Cisco ASA Static NAT Configuration Example

Static Network Address Translation (NAT) is a method taught in network security training to map a specific internal IP address to a single external (public) IP address. This is commonly used for scenarios where you want to allow external users such as internet users to initiate connections to specific internal devices, such as hosting a web server or email server, etc.

Static NAT creates a one-to-one mapping between an internal private IP address and a public IP address, allowing inbound traffic to be directed to the correct internal host.

Here in this blog article, we will learn about static NAT and how to configure static NAT on Cisco ASA firewall. This is most useful in cases when your internet is directly terminated on your ASA firewall.

How to Configure Static NAT on Cisco ASA Firewall

Here's a step-by-step guide on how to configure Static NAT on a Cisco ASA firewall, along with a scenario. You can practice this same scenario with our Cisco Firepower Lab.

Scenario

We have an internal web server with the IP address 192.168.1.10, and we want to make it accessible from the internet using a public IP address 203.0.113.10 (make sure you have this IP purchased from your internet service provider other than your static public IP configured on ASA outside interface). Here is the topology diagram for your reference. 

Configuring Firewall

Start configuring the ASA firewall with some of the initial configuration steps though these steps are not part of static NAT.

Hostname and Domain Name: 

Set the hostname and domain name to identify the firewall.

Interface Configuration:

Configure the firewall interfaces with IP addresses and security levels.

Advance Career with Cisco Firepower TrainingGet  training from industry experts on Cisco FirepowerExplore course

Routing: 

Configure static routes to ensure proper routing between interfaces and to reach external networks.

Default Access Policy:

Set a default access policy for traffic flowing between interfaces. This allows all outbound traffic from the inside to the outside interface.

Management Access:

Configure management access to the firewall. In order to access the ASA firewall from inside the network to configure it. Here we are allowing both SSH and HTTP, however, you can allow only SSH or HTTP.

Time Configuration:

Set the correct time and time zone for the firewall. This is also not a mandatory configuration but better to have time settings on your firewalls.

Password Configuration:

Configure passwords for console, Telnet, and SSH access.

Static NAT Configuration Steps:

Connect to the Cisco ASA firewall using SSH, Telnet, or console cable and login with appropriate privileges.

Define NAT and Access Rules:

You need to define two things: the NAT rule (Static NAT) and the Access Control List (ACL) rule.

1. NAT Rule:

In this configuration, object network Internal-WebServer: Defines an object representing the internal web server, host 192.168.1.10: Specifies the internal IP address of the web server and nat (inside, outside) static 203.0.113.10: Maps the internal IP to the external (public) IP address.

2. ACL Rule:

This ACL rule allows incoming TCP traffic from any source IP to the internal web server on port 80 (HTTP).

If you seek to achieve the certification on CCNP SCOR training online then feel free to contact our learning advisors. 

Contact learner advisor

Apply the NAT and ACL rules to their respective interface. This applies the ACL rule to the outside interface.

4. Save Configuration:

Save your configuration changes using write memory or wr mem.

5. Testing:

Ensure that the public IP address (203.0.113.10) can now be used to access the internal web server (192.168.1.10) from the internet. Please note that actual commands and syntax might vary based on the version of Cisco ASA software you are using. Make sure to adapt the commands to your specific environment and software version.

Always follow best security practices and consult Cisco documentation for the most up-to-date and accurate information. You can learn more by visiting our courses on Cisco Security Courses page.