Static Network Address Translation (NAT) maps one internal IP address to one external (public) IP address. It is used when hosts outside your network, typically on the internet, need to initiate connections to a specific internal device such as a web server or a mail server.
Because the mapping is one-to-one and permanent, inbound traffic sent to the public address is always forwarded to the same internal host.
In this blog article we will look at what static NAT is and how to configure it on a Cisco ASA firewall. This applies when your internet link terminates directly on the ASA outside interface.
Below is a step-by-step guide with a scenario. You can practice the same scenario with our Cisco Firepower Lab.
We have an internal web server with the IP address 192.168.1.10 and want to make it reachable from the internet on the public IP address 203.0.113.10. That public address must be one your internet service provider has allocated to you and routes towards the ASA, and it must be different from the address configured on the ASA outside interface (203.0.113.1 in this example). Because 203.0.113.10 lies in the outside interface subnet, the ASA answers ARP requests for it on the outside interface (it proxy-ARPs for static NAT mapped addresses by default), so the ISP router needs no extra configuration. Here is the topology diagram for your reference.
Start with some initial configuration on the ASA. These steps are not part of static NAT itself, but the NAT rule is useless without working interfaces, routing and management access.
Hostname and Domain Name:
Set the hostname and domain name to identify the firewall.
hostname ASA-Firewall
domain-name anydomain.com
Interface Configuration:
Configure the firewall interfaces with IP addresses and security levels.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
Routing:
Configure a default route so the ASA can reach the internet through the ISP next hop on the outside interface. Directly connected networks (inside and outside) need no static route.
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
Default Access Policy:
The ASA permits traffic from a higher security-level interface to a lower one by default, so outbound traffic from inside (security-level 100) to outside (security-level 0) needs no ACL at all. The original version of this step applied a permit-everything ACL inbound on the outside interface:
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
Do not do this. Applied inbound on outside, that ACL admits all internet traffic to every host reachable through NAT, which means every port on the web server once the static NAT below is in place, and it makes the specific HTTP rule added later redundant. Leave outside_access_in unconfigured at this stage; it is created and bound in the NAT step with only the entries you actually need.
Management Access:
Configure management access so that the firewall can be administered from the inside network. Here both SSH and HTTPS (ASDM) access are permitted from 192.168.1.0/24 on the inside interface; you can allow just one of them, and where possible restrict the source to a dedicated management subnet rather than the whole inside network. SSH additionally needs an RSA key pair and AAA authentication against the local user database, and ASDM access needs the HTTP server enabled; neither is shown in this step.
ssh 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
Time Configuration:
Set the correct time zone on the firewall. This is not mandatory for NAT, but accurate time matters for log correlation and certificate validation, so also configure NTP in production.
clock timezone EST -5
clock summer-time EDT recurring
Password Configuration:
Create a local administrator account (used for SSH and ASDM logins) and set the enable password for privileged EXEC mode. Note that enable secret is an IOS command and is not valid on the ASA; the ASA uses enable password. Replace the placeholder with a strong, unique password; a value such as cisco@123 is acceptable only in a lab.
username admin password <strong-password> privilege 15
enable password <strong-password>
Connect to the Cisco ASA using SSH or the console cable and log in with privileged (enable) access before continuing. Telnet is also supported but sends credentials in cleartext, so prefer SSH or the console.
Define NAT and Access Rules:
You need to define two things: the NAT rule (Static NAT) and the Access Control List (ACL) rule.
1. NAT Rule:
Three commands make up the rule:
object network Internal-WebServer defines a network object representing the internal web server.
host 192.168.1.10 sets the object's real (internal) address.
nat (inside,outside) static 203.0.113.10 maps that real address on the inside interface to the public address 203.0.113.10 on the outside interface, in both directions.
object network Internal-WebServer
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
2. ACL Rule:
This ACL entry permits TCP from any source to the web server on port 80 (www). Since ASA 8.3, ACLs match on the real (untranslated) address, which is why the entry references object Internal-WebServer (192.168.1.10) rather than the public address 203.0.113.10; an entry written against the public address would never match. Everything not explicitly permitted is dropped by the ACL's implicit deny, so add only the ports you intend to expose (for HTTPS, a second entry for eq https).
access-list outside_access_in extended permit tcp any object Internal-WebServer eq www
3. Apply the ACL:
The NAT rule needs no separate binding; the nat (inside,outside) statement already ties it to the interface pair. The ACL, however, must be bound to the outside interface in the inbound direction:
access-group outside_access_in in interface outside
4. Save Configuration:
Save your configuration changes to the startup configuration with write memory (or its abbreviation wr mem); otherwise they are lost on reload.
write memory
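For reference, here is the whole scenario as one consolidated configuration. This is an added example, not the original article's text, and it tightens two things the step-by-step walk-through leaves loose: the management pieces that SSH and ASDM need (an RSA key pair, local AAA authentication and the HTTP server) and an outside ACL that contains only the HTTP entry. The weak permit-everything line is kept as a comment so the difference is visible. It assumes ASA 8.3 or later (object NAT syntax) and the interface addresses used above; replace the password placeholders with real values.

```cisco
! Added example for the article's scenario (not Cisco's or the author's own config).
! Assumes ASA 8.3+ object NAT syntax and the addresses used in the article.
hostname ASA-Firewall
domain-name anydomain.com
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
!
! Management access, restricted to the inside subnet.
! The local user is what SSH and ASDM authenticate against once AAA points at LOCAL.
username admin password <strong-password> privilege 15
enable password <strong-password>
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.0 255.255.255.0 inside
!
! Static one-to-one NAT: real 192.168.1.10 (inside) <-> mapped 203.0.113.10 (outside).
! The mapped address is in the outside subnet, so the ASA proxy-ARPs for it by default.
object network Internal-WebServer
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
!
! Inbound policy on the outside interface: only TCP/80 to the web server.
! The entry matches the REAL address via the object, not the mapped 203.0.113.10.
! WEAK (do not use): access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object Internal-WebServer eq www
access-group outside_access_in in interface outside
!
write memory
```

Everything not listed in outside_access_in is dropped by the implicit deny at the end of the ACL, so exposing a second service means adding a second explicit entry rather than widening the existing one.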
5. Testing:
From a host on the internet, connect to http://203.0.113.10/; the ASA translates the destination to 192.168.1.10 and forwards the connection. If it does not work, check two things first: the web server's default gateway must be the ASA inside address (192.168.1.1) so that replies return through the firewall, and the server's own host firewall must accept port 80. Hosts on the inside network should use the private address 192.168.1.10; reaching the public address from inside requires additional NAT configuration that is outside the scope of this article. Actual commands and syntax vary with the ASA software version (the syntax shown here is the object NAT form introduced in 8.3), so adapt them to your environment.
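The following verification sequence is an added example, not part of the original article. It uses the ASA's own show and packet-tracer commands so the rule can be checked from the firewall itself, including the negative case (a port that must stay closed). 198.51.100.5 is an assumed external test host taken from the documentation address range; all other addresses and names are those of the scenario above.

```cisco
! Added verification example (not from the original article).
! 198.51.100.5 is an assumed external test host; other values match the scenario.
!
! 1. Confirm the object NAT rule is installed and shows the real/mapped pair.
show nat detail
show running-config object network Internal-WebServer
!
! 2. Simulate an inbound HTTP connection from the internet to the mapped address.
!    Expect the trace to end with "Action: allow" and the NAT phase to show
!    203.0.113.10 translated to 192.168.1.10.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 80
!
! 3. Negative test: a port not listed in outside_access_in must be dropped by
!    the ACL's implicit deny. Expect "Action: drop" with an acl-drop reason.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 22
!
! 4. After a real client connects, the translation and the connection are visible.
show xlate | include 192.168.1.10
show conn address 192.168.1.10
!
! 5. The hit counter (hitcnt=) on the HTTP entry increases with each inbound connection.
show access-list outside_access_in
```

Run the negative test for every port you did not intend to expose; a static NAT makes the whole host reachable at the public address, and only the ACL decides which ports actually answer.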
Always follow best security practices and consult Cisco documentation for the most up-to-date and accurate information. You can learn more by visiting our courses on Cisco Security Courses page.
He is a senior solution network architect currently working with one of the largest financial companies. He has an impressive academic and training background: he has completed a B.Tech and an MBA, which makes him both technically and managerially proficient, and has completed more than 450 online and offline training courses, both in India and ...