
Cisco ASA Static NAT Configuration Example

Created by Deepak Sharma in Articles 11 Nov 2024

Static Network Address Translation (NAT) is a method taught in network security training to map a specific internal IP address to a single external (public) IP address.

This is commonly used for scenarios where you want to allow external users such as internet users to initiate connections to specific internal devices, such as hosting a web server or email server, etc.

Static NAT creates a one-to-one mapping between an internal private IP address and a public IP address, allowing inbound traffic to be directed to the correct internal host.

In this article, we cover static NAT and how to configure it on a Cisco ASA firewall. This is most useful when your internet link terminates directly on the ASA firewall.

How to Configure Static NAT on Cisco ASA Firewall

Here's a step-by-step guide on how to configure Static NAT on a Cisco ASA firewall, along with a scenario. You can practice this same scenario with our Cisco Firepower Lab.

Scenario

We have an internal web server with the IP address 192.168.1.10, and we want to make it accessible from the internet using the public IP address 203.0.113.10. Make sure this IP has been purchased from your internet service provider and is separate from the static public IP configured on the ASA outside interface. Here is the topology diagram for your reference.

[Topology diagram]

Configuring Firewall

Start with some initial configuration steps on the ASA firewall. These steps are not part of static NAT itself.

Hostname and Domain Name: 

Set the hostname and domain name to identify the firewall.

hostname ASA-Firewall

domain-name anydomain.com

Interface Configuration:

Configure the firewall interfaces with IP addresses and security levels.

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 203.0.113.1 255.255.255.0

!

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.1.1 255.255.255.0



Routing: 

Configure static routes to ensure proper routing between interfaces and to reach external networks.

route outside 0.0.0.0 0.0.0.0 203.0.113.254 1

Default Access Policy:

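Set a default access policy for traffic flowing between interfaces. This allows all outbound traffic from the inside to the outside interface. The ASA already permits traffic from a higher security level (inside, 100) to a lower one (outside, 0), so this ACL only makes that policy explicit. Keep permit ip any any out of the ACL bound to the outside interface: there it would admit all inbound internet traffic and override the web server rule added later.

access-list inside_access_in extended permit ip any any

access-group inside_access_in in interface inside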

Management Access:

Configure management access so the ASA can be administered from the inside network. Here we allow both SSH and HTTP from 192.168.1.0/24; you can allow only one of them. On the ASA, the http command controls access to the ASDM web interface, which is served over HTTPS.

ssh 192.168.1.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 inside

Time Configuration:

Set the correct time and time zone for the firewall. This is not mandatory, but accurate time settings are worth having on your firewalls.

clock timezone EST -5

clock summer-time EDT recurring

Password Configuration:

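Configure passwords for console, Telnet, and SSH access. The values shown are lab examples; replace <password> and cisco@123 with strong, unique passwords of your own.

username admin password <password> privilege 15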

enable password cisco@123

enable secret cisco@123

Static NAT Configuration Steps:

Connect to the Cisco ASA firewall using SSH, Telnet, or a console cable and log in with appropriate privileges.

Define NAT and Access Rules:

You need to define two things: the NAT rule (Static NAT) and the Access Control List (ACL) rule.

1. NAT Rule:

In this configuration, object network Internal-WebServer defines an object representing the internal web server, host 192.168.1.10 specifies the internal IP address of the web server, and nat (inside,outside) static 203.0.113.10 maps the internal IP to the external (public) IP address.

object network Internal-WebServer

 host 192.168.1.10

 nat (inside,outside) static 203.0.113.10

2. ACL Rule:

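This ACL rule allows incoming TCP traffic from any source IP to the internal web server on port 80 (HTTP). The rule references the Internal-WebServer object, so it matches the server's real address 192.168.1.10 rather than the public address.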

access-list outside_access_in extended permit tcp any object Internal-WebServer eq www








3. Apply NAT and ACL Rules:

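Apply the NAT and ACL rules to their respective interfaces. The NAT rule takes effect as soon as it is entered under the object, so the command below only binds the ACL to the outside interface in the inbound direction.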

access-group outside_access_in in interface outside

4. Save Configuration:

Save your configuration changes using write memory or wr mem.

write memory

5. Testing:

Ensure that the public IP address (203.0.113.10) can now be used to access the internal web server (192.168.1.10) from the internet. Please note that actual commands and syntax might vary based on the version of Cisco ASA software you are using. Make sure to adapt the commands to your specific environment and software version.
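A configuration check that complements the test above, as an added example that is not part of the original article: the Python script below parses the lines of an ASA config that decide internet exposure and reports a permit ip any any entry in the ACL bound to the least-trusted interface, along with the entries it shadows. The sample config is constructed from this lab's names and addresses; the audit function and its output format are this example's own.

```python
import re

# Constructed sample: this lab's exposure-relevant lines, with a broad permit
# placed ahead of the web rule in the ACL bound to the outside interface.
SAMPLE = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
object network Internal-WebServer
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object Internal-WebServer eq www
access-group outside_access_in in interface outside
"""

def audit(config):
    """Return (static NAT mappings, findings) for an ASA config string."""
    levels = {n: int(s) for n, s in re.findall(r"nameif (\S+)\s+security-level (\d+)", config)}
    acls, bound, nat, findings, obj = {}, {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line and raw[:1] != " ":  # a top-level line ends any object sub-mode
            obj = None
        if m := re.match(r"object network (\S+)", line):
            obj = m.group(1)
        elif (m := re.match(r"host (\S+)", line)) and obj:
            nat.setdefault(obj, {})["real"] = m.group(1)
        elif (m := re.match(r"nat \(\S+,\S+\) static (\S+)", line)) and obj:
            nat.setdefault(obj, {})["mapped"] = m.group(1)
        elif m := re.match(r"access-list (\S+) extended (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m.group(2)] = m.group(1)
    edge = min(levels, key=levels.get, default=None)  # least-trusted interface
    rules = acls.get(bound.get(edge), [])
    for i, rule in enumerate(rules):
        if re.fullmatch(r"permit ip any4? any4?", rule):
            findings.append(f"{bound[edge]} entry {i + 1} on {edge} permits all inbound IP")
            findings += [f"entry {j + 1} is shadowed: {r}"
                         for j, r in enumerate(rules[i + 1:], i + 1)]
            break
    return {o: v for o, v in nat.items() if "mapped" in v}, findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An empty findings list means the outside ACL admits only what its specific entries name, so the static NAT exposes the web server on port 80 and nothing else.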

Always follow best security practices and consult Cisco documentation for the most up-to-date and accurate information. You can learn more by visiting our courses on Cisco Security Courses page.

Deepak Sharma

He is a senior solution network architect currently working with one of the largest financial companies. He has an impressive academic and training background. He has completed his B.Tech and MBA, which makes him both technically and managerially proficient. He has also completed more than 450 online and offline training courses, both in India and ...


FAQ

To create a static NAT in ASA, use the command object network [object-name], followed by nat (inside,outside) static [public-ip] to map a private IP to a public IP.
An example of static NAT is mapping a private IP address, such as 192.168.1.10, to a public IP address like 203.0.113.5, allowing external access to a specific internal server.
Static NAT provides a permanent mapping between a private and public IP address, while dynamic NAT assigns a public IP from a pool temporarily, allowing multiple devices to share fewer public IPs.
Cisco ASA supports several types of NAT, including Static NAT, Dynamic NAT, PAT (Port Address Translation), and Policy-Based NAT, each serving different purposes for IP address translation and connectivity.
