Below shows how to configure static NAT for a web server or some other application running on an internal host. Basically we are port forwarding port 80 from our public IP of 1.1.1.2 to port 80 of our internal IP at 10.1.1.2. In this example Auto NAT will be used. You could also use Manual NAT; I have written another blog entry on this. This is very different from ASA 8.2 and below: here we create an object and then modify the object with the static port forward we want. I
In this example my ASA outside IP is 1.1.1.1, and I want the web server to answer on 1.1.1.2.
object network 1.1.1.2
host 1.1.1.2
exit
object network 10.1.1.2
host 10.1.1.2
nat (inside,outside) static 1.1.1.2 service tcp 80 80
Some things to note: we could name the objects anything; I just chose to use the actual IP address. For example, you could use the command "object network Webserver-Outside" and use that name to reference the outside IP address.
Next, if I want to allow access to 10.1.1.2 from the outside world, I will need an ACL.
access-list Outside-In permit tcp any 10.1.1.2 eq 80
access-group Outside-In in interface outside
Notice the internal IP specified in the ACL; that is there on purpose. Instead of referencing the external (mapped) IP, you now reference the internal (real) IP.
What if the outside address answering for my web server is the outside IP of the ASA?
No problem, we just have to modify that one NAT entry. Instead of the public NAT object we use the "interface" keyword.
object network 1.1.1.2
host 1.1.1.2
exit
object network 10.1.1.2
host 10.1.1.2
nat (inside,outside) static interface service tcp 80 80
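To make the ACL point above concrete, here is an added example (not from the original post): a small Python checker that reads an ASA 8.3+ style config, collects the real-to-mapped addresses from Auto NAT object entries, and flags any ACE whose destination is a mapped address rather than the real one. The sample config and the ACL mistake in it are constructed for the example; it assumes ACEs with an any/host/object source.

```python
import re

# Constructed sample (not captured from an ASA): the post's Auto NAT example
# plus the ACL mistake a commenter hit, naming the mapped 1.1.1.2 in the ACE.
SAMPLE_CONFIG = """
object network 1.1.1.2
 host 1.1.1.2
object network 10.1.1.2
 host 10.1.1.2
 nat (inside,outside) static 1.1.1.2 service tcp 80 80
access-list Outside-In permit tcp any 1.1.1.2 eq 80
access-group Outside-In in interface outside
"""

ACE = re.compile(r"access-list \S+ (?:extended )?permit \S+ "
                 r"(?:any4?|host \S+|object \S+) (?:host |object )?(\S+)")
def parse_objects(config):
    """Return {name: {"host": ip, "mapped": target}} for each network object."""
    objects, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"object network (\S+)$", line)
        if m:
            cur = m.group(1)
            objects[cur] = {"host": None, "mapped": None}
        elif line == "exit" or line.startswith(("access-", "object-group")):
            cur = None  # left the object definition
        elif cur and line.startswith("host "):
            objects[cur]["host"] = line.split()[1]
        elif cur and (m := re.match(r"nat \(\S+\) static (\S+)", line)):
            objects[cur]["mapped"] = m.group(1)  # object name, IP or "interface"
    return objects

def find_mapped_in_acl(config):
    """(ACE, real address) for each ACE whose destination is a mapped address.
    On 8.3+ ACLs see the real (pre-NAT) address, so such ACEs never match."""
    objects = parse_objects(config)
    real_for = {}  # mapped object name or IP -> real host IP
    for obj in objects.values():
        target = obj["mapped"]
        if target in (None, "interface"):  # interface = ASA's own IP, not tracked
            continue
        real_for[target] = obj["host"]
        real_for[objects.get(target, {}).get("host", target)] = obj["host"]
    hits = []
    for line in (l.strip() for l in config.splitlines()):
        m = ACE.match(line)
        if m and m.group(1) in real_for:
            hits.append((line, real_for[m.group(1)]))
    return hits
```

Each hit reports the offending ACE together with the real address it should reference; a clean config returns an empty list.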
Thanks for your help! I was using the outside IP address in my ACE, changed to inside and working for now.
Glad to hear it!
Am I right in saying that Proxy ARP must also be enabled on the outside interface?
Good question. NAT commands cause the ASA to respond to any ARP request for the NAT object. Proxy ARP is on by default. If you turn it off on the interface, the ASA will only respond to ARP requests for the IP addresses assigned to the interfaces. I would have to test to make 100% sure. The NAT entries have a specific command though: no-proxy-arp, which is attached to the NAT entry, so that you can turn off proxy ARP for that rule.
Where can I find and buy this model? http://ciscoasa.com/cisco-asa-5540/
Hi Mery, eBay would be a good place to look. http://www.ebay.com/sch/i.html?_from=R40&_trksid=p2050601.m570.l1313.TR3.TRC1.A0.H0.Xcisco+5540.TRS0&_nkw=cisco+5540&_sacat=0
Hello House,
Please, I need help on port-to-port forwarding on ASA 5512-X. Below is the config; the port redirection is working, but the range of ports and other ports permitted in the access-list are not opening. Kindly help, please.
object network TEST_PUBLIC_IP
host 10.10.10.10
object-group service PROD_101 tcp
port-object eq 8443
port-object eq 922
port-object eq ssh
port-object eq https
port-object range 8000 8200
object network TEST_PRIVATE_IP
host 1.1.1.1
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www
access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101
access-group Outside_IN in interface outside