Cisco ASA 9.1+ Static Nat example

Below shows how to configure Static nat for a web server or some kind of application running on a internal host. Basically we are port forwarding port 80 from our public IP of 1.1.1.2 to port 80 of our internal IP at 10.1.1.2. In this example Auto Nat will be used. You could also use Manual nat, I have written another blog entry on this.  This is way different than 8.2 and below. Here we create an object and then modify the object with the Static port forward we want. I

In this example my ASA outside IP is 1.1.1.1, and I want the web server to answer on 1.1.1.2.

object network 1.1.1.2
host 1.1.1.2
exit

object network 10.1.1.2
host 10.1.1.2
nat (inside,outside) static 1.1.1.2 service tcp 80 80

Somethings to note- We could name the objects anything, I just chose to use the actual IP address. For example, you could do the command ” object network Webserver-Outside” and use that name to reference the outside IP address.

Next, if I want to allow access to 10.1.1.2 from the outside world, I will need an ACL.

access-list Outside-In permit tcp any 10.1.1.2 eq 80

access-group Outside-In in interface outside

Notice the internal IP specified in the ACL – that is there on purpose. Instead of referencing the External IP  you now reference the internal.

What if the outside address answering for my web server is the outside IP of the ASA?

No problem, just have to modify that one NAT entry. Instead of the public NAT object we use the “interface” keyword.

object network 1.1.1.2
host 1.1.1.2
exit

object network 10.1.1.2
host 10.1.1.2
nat (inside,outside) static interface service tcp 80 80

Advertisements

7 responses to “Cisco ASA 9.1+ Static Nat example

  1. Jay June 25, 2015 at 8:19 am

    Thanks for your help! I was using the outside ip address in my ACE, changed to inside and working for now.

  2. tchiggins July 17, 2015 at 2:54 pm

    Am I right in saying that Proxy ARP must also be enabled on the outside interface?

    • cjcott01 July 17, 2015 at 6:19 pm

      Good questions, NAT commands cause the ASA to respond to any ARP request for the NAT object. Proxy-ARP is on my default. If you turn it off on the interface the ASA will only respond to arp requests for the IP addresses assigned the interfaces. I would have to test to make 100% sure. The NAT entries have a specific command though: no-proxy-arp which is attached to the NAT entry, so that you can turn off Proxy arp for that rule.

  3. Mery August 6, 2015 at 9:05 pm

    Where can I find and buy this model? http://ciscoasa.com/cisco-asa-5540/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: