Cisco ASA Static NAT Example: A Scenario

Introduction:

Here in this blog article, I will explain you about the static NAT and how to configure static NAT on Cisco ASA firewall. This is most useful in case when your internet is directly terminated on your ASA firewall.

Static Network Address Translation (NAT) is a method used in networking to map a specific internal IP address to a single external (public) IP address. This is commonly used for scenarios where you want to allow external users such as internet users to initiate connections to specific internal devices, such as hosting a web server or email server etc. Static NAT creates a one-to-one mapping between an internal private IP address and a public IP address, allowing inbound traffic to be directed to the correct internal host.

Here's a step-by-step guide on how to configure Static NAT on a Cisco ASA firewall, along with a scenario:

Scenario:

We have an internal web server with the IP address 192.168.1.10, and we want to make it accessible from the internet using a public IP address 203.0.113.10 (make sure you have this IP purchased from your internet service provider other than your static public IP configured on ASA outside interface). Here is the topology diagram for your reference. 

Start configuring the ASA firewall with some of the initial configuration steps though these steps are not part of static NAT.

Hostname and Domain Name: 

Set the hostname and domain name to identify the firewall.

Interface Configuration:

Configure the firewall interfaces with IP addresses and security levels.

Routing: 

Configure static routes to ensure proper routing between interfaces and to reach external networks.

Default Access Policy:

Set a default access policy for traffic flowing between interfaces. This allows all outbound traffic from the inside to the outside interface.

Management Access:

Configure management access to the firewall. In order to access the ASA firewall from inside network to configure it. Here we are allowing both SSH and HTTP, however you can allow only SSH or HTTP.

Time Configuration:

Set the correct time and time zone for the firewall. This is also not a mandatory configuration but better to have time setting on your firewalls.

Password Configuration:

Configure passwords for console, Telnet, and SSH access.

Static NAT Configuration Steps:

Connect to the Cisco ASA firewall using SSH, Telnet, or console cable and log in with appropriate privileges.

Define NAT and Access Rules:

You need to define two things: the NAT rule (Static NAT) and the Access Control List (ACL) rule.

1. NAT Rule:

In this configuration, object network Internal-WebServer: Defines an object representing the internal web server, host 192.168.1.10: Specifies the internal IP address of the web server and nat (inside,outside) static 203.0.113.10: Maps the internal IP to the external (public) IP address.

2. ACL Rule:

This ACL rule allows incoming TCP traffic from any source IP to the internal web server on port 80 (HTTP).

3. Apply NAT and ACL Rules:

Apply the NAT and ACL rules to their respective interface. This applies the ACL rule to the outside interface.

4. Save Configuration:

Save your configuration changes using write memory or wr mem.

5. Testing:

Ensure that the public IP address (203.0.113.10) can now be used to access the internal web server (192.168.1.10) from the internet. Please note that actual commands and syntax might vary based on the version of Cisco ASA software you are using. Make sure to adapt the commands to your specific environment and software version.

Always follow best security practices and consult Cisco documentation for the most up-to-date and accurate information.