Cisco ASA Static NAT Example: A Scenario

Created by Deepak Sharma in Articles 8 Jan 2024

Introduction:

In this article I will explain static NAT and how to configure it on a Cisco ASA firewall. This is most useful when your internet connection terminates directly on the ASA firewall.

Static Network Address Translation (NAT) is a method used in networking to map a specific internal IP address to a single external (public) IP address. It is commonly used when you want external users, such as internet users, to initiate connections to specific internal devices, for example a hosted web server or email server. Static NAT creates a one-to-one mapping between an internal private IP address and a public IP address, allowing inbound traffic to be directed to the correct internal host.

Here's a step-by-step guide on how to configure Static NAT on a Cisco ASA firewall, along with a scenario:

Scenario:

We have an internal web server with the IP address 192.168.1.10, and we want to make it accessible from the internet using the public IP address 203.0.113.10 (make sure this address is one you have purchased from your internet service provider and that it is different from the static public IP configured on the ASA outside interface). Here is the topology diagram for your reference.


Start by configuring the ASA firewall with some initial configuration steps. These steps are not part of static NAT itself, but the NAT configuration builds on them.

Hostname and Domain Name: 

Set the hostname and domain name to identify the firewall.


hostname ASA-Firewall

domain-name anydomain.com


Interface Configuration:

Configure the firewall interfaces with IP addresses and security levels.


interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 203.0.113.1 255.255.255.0

!

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.1.1 255.255.255.0


Routing: 

Configure static routes to ensure proper routing between interfaces and to reach external networks.


route outside 0.0.0.0 0.0.0.0 203.0.113.254 1


Default Access Policy:

Set a default access policy for traffic flowing between interfaces. This allows all outbound traffic from the inside interface to the outside interface. Applying the same "permit ip any any" ACL inbound on the outside interface would instead expose every internal host to the internet, so the ACL is bound to the inside interface.


! Bound to the inside interface: permits outbound traffic only
access-list inside_access_in extended permit ip any any

access-group inside_access_in in interface inside


Management Access:

Configure management access so that the firewall can be administered from the inside network. Here we allow both SSH and HTTP (HTTP is used by ASDM), but you can allow only SSH or only HTTP.


ssh 192.168.1.0 255.255.255.0 inside

! The HTTP server must be enabled before the http access line takes effect
http server enable

http 192.168.1.0 255.255.255.0 inside


Time Configuration:

Set the correct time and time zone for the firewall. This is not a mandatory configuration either, but it is good practice to keep accurate time on your firewalls so that log timestamps are reliable.


clock timezone EST -5

clock summer-time EDT recurring


Password Configuration:

Configure the local administrator account and the enable password used for console, Telnet, and SSH access.


! Replace <admin-password> with a strong password of your choice
username admin password <admin-password> privilege 15

enable password cisco@123

! SSH logins are authenticated against the local user database and need an RSA key pair
aaa authentication ssh console LOCAL

crypto key generate rsa modulus 2048


Static NAT Configuration Steps:

Connect to the Cisco ASA firewall using SSH, Telnet, or console cable and log in with appropriate privileges.

Define NAT and Access Rules:

You need to define two things: the NAT rule (Static NAT) and the Access Control List (ACL) rule.

1. NAT Rule:

In this configuration, object network Internal-WebServer defines an object representing the internal web server, host 192.168.1.10 specifies the internal IP address of the web server, and nat (inside,outside) static 203.0.113.10 maps that internal IP to the external (public) IP address.


object network Internal-WebServer

 host 192.168.1.10

 nat (inside,outside) static 203.0.113.10


2. ACL Rule:

This ACL rule allows incoming TCP traffic from any source IP to the internal web server on port 80 (HTTP).


access-list outside_access_in extended permit tcp any object Internal-WebServer eq www


3. Apply NAT and ACL Rules:

Apply the ACL to the outside interface. The NAT rule needs no separate apply step, because it takes effect as soon as the nat command is entered under the network object; the access-group command below binds the ACL inbound on the outside interface.


access-group outside_access_in in interface outside


4. Save Configuration:

Save your configuration changes using write memory or wr mem.


write memory


5. Testing:

Ensure that the public IP address (203.0.113.10) can now be used to access the internal web server (192.168.1.10) from the internet. Please note that actual commands and syntax might vary based on the version of Cisco ASA software you are using. Make sure to adapt the commands to your specific environment and software version.
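As an added example (not part of the original article), the following Python script parses the interface, object NAT and ACL stanzas from the initial configuration and the static NAT steps above and reports the mistakes a reviewer would look for: a mapped address that collides with the outside interface IP or lies off its subnet, a real address that is not on the inside subnet, and a "permit ip any any" entry in the ACL bound inbound on the outside interface. The sample configuration and the check names are constructed here; they are not ASA output.

```python
import ipaddress
import re

# Constructed sample: this article's interfaces, NAT object and the ACL that ends
# up applied inbound on the outside interface, 'permit ip any any' included.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
object network Internal-WebServer
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object Internal-WebServer eq www
access-group outside_access_in in interface outside
"""

# Each pattern matches one ASA stanza as it appears in the running config.
IFACE_RE = re.compile(r"^ nameif (\S+)\n(?: .*\n)*? ip address (\S+) (\S+)", re.M)
NAT_RE = re.compile(r"^object network (\S+)\n host (\S+)\n nat \((\w+),(\w+)\) static (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) extended (.+)$", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)", re.M)

def audit(config):
    """Return a list of findings; an empty list means the static NAT and its ACL look sane."""
    ifaces = {m[1]: ipaddress.ip_interface(f"{m[2]}/{m[3]}") for m in IFACE_RE.finditer(config)}
    acls = {}
    for m in ACL_RE.finditer(config):
        acls.setdefault(m[1], []).append(m[2])
    applied = {m[2]: m[1] for m in GROUP_RE.finditer(config)}   # interface -> inbound ACL name
    findings = []
    for obj, real, src, dst, mapped in (m.groups() for m in NAT_RE.finditer(config)):
        m_ip, out = ipaddress.ip_address(mapped), ifaces[dst]
        if m_ip == out.ip:
            findings.append(f"{obj}: mapped {mapped} is the {dst} interface address itself")
        elif m_ip not in out.network:
            findings.append(f"{obj}: mapped {mapped} is not on {out.network}; the ISP must route it here")
        if ipaddress.ip_address(real) not in ifaces[src].network:
            findings.append(f"{obj}: real address {real} is not on the {src} subnet")
        rules = acls.get(applied.get(dst, ""), [])
        if "permit ip any any" in rules:
            findings.append(f"ACL on {dst}: 'permit ip any any' exposes {obj} and every other host")
        elif not any(f"object {obj} " in r for r in rules):
            findings.append(f"{obj}: no inbound ACL entry on {dst} references it")
    return findings
```

Running audit(SAMPLE_CONFIG) reports only the "permit ip any any" finding; removing that ACL line leaves an empty list.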

Always follow best security practices and consult Cisco documentation for the most up-to-date and accurate information.

