Below I am going to give some examples for Policy Static NATs and Regular Basic NATs.
Configuring Policy Static NAT
Command Syntax:
static (REAL_interface,MAPPED_interface) {MAPPED_ip | interface} access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
The following translates the REAL address 10.1.1.22 to the MAPPED address 192.168.1.22 when 10.1.1.22 sends traffic to the 200.100.2.0/28 network:
access-list NAT extended permit ip host 10.1.1.22 200.100.2.0 255.255.255.240 static (inside,outside) 192.168.1.22 access-list NAT
Cisco’s best practice is to only configure PERMIT ACE’s.
The same configuration is used for hosts to originate a connection to the mapped address. If a host on the 20.100.2.0/28 network initiates the connection to 192.168.1.22, that that host becomes the source.
One last thing. If you want to translate /24 networks, the ASA will translate the .0 and .255 addresses. To prevent this, make sure you configure an ACL to deny access.
Configuring Regular Static NAT
Command Syntax:
static (REAL_interface,MAPPED_interface) {MAPPED_ip | interface} REAL_ip [netmask mask][dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
For example, the following policy static NAT example shows a single REAL address that is translated to two MAPPED addresses depending on the destination address:
The following translates the REAL address 10.1.1.22 to the MAPPED address 199.100.77.29 when 10.1.1.22 sends traffic to the 200.100.1.0/28 network.
The following also translates the REAL address 10.1.1.22 to the MAPPED address 199.100.77.30 when 10.1.1.22 sends traffic to the 200.100.2.0/28 network:
access-list NAT1 permit ip host 10.1.1.22 200.100.1.0 255.255.255.240 access-list NAT2 permit ip host 10.1.1.22 200.100.2.0 255.255.255.240 static (inside,outside) 199.100.77.29 access-list NAT1 static (inside,outside) 199.100.77.30 access-list NAT2
The following command maps an inside IP address (10.1.1.101) to an outside IP address (64.19.100.101):
static (inside,outside) 64.19.100.101 10.1.1.101 netmask 255.255.255.255
The following command maps the outside address (64.19.100.105) to an inside address (10.1.1.105):
static (outside,inside) 10.1.1.105 64.19.100.105 netmask 255.255.255.255
The following command statically maps an entire subnet:
static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0
Cisco ASA 8.3+
In the newer version of ASA IOS 8.3+, the NAT syntax has changed. Below is an example:
object network TPA-AC-DC01 host 10.1.1.130 nat (inside,outside) static 172.22.199.130
Here’s what it looks like in pre 8.3:
static (inside,outside) 172.22.199.130 10.1.1.130 netmask 255.255.255.255
Here’s a good link on Pre-8.3 to 8.3 NAT configuration examples:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples