Cisco ASA Static NAT

Below I am going to give some examples for Policy Static NATs and Regular Basic NATs.

Configuring Policy Static NAT

Command Syntax:
static (REAL_interface,MAPPED_interface) {MAPPED_ip | interface} access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

The following translates the REAL address 10.1.1.22 to the MAPPED address 192.168.1.22 when 10.1.1.22 sends traffic to the 200.100.2.0/28 network:

access-list NAT extended permit ip host 10.1.1.22 200.100.2.0 255.255.255.240
static (inside,outside) 192.168.1.22 access-list NAT

Cisco’s best practice is to only configure PERMIT ACE’s.

The same configuration is used for hosts to originate a connection to the mapped address. If a host on the 20.100.2.0/28 network initiates the connection to 192.168.1.22, that that host becomes the source.

One last thing. If you want to translate /24 networks, the ASA will translate the .0 and .255 addresses. To prevent this, make sure you configure an ACL to deny access.

Configuring Regular Static NAT

Command Syntax:
static (REAL_interface,MAPPED_interface) {MAPPED_ip | interface} REAL_ip [netmask mask][dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

For example, the following policy static NAT example shows a single REAL address that is translated to two MAPPED addresses depending on the destination address:

The following translates the REAL address 10.1.1.22 to the MAPPED address 199.100.77.29 when 10.1.1.22 sends traffic to the 200.100.1.0/28 network.
The following also translates the REAL address 10.1.1.22 to the MAPPED address 199.100.77.30 when 10.1.1.22 sends traffic to the 200.100.2.0/28 network:

access-list NAT1 permit ip host 10.1.1.22 200.100.1.0 255.255.255.240
access-list NAT2 permit ip host 10.1.1.22 200.100.2.0 255.255.255.240

static (inside,outside) 199.100.77.29 access-list NAT1
static (inside,outside) 199.100.77.30 access-list NAT2

The following command maps an inside IP address (10.1.1.101) to an outside IP address (64.19.100.101):

static (inside,outside) 64.19.100.101 10.1.1.101 netmask 255.255.255.255

The following command maps the outside address (64.19.100.105) to an inside address (10.1.1.105):

static (outside,inside) 10.1.1.105 64.19.100.105 netmask 255.255.255.255

The following command statically maps an entire subnet:

static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0

Cisco ASA 8.3+
In the newer version of ASA IOS 8.3+, the NAT syntax has changed. Below is an example:

object network TPA-AC-DC01
 host 10.1.1.130
 nat (inside,outside) static 172.22.199.130

Here’s what it looks like in pre 8.3:

static (inside,outside) 172.22.199.130 10.1.1.130 netmask 255.255.255.255

Here’s a good link on Pre-8.3 to 8.3 NAT configuration examples:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Cisco ASA Static NAT

Navigating VPN Tunnel Timeouts: Strategies for Maintaining Secure and Stable Connections

What is Ansible and What Are the Format Options Like YAML

AAA (Cisco Device and ISE Specific)

The Crucial Role of Documentation and Diagrams in IT Infrastructure Projects