Cisco ASA Static NAT

Below are some examples of policy static NAT and regular (basic) static NAT.

Configuring Policy Static NAT

Command Syntax:
static (REAL_interface,MAPPED_interface) {MAPPED_ip | interface} access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

The following translates the REAL address 10.1.1.22 to the MAPPED address 192.168.1.22 when 10.1.1.22 sends traffic to the 200.100.2.0/28 network:

access-list NAT extended permit ip host 10.1.1.22 200.100.2.0 255.255.255.240
static (inside,outside) 192.168.1.22 access-list NAT

Cisco’s best practice is to configure only PERMIT ACEs in a policy NAT access list.

The same configuration is used for hosts that originate a connection to the mapped address. If a host on the 20.100.2.0/28 network initiates the connection to 192.168.1.22, that host becomes the source.

One last thing: when you translate an entire /24 network, the ASA also translates the .0 and .255 addresses. To prevent this, configure an ACL that denies access to those addresses.

Configuring Regular Static NAT

Command Syntax:
static (REAL_interface,MAPPED_interface) {MAPPED_ip | interface} REAL_ip [netmask mask][dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

The following policy static NAT example shows a single REAL address translated to two different MAPPED addresses depending on the destination address:

It translates the REAL address 10.1.1.22 to the MAPPED address 199.100.77.29 when 10.1.1.22 sends traffic to the 200.100.1.0/28 network, and to the MAPPED address 199.100.77.30 when 10.1.1.22 sends traffic to the 200.100.2.0/28 network:

access-list NAT1 permit ip host 10.1.1.22 200.100.1.0 255.255.255.240
access-list NAT2 permit ip host 10.1.1.22 200.100.2.0 255.255.255.240

static (inside,outside) 199.100.77.29 access-list NAT1
static (inside,outside) 199.100.77.30 access-list NAT2
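To see how the ASA picks between the two mapped addresses, here is a small Python simulation of the policy static NAT lookup. It is an added example, not code from the post or from Cisco: it parses the two access-lists and the two static statements above (embedded as a constructed sample), then answers "what MAPPED address does a packet from this source to this destination get?" It assumes first-match ordering of the statics and, as a generalization beyond the host-only ACEs above, handles network-sized ACE sources by adding the host offset to the mapped base address, which is what makes the .0 and .255 caveat visible for a /24. Only permit ip ACEs are accepted, in line with the best practice above; the interface keyword form of static is not handled.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed sample: the two-ACL policy static NAT configuration from this post.
SAMPLE_CONFIG = """
access-list NAT1 permit ip host 10.1.1.22 200.100.1.0 255.255.255.240
access-list NAT2 permit ip host 10.1.1.22 200.100.2.0 255.255.255.240
static (inside,outside) 199.100.77.29 access-list NAT1
static (inside,outside) 199.100.77.30 access-list NAT2
"""

# Policy static NAT form only: static (real_if,mapped_if) MAPPED access-list NAME
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+access-list\s+(?P<acl>\S+)"
)


def _take_addr(tokens: List[str]) -> Net:
    """Consume one ACE address spec: 'host A', 'any', or 'NETWORK MASK'."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")


def parse_config(text: str) -> Tuple[Dict[str, List[Tuple[Net, Net]]], List[dict]]:
    """Collect ACLs (name -> [(src_net, dst_net)]) and policy static statements.

    Only 'permit ip' ACEs are accepted, matching the post's advice to configure
    permit ACEs only; anything else is rejected rather than silently ignored.
    """
    acls: Dict[str, List[Tuple[Net, Net]]] = {}
    statics: List[dict] = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "access-list":
            name, rest = parts[1], parts[2:]
            if rest and rest[0] == "extended":
                rest.pop(0)
            action, proto = rest.pop(0), rest.pop(0)
            if action != "permit" or proto != "ip":
                raise ValueError(f"only 'permit ip' ACEs are handled: {raw!r}")
            src, dst = _take_addr(rest), _take_addr(rest)
            acls.setdefault(name, []).append((src, dst))
        elif parts[0] == "static":
            m = STATIC_RE.match(raw.strip())
            if not m or m.group("mapped") == "interface":
                raise ValueError(f"unsupported static form: {raw!r}")
            statics.append(m.groupdict())
    return acls, statics


def lookup(acls, statics, real_if: str, src_ip: str, dst_ip: str) -> Optional[str]:
    """Return the MAPPED address for a packet from src_ip to dst_ip entering real_if.

    Statics are evaluated in configuration order and the first one whose ACL
    permits the (source, destination) pair wins. When the ACE source is a
    network rather than a host, the mapped address is the mapped base plus the
    host offset, so a /24 policy static also maps .0 and .255 (the caveat the
    post raises). Returns None when no policy static applies.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for st in statics:
        if st["real_if"] != real_if:
            continue
        for ace_src, ace_dst in acls.get(st["acl"], []):
            if src in ace_src and dst in ace_dst:
                offset = int(src) - int(ace_src.network_address)
                base = int(ipaddress.ip_address(st["mapped"]))
                return str(ipaddress.ip_address(base + offset))
    return None


if __name__ == "__main__":
    acls, statics = parse_config(SAMPLE_CONFIG)
    for dst in ("200.100.1.5", "200.100.2.9", "8.8.8.8"):
        mapped = lookup(acls, statics, "inside", "10.1.1.22", dst)
        print(f"10.1.1.22 -> {dst}: mapped as {mapped}")
```

Running the script shows 10.1.1.22 mapped to 199.100.77.29 toward 200.100.1.0/28, to 199.100.77.30 toward 200.100.2.0/28, and not translated at all toward any other destination, which is the behaviour the two statics above describe.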

The following command maps an inside IP address (10.1.1.101) to an outside IP address (64.19.100.101):

static (inside,outside) 64.19.100.101 10.1.1.101 netmask 255.255.255.255

The following command maps the outside address (64.19.100.105) to an inside address (10.1.1.105):

static (outside,inside) 10.1.1.105 64.19.100.105 netmask 255.255.255.255

The following command statically maps an entire subnet:

static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0

Cisco ASA 8.3+
In newer ASA IOS versions (8.3+), the NAT syntax has changed. Below is an example:

object network TPA-AC-DC01
 host 10.1.1.130
 nat (inside,outside) static 172.22.199.130

Here’s what the same translation looks like in pre-8.3 syntax:

static (inside,outside) 172.22.199.130 10.1.1.130 netmask 255.255.255.255
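For anyone migrating a pre-8.3 config, here is an added Python converter (not the post's or Cisco's code) that rewrites the regular static command into the 8.3+ object NAT form shown above. A /32 netmask becomes a host object with an inline mapped address, exactly as in the example; for a larger netmask the example emits a subnet object and a second, same-sized mapped network object named <object_name>-MAPPED, referenced from the nat line. That mapped-object form, the -MAPPED suffix and the auto-generated obj-<REAL_ip> names are this example's own assumptions. Trailing options such as dns or norandomseq and the interface keyword are rejected rather than silently dropped, and a static whose address has host bits set under its netmask is rejected too.

```python
import ipaddress
import re
from typing import List

# Pre-8.3 regular static NAT form handled here (no trailing options):
#   static (real_if,mapped_if) MAPPED_ip REAL_ip netmask MASK
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)\s*$"
)


def convert_static(line: str, object_name: str) -> List[str]:
    """Translate one pre-8.3 regular static command into 8.3+ object NAT lines.

    object_name is chosen by the caller (the old syntax carries no name).
    A /32 netmask becomes a host object with an inline mapped address, as in
    the post's 8.3 example; a larger netmask becomes a subnet object whose
    mapped side is a second, same-sized network object named
    <object_name>-MAPPED (a naming convention assumed by this example).
    """
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(
            f"not a plain regular static with netmask (trailing options unsupported): {line!r}"
        )
    real_if, mapped_if = m.group("real_if"), m.group("mapped_if")
    mapped, real, mask = m.group("mapped"), m.group("real"), m.group("mask")
    if mapped == "interface":
        raise ValueError("the 'interface' keyword form is not handled here")
    # strict=True rejects a static whose address has host bits set under the
    # mask, which would otherwise translate a different network than intended.
    real_net = ipaddress.ip_network(f"{real}/{mask}", strict=True)
    mapped_net = ipaddress.ip_network(f"{mapped}/{mask}", strict=True)

    if real_net.prefixlen == 32:
        return [
            f"object network {object_name}",
            f" host {real_net.network_address}",
            f" nat ({real_if},{mapped_if}) static {mapped_net.network_address}",
        ]
    mapped_name = f"{object_name}-MAPPED"
    return [
        f"object network {mapped_name}",
        f" subnet {mapped_net.network_address} {mapped_net.netmask}",
        f"object network {object_name}",
        f" subnet {real_net.network_address} {real_net.netmask}",
        f" nat ({real_if},{mapped_if}) static {mapped_name}",
    ]


def convert_config(text: str) -> List[str]:
    """Convert every regular static line in a fragment; other lines pass through.

    Object names are auto-generated as obj-<REAL_ip>, an assumption of this
    example rather than a convention the post documents.
    """
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            out.extend(convert_static(line, f"obj-{m.group('real')}"))
        elif line:
            out.append(line)
    return out


if __name__ == "__main__":
    # Constructed input: the post's own pre-8.3 examples.
    sample = """
static (inside,outside) 172.22.199.130 10.1.1.130 netmask 255.255.255.255
static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0
"""
    print("\n".join(convert_config(sample)))
```

Run it on a saved pre-8.3 fragment and diff the output against what the ASA's own upgrade produced; any line the script refuses (trailing options, interface keyword, host bits under the mask) is one worth reviewing by hand rather than converting blindly.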

Here’s a good link on Pre-8.3 to 8.3 NAT configuration examples:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
