Static NAT configuration on Cisco ASA Firewall

Static NAT is primarily required when a Data Center or Hub site has WEB Facing Server in DMZ Zone (or Inside Zone if no DMZ) and Users over Internet need to access the Application of Web Facing server. The applications may be Web (HTTP) Server, Email Server or even FTP server. Below is a sample scenario where an Application server is Hosted in DMZ Zone and needs to be access from Outside (Internet) Zone. For testing R1 Router is the users sitting over Internet while R2 is the Web Server in DMZ Zone –

Below is configuration for ASA version 8.3 or older.

1st step is to create Network Object named “WEB-SERVER” and then the translated IP address . Static NAT statement will define which outside address to use.

ASA(config)# object network WEB-SERVER

ASA(config-network-object)# host

ASA(config-network-object)# nat (DMZ,OUTSIDE) static

2nd step includes creating the access list (extended) which allows any source IP address to connect to real IP address

ASA(config)# access-list OUT-TO-DMZ extended permit tcp any host

3rd step includes creation of access-group to apply access list on outside interface.

ASA(config)# access-group OUT-TO-DMZ in interface OUTSIDE
Now that configuration is in place , next we will configure Router R2 (configured as DMZ Server for testing) with Line VTY password “cisco” –

R2(config)#line vty 0 4

R2(config-line)#password cisco


For verification, telnet from R1 (host over Internet) to R2 ( as below –


Trying … Open

User Access Verification



The nat translation over ASA can be viewed by “show xlate” command as below –

ASA(config)# sh xlate detail

1 in use, 1 most used

Flags: D – DNS, d – dump, I – identity, i – dynamic, n – no random,r – portmap, s – static

NAT from DMZ: to outside: flags s

Please follow and like us:

Related Post



Add a Comment