Static NAT configuration on Cisco ASA Firewall

Static NAT is primarily required when a Data Center or Hub site has WEB Facing Server in DMZ Zone (or Inside Zone if no DMZ) and Users over Internet need to access the Application of Web Facing server. The applications may be Web (HTTP) Server, Email Server or even FTP server. Below is a sample scenario where an Application server is Hosted in DMZ Zone and needs to be access from Outside (Internet) Zone. For testing R1 Router is the users sitting over Internet while R2 is the Web Server in DMZ Zone –

Below is configuration for ASA version 8.3 or older.

1st step is to create Network Object named “WEB-SERVER” and then the translated IP address . Static NAT statement will define which outside address to use.

ASA(config)# object network WEB-SERVER

ASA(config-network-object)# host 192.168.0.10

ASA(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.1.10

2nd step includes creating the access list (extended) which allows any source IP address to connect to real IP address 192.168.0.10

ASA(config)# access-list OUT-TO-DMZ extended permit tcp any host 192.168.0.10

3rd step includes creation of access-group to apply access list on outside interface.

ASA(config)# access-group OUT-TO-DMZ in interface OUTSIDE
Now that configuration is in place , next we will configure Router R2 (configured as DMZ Server for testing) with Line VTY password “cisco” –

R2(config)#line vty 0 4

R2(config-line)#password cisco

R2(config-line)#login

For verification, telnet from R1 (host over Internet) to R2 (192.168.0.10) as below –

R1#192.168.1.10

Trying 192.168.1.10 … Open

User Access Verification

Password:

R2>

The nat translation over ASA can be viewed by “show xlate” command as below –

ASA(config)# sh xlate detail

1 in use, 1 most used

Flags: D – DNS, d – dump, I – identity, i – dynamic, n – no random,r – portmap, s – static

NAT from DMZ:192.168.0.10 to outside:192.168.1.10 flags s




Please follow and like us:

Related Post

Comments

comments

Add a Comment