
Welcome to Cisco Firewalls Community


Basic questions about ASA static NAT configuration

I have questions about basic static NAT configuration. 


I have a host inside a DMZ and I want an outside host to be able to reach it.


I understand this is a typical scenario in which static NAT would be used, such as if you had a server in a DMZ that outside hosts need to access.  


I'm using the following configuration:


object network WEB-OUTSIDE 

object network WEB-INSIDE 


   nat (dmz,outside) static WEB-OUTSIDE 


The host is in the DMZ.  I've set it to NAT to, which I'm using to represent a global IP address for lab purposes. 


The outside host is /24, and is directly connected, through a layer 2 switch, to the ASA outside interface.


The ASA outside interface is /24.


My basic questions are:

1.  Is it correct, as I have done, to assign the global IP address of, which is not assigned to any host or interface, as the mapped address in the NAT configuration?  Or am I supposed to use the outside interface address on the ASA, which is ?  I'm assuming that since it is a server it should get its own global IP address, and that this global IP address should not need to be assigned to any interface at all.


2. When I ping from the host on the outside network to the host in the DMZ, am I supposed to ping the global IP address, or the real IP address?  I'm using the latest ASAv image.  It makes sense to me to use the global IP address, but I want to confirm my understanding.


3.  Is this NAT configuration sufficient, or does there need to be another NAT statement to let traffic go the other way?  

Hall of Fame Guru

Re: Basic questions about ASA static NAT configuration

Your NAT setup is correct. You don't need a separate statement for the reverse direction.

In addition to NAT you need an access control list (ACL) entry to permit the traffic initiated from the outside to reach the inside.

Also, using ping to test isn't generally recommended since ASAs don't, by default, inspect ICMP messages. Instead use an actual connectivity check like opening a web page on your server. That will use TCP/80 (or 443 for HTTPS) and be more representative of what you actually want (and you should allow only the required protocol and port(s) in your ACL).
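The configuration the reply describes, written out end to end as an added example (it is not from the original post or from the reply's author). The interface names, security levels and every address are assumed placeholders from the RFC 5737 documentation ranges, standing in for the values the question leaves out; the object names are the ones used in the question. Two points the example makes concrete: on ASA 8.3 and later the access list matches the real (DMZ) address, not the mapped one, and the mapped address does not need to exist on any interface because the ASA answers ARP for it on the outside segment.

```cisco
! Added example, not the original poster's or the reply author's configuration.
! All addresses below are assumed placeholders (RFC 5737 ranges); substitute your own.
!
! Interfaces: a higher security level on dmz than on outside is assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Mapped (global) address. It is in the outside subnet but is NOT assigned to
! any host or interface; the ASA proxy-ARPs for it on the outside interface.
object network WEB-OUTSIDE
 host 203.0.113.10
!
! Real address of the server in the DMZ, with the static NAT attached to it.
! A single static rule is bidirectional: outside -> 203.0.113.10 is untranslated
! to 192.0.2.10, and the server's own outbound traffic appears as 203.0.113.10.
object network WEB-INSIDE
 host 192.0.2.10
 nat (dmz,outside) static WEB-OUTSIDE
!
! Traffic from the lower-security outside interface is dropped unless an ACL
! permits it. On 8.3+ the ACL references the REAL address (object WEB-INSIDE),
! and it should permit only the ports the server actually serves.
access-list OUTSIDE-IN extended permit tcp any object WEB-INSIDE eq www
access-list OUTSIDE-IN extended permit tcp any object WEB-INSIDE eq https
!
! Lab only: lets ping through for a quick check. Remove both lines afterwards.
access-list OUTSIDE-IN extended permit icmp any object WEB-INSIDE echo
!
access-group OUTSIDE-IN in interface outside
!
! Lab only: ICMP is not inspected by default, so echo replies from the DMZ
! would be dropped on the way back. Enabling inspection makes ping stateful.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification. An outside host (198.51.100.7 assumed) connects to the MAPPED
! address 203.0.113.10; packet-tracer shows the NAT, ACL and routing decisions.
show nat detail
show access-list OUTSIDE-IN
packet-tracer input outside tcp 198.51.100.7 12345 203.0.113.10 80
show xlate
```

After a real client has connected, `show xlate` should list a static translation between 192.0.2.10 and 203.0.113.10, and the hit counters in `show access-list OUTSIDE-IN` confirm which entry admitted the flow. The two ICMP lines exist only to make the question's ping test work in the lab; for the production rule set, keep just the TCP entries the server needs.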