elpollodiablo
Beginner

ASA 9.9 Static NAT (not Network Object NAT)

Really simple question for a newb:

I have a single web server that I want to share on a static IP. I'll handle the ports via ACL instead of at the NAT level.

Inside Address: webhost-in 192.168.28.11

Desired Outside Address: webhost-out 1.2.3.4 (obviously hypothetical)

What I think the command should be is:

nat (outside,inside) source static webhost-in webhost-out no-proxy-arp

I've been out of the firewall management game since around 8.2, and I'm not sure if the commands are similar to what they used to be.

4 REPLIES
gbekmezi-DD
Contributor

If you just want to do a single 1 to 1 NAT, you should probably look at network object NAT:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/firewall/asa-99-firewall-config/nat-reference.pdf


Rob Ingram
VIP Mentor

Hi,

NAT has changed between 8.2 and 9.x. Here is an example for 9.x (you may need to change the inside, outside nameif if different in your environment):

object network WEBHOST
 host 192.168.28.11
 nat (inside,outside) static 1.2.3.4
access-list OUTSIDE->IN permit tcp any object WEBHOST eq 443

HTH

Should proxy arp be enabled or disabled for this?  There's another concept that just soars right over my head.

If the NAT IP address used is on the same subnet as the interface, then you should probably enable proxy ARP for that NAT statement.
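
For reference, the manual (twice) NAT form that the original question asks about, together with the ACL binding and verification commands, as an added example that is not from any poster in this thread. It assumes the interface names inside and outside, a hypothetical ACL name OUTSIDE_IN, and a constructed test source address 203.0.113.10.

```cisco
! Added example for ASA 9.x. Addresses are the ones used in the thread;
! interface names (inside/outside) and the ACL name are assumptions.
!
! Manual NAT references objects, so define the real and mapped hosts first.
object network webhost-in
 host 192.168.28.11
object network webhost-out
 host 1.2.3.4
!
! Manual (twice) NAT: (real_interface,mapped_interface), then real object,
! then mapped object. No port translation; ports are restricted by the ACL.
! Proxy ARP is on by default. Per the last reply, keep it on when 1.2.3.4 is
! in the outside interface's subnet; append no-proxy-arp only when the
! upstream router routes 1.2.3.4 to the ASA's outside address.
nat (inside,outside) source static webhost-in webhost-out
!
! Since 8.3 the interface ACL matches the real (untranslated) address,
! so the permit entry names webhost-in, not webhost-out.
access-list OUTSIDE_IN extended permit tcp any object webhost-in eq 443
!
! An access-list does nothing until it is bound to an interface.
access-group OUTSIDE_IN in interface outside
!
! Verification (exec-mode commands):
! show nat detail   - rule order and translate_hits / untranslate_hits
! show xlate        - the static translation entry for 192.168.28.11
! packet-tracer     - simulates an inbound HTTPS connection to the mapped
!                     address from a constructed outside source
show nat detail
show xlate
packet-tracer input outside tcp 203.0.113.10 12345 1.2.3.4 443
```

In the packet-tracer output, the UN-NAT phase should show 1.2.3.4 being untranslated to 192.168.28.11 and the ACCESS-LIST phase should match the OUTSIDE_IN permit entry; a drop at the ACCESS-LIST phase points at the ACL or its binding rather than at NAT.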