Beginner

ASA 9.9 Static NAT (not Network Object NAT)

Really simple question for a newb:

I have a single web server that I want to share on a static IP. I'll handle the ports via ACL instead of at the NAT level.

Inside Address: webhost-in 192.168.28.11

Desired Outside Address: webhost-out 1.2.3.4 (obviously hypothetical)

What I think the command should be is:

nat (outside,inside) source static webhost-in webhost-out no-proxy-arp

I've been out of the firewall management game since around 8.2, and I'm not sure if the commands are similar to what they used to be.

Contributor

Re: ASA 9.9 Static NAT (not Network Object NAT)

If you just want to do a single 1 to 1 NAT, you should probably look at network object NAT:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/firewall/asa-99-firewall-config/nat-reference.pdf


VIP Advisor

Re: ASA 9.9 Static NAT (not Network Object NAT)

Hi,

NAT has changed between 8.2 and 9.x. Here is an example for 9.x (you may need to change the inside and outside nameif if they are different in your environment):

object network WEBHOST
 host 192.168.28.11
 nat (inside,outside) static 1.2.3.4
access-list OUTSIDE->IN permit tcp any object WEBHOST eq 443

HTH

Beginner

Re: ASA 9.9 Static NAT (not Network Object NAT)

Should proxy arp be enabled or disabled for this?  There's another concept that just soars right over my head.

Contributor

Re: ASA 9.9 Static NAT (not Network Object NAT)

If the NAT IP address used is on the same subnet as the interface then you should probably enable proxy arp for that NAT statement.
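
The rule of thumb in the last reply, as an added example that is not part of the original thread: a Python check that reads an ASA-style configuration and reports, for each static object NAT, whether the mapped address sits inside the connected subnet of the mapped interface. The sample configuration, the outside interface addressing (1.2.3.1/29) and the MAILHOST object are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample config (not from the thread); interface addressing is assumed.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 1.2.3.1 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.28.1 255.255.255.0
object network WEBHOST
 host 192.168.28.11
 nat (inside,outside) static 1.2.3.4
object network MAILHOST
 host 192.168.28.12
 nat (inside,outside) static 5.6.7.8
"""

def interface_networks(config):
    """Map each nameif to the connected network of that interface."""
    nets, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and nameif:
            nets[nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    return nets

def proxy_arp_report(config):
    """Return {object: (mapped_ip, mapped_ifc, on_subnet)} for static object NAT."""
    nets, report, obj = interface_networks(config), {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # top-level line opens a new config section
            obj = line.split()[2] if line.startswith("object network ") else None
            continue
        m = re.match(r"\s+nat \(([^,\s]+),([^)\s]+)\) static (\d+\.\d+\.\d+\.\d+)", line)
        if m and obj:
            mapped = ipaddress.ip_address(m[3])
            # On-subnet mapped address: the upstream router ARPs for it, so the
            # ASA has to answer (proxy ARP). Off-subnet: the upstream device
            # needs a route pointing at the ASA instead.
            report[obj] = (str(mapped), m[2], mapped in nets.get(m[2], ()))
    return report
```

An entry whose third field is `True` is one where `no-proxy-arp` would leave the mapped address unreachable from the upstream router.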