Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1826
Views
10
Helpful
4
Replies

ASA 9.9 Static NAT (not Network Object NAT)

elpollodiablo
Level 1
Level 1

‎09-19-2018 01:32 PM - edited ‎02-21-2020 08:15 AM

Really simple question for a newb:

 

I have a single web server that I want to share on a static IP.  I'll handle the ports via ACL instead of at the NAT level.

 

Inside Address:  webhost-in 192.168.28.11

Desired Outside Address:  webhost-out 1.2.3.4 (obviously hypothetical)

 

What I think the command should be is:

 

nat (outside,inside) source static webhost-in webhost-out no-proxy-arp

 

I've been out of the firewall management game since around 8.2, and I'm not sure if the commands are similar to what they used to be.

 

0 Helpful
4 Replies 4

gbekmezi-DD
Level 5
Level 5

‎09-19-2018 01:42 PM

If you just want to do a single 1 to 1 NAT, you should probably look at network object NAT:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/firewall/asa-99-firewall-config/nat-reference.pdf


Rob Ingram
VIP
VIP

‎09-19-2018 02:11 PM

Hi,

NAT has changed between 8.2 and 9.x, here is an example for 9.x:- (you may need to change the inside, outside nameif if different in your environment).

 

object network WEBHOST
 host 192.168.28.11
 nat (inside,outside) static 1.2.3.4
access-list OUTSIDE->IN permit tcp any object WEBHOST eq 443

 

HTH

elpollodiablo
Level 1
Level 1
In response to Rob Ingram

‎09-19-2018 02:38 PM

Should proxy arp be enabled or disabled for this?  There's another concept that just soars right over my head.

0 Helpful

gbekmezi-DD
Level 5
Level 5
In response to elpollodiablo

‎09-20-2018 03:11 PM

If the NAT IP address used is on the same subnet as the interface then you should probably enable proxy arp for that NAT statement.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top