ASA 9.9 Static NAT (not Network Object NAT)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-19-2018 01:32 PM - edited 02-21-2020 08:15 AM
Really simple question for a newb:
I have a single web server that I want to share on a static IP. I'll handle the ports via ACL instead of at the NAT level.
Inside Address: webhost-in 192.168.28.11
Desired Outside Address: webhost-out 1.2.3.4 (obviously hypothetical)
What I think the command should be is:
nat (outside,inside) source static webhost-in webhost-out no-proxy-arp
I've been out of the firewall management game since around 8.2, and I'm not sure if the commands are similar to what they used to be.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-19-2018 01:42 PM
https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/firewall/asa-99-firewall-config/nat-reference.pdf
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-19-2018 02:11 PM
Hi,
NAT has changed between 8.2 and 9.x, here is an example for 9.x:- (you may need to change the inside, outside nameif if different in your environment).
object network WEBHOST
host 192.168.28.11
nat (inside,outside) static 1.2.3.4
access-list OUTSIDE->IN permit tcp any object WEBHOST eq 443
HTH
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-19-2018 02:38 PM
Should proxy arp be enabled or disabled for this? There's another concept that just soars right over my head.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-20-2018 03:11 PM
