ASA 9.9 Static NAT (not Network Object NAT)

elpollodiablo
Level 1

Really simple question for a newb:

I have a single web server that I want to share on a static IP. I'll handle the ports via ACL instead of at the NAT level.

Inside Address:  webhost-in 192.168.28.11

Desired Outside Address:  webhost-out 1.2.3.4 (obviously hypothetical)

What I think the command should be is:

nat (outside,inside) source static webhost-in webhost-out no-proxy-arp

I've been out of the firewall management game since around 8.2, and I'm not sure if the commands are similar to what they used to be.

4 Replies

gbekmezi-DD
Level 5
If you just want to do a single 1 to 1 NAT, you should probably look at network object NAT:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/firewall/asa-99-firewall-config/nat-reference.pdf


Hi,

NAT has changed between 8.2 and 9.x. Here is an example for 9.x (you may need to change the inside, outside nameif if different in your environment):

object network WEBHOST
 host 192.168.28.11
 nat (inside,outside) static 1.2.3.4
access-list OUTSIDE->IN permit tcp any object WEBHOST eq 443

HTH

Should proxy arp be enabled or disabled for this?  There's another concept that just soars right over my head.

If the NAT IP address used is on the same subnet as the interface then you should probably enable proxy arp for that NAT statement.
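
The manual (twice) NAT form asked about in the thread title, together with the access rule and proxy ARP behaviour discussed in the replies, as an added example that is not part of any post above. It assumes the interfaces are named inside and outside and that 1.2.3.4 sits in the outside interface's subnet; the ACL name OUTSIDE_IN and the test source 203.0.113.10 are made up for illustration.

```cisco
! Added example; object names reuse the ones from the question.
object network webhost-in
 host 192.168.28.11
object network webhost-out
 host 1.2.3.4
!
! Manual NAT: (real_ifc,mapped_ifc) source static <real> <mapped>.
! no-proxy-arp is left off, so the ASA answers ARP for 1.2.3.4 on outside
! (assumption: 1.2.3.4 is in the outside interface's subnet).
nat (inside,outside) source static webhost-in webhost-out
!
! On 8.3 and later the interface ACL matches the real (inside) address,
! so the rule references webhost-in, as the reply's ACL references WEBHOST.
access-list OUTSIDE_IN extended permit tcp any object webhost-in eq 443
access-group OUTSIDE_IN in interface outside
!
! Checks from privileged EXEC (203.0.113.10 is a constructed source address):
!   show nat detail
!   show xlate
!   packet-tracer input outside tcp 203.0.113.10 12345 1.2.3.4 443
```

In the packet-tracer output, the UN-NAT phase should show 1.2.3.4 translated to 192.168.28.11 and the ACCESS-LIST phase should show the permit; the same trace to any port other than 443 should end in a drop by the implicit deny.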