ASA 9.9 Static NAT (not Network Object NAT)

elpollodiablo
Beginner

Really simple question for a newb:

 

I have a single web server that I want to share on a static IP.  I'll handle the ports via ACL instead of at the NAT level.

 

Inside Address:  webhost-in 192.168.28.11

Desired Outside Address:  webhost-out 1.2.3.4 (obviously hypothetical)

 

What I think the command should be is:

 

nat (outside,inside) source static webhost-in webhost-out no-proxy-arp

 

I've been out of the firewall management game since around 8.2, and I'm not sure if the commands are similar to what they used to be.

 

4 Replies

gbekmezi-DD
Contributor
If you just want to do a single 1 to 1 NAT, you should probably look at network object NAT:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/firewall/asa-99-firewall-config/nat-reference.pdf


Rob Ingram
VIP Master

Hi,

NAT has changed between 8.2 and 9.x. Here is an example for 9.x (you may need to change the inside and outside nameif if they are different in your environment):

 

object network WEBHOST
 host 192.168.28.11
 nat (inside,outside) static 1.2.3.4
access-list OUTSIDE->IN permit tcp any object WEBHOST eq 443

 

HTH

Should proxy arp be enabled or disabled for this?  There's another concept that just soars right over my head.

If the NAT IP address used is on the same subnet as the interface then you should probably enable proxy arp for that NAT statement.
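
The manual (twice) NAT form that the thread title asks about, written out in full as an added example that is not part of any reply above. The interface pair is given in (real,mapped) order and the ACL matches the real inside address, which is how 8.3 and later evaluate it. The interface names inside/outside, the ACL name OUTSIDE_IN and the test source 203.0.113.10 are assumptions; the host addresses are the ones from the question.

```text
! Constructed example. Object names and addresses are from the question;
! OUTSIDE_IN and 203.0.113.10 are assumed values for illustration.
object network webhost-in
 host 192.168.28.11
object network webhost-out
 host 1.2.3.4
!
! Manual NAT: real interface first, mapped interface second.
! Proxy ARP for the mapped address is on by default; the no-proxy-arp
! keyword at the end of this line turns it off.
nat (inside,outside) source static webhost-in webhost-out
!
! Ports are restricted in the ACL, not in the NAT rule.
! The destination is the real (inside) address, not 1.2.3.4.
access-list OUTSIDE_IN extended permit tcp any object webhost-in eq 443
access-group OUTSIDE_IN in interface outside
!
! Verification from privileged EXEC mode:
! rule order and hit counts, the active translation, and a simulated
! inbound HTTPS connection to the mapped address.
show nat detail
show xlate
packet-tracer input outside tcp 203.0.113.10 12345 1.2.3.4 443
```

In the packet-tracer output, the UN-NAT phase should show 1.2.3.4 rewritten to 192.168.28.11 and the ACCESS-LIST phase should show the permit from OUTSIDE_IN; a port other than 443 should end in a drop.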