This video and documentation is based on ASA software version 9.0(1) and applies to version 8.3 and later.
- Create a network object identifying the internal host
- Within the network object that you just created, create a NAT statement identifying the outside interface, its IP address, and the type of traffic to be forwarded to the internal host
- Create an Access-Control List to permit the traffic flow from the lower-security outside interface to the higher-security inside interface (traffic that the interface security levels would otherwise block).
- Apply the Access-Group to the outside interface.
object network InternalHost
 host 192.168.102.5
 nat (inside,outside) static interface service tcp 80 80
Note: In the static NAT statement above, the keyword interface tells NAT to use whatever address is currently assigned to the outside interface. The first 80 is the port the internal host listens on (the real port); the second 80 is the port outside clients connect to on the outside interface address (the mapped port).
Build the Access-Control List
Build the Access-Control List to permit the traffic flow (this statement goes on a single line):
access-list OutsideToWebServer permit tcp any host 192.168.102.5 eq www
Apply the Access-Control List
Apply the ACL to the outside interface using the Access-Group command:
access-group OutsideToWebServer in interface outside
This is the complete configuration:
When successfully implemented, this configuration will permit a host on the outside network, such as the public Internet, to connect to the internal Web server using the address on the ASA's outside interface.
Configuring the ASA with Multiple Outside Interface Addresses
It is not possible to assign multiple IP addresses to the outside interface on a Cisco ASA Security Appliance. It is possible, however, to configure the ASA to forward different outside addresses to different hosts on the inside network. For example, suppose you have a /29 block of addresses assigned by your ISP, and on the inside network you have a mail server using POP3 and SMTP and a Web server using HTTP and HTTPS. You want each of the servers to be reachable via a different outside address. You can configure static NAT to accomplish this.
Use this diagram with the documentation. As above, in the real world the outside interface would probably be configured with registered, public addresses instead of the RFC 1918 addresses shown here.
The steps are similar to single-address static NAT configuration:
- Configure a network object for each internal host with a static NAT statement specifying the outside address to be used and the service types (port numbers) to be forwarded.
- Configure access-control lists to permit the traffic flows.
- Apply the access-control lists to the outside interface with an access-group statement.
Configure Network Objects
These identify the internal hosts, the desired outside IP address, and the type of service to be forwarded. (The exclamation marks are for formatting to improve readability and are not required for the configuration.)
object network WebServer-HTTP
 host 192.168.102.5
 nat (inside,outside) static 192.168.1.194 service tcp 80 80
object network WebServer-HTTPS
 host 192.168.102.5
 nat (inside,outside) static 192.168.1.194 service tcp 443 443
object network MailServer-SMTP
 host 192.168.102.6
 nat (inside,outside) static 192.168.1.195 service tcp 25 25
object network MailServer-POP3
 host 192.168.102.6
 nat (inside,outside) static 192.168.1.195 service tcp 110 110
Note: In the above configurations, the host statement identifies the internal server (192.168.102.5 is the Web server and 192.168.102.6 is the mail server). The NAT statement identifies the external address used to forward the specified packets to the internal host.
Configure Access-Control List
This Access-Control List permits the traffic flows from the lower-security outside interface to the higher-security inside interface (each access-list statement goes on a single line). Note that on ASA 8.3 and later the ACL references the real (inside) addresses of the servers, not the mapped outside addresses.
access-list OutsideToInside permit tcp any host 192.168.102.5 eq 80
access-list OutsideToInside permit tcp any host 192.168.102.5 eq 443
access-list OutsideToInside permit tcp any host 192.168.102.6 eq 25
access-list OutsideToInside permit tcp any host 192.168.102.6 eq 110
Apply the Access-Control List to the Outside Interface
access-group OutsideToInside in interface outside
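The single-address and multi-address procedures above both depend on the static NAT objects and the outside ACL agreeing on the same real address and port. The following added example (not part of the original article or of any Cisco tool) parses a constructed copy of the multi-address fragments and reports two kinds of mismatch a reviewer would want to catch: a forwarded port with no applied ACL permit (the flow is silently dropped), and an applied ACL permit for a port that no static NAT forwards (needless exposure). The regexes only cover the exact line shapes used in this article.

```python
import re
# Constructed sample input: the article's multi-address objects, ACL and
# access-group re-typed as test data (not an ASA export).
SAMPLE_CONFIG = """\
object network WebServer-HTTP
 host 192.168.102.5
 nat (inside,outside) static 192.168.1.194 service tcp 80 80
object network WebServer-HTTPS
 host 192.168.102.5
 nat (inside,outside) static 192.168.1.194 service tcp 443 443
object network MailServer-SMTP
 host 192.168.102.6
 nat (inside,outside) static 192.168.1.195 service tcp 25 25
access-list OutsideToInside permit tcp any host 192.168.102.5 eq www
access-list OutsideToInside permit tcp any host 192.168.102.5 eq 443
access-list OutsideToInside permit tcp any host 192.168.102.6 eq 25
access-group OutsideToInside in interface outside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110}
NAT_RE = re.compile(r"nat \(inside,outside\) static (\S+) service tcp (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) permit tcp any host (\S+)(?: eq (\S+))?$")
GRP_RE = re.compile(r"access-group (\S+) in interface outside")
def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def audit(config):
    """Return findings where static NAT forwards and the outside ACL disagree."""
    forwards, permits, applied, host = {}, {}, set(), None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("host "):
            host = line.split()[1]  # real (inside) address of the current object
        elif m := NAT_RE.match(line):
            # 'service tcp <real-port> <mapped-port>'; 8.3+ ACLs match real address/port
            forwards[(host, _port(m[2]))] = f"{m[1]}:{_port(m[3])}"
        elif m := ACL_RE.match(line):
            permits[(m[2], _port(m[3]) if m[3] else "any")] = m[1]
        elif m := GRP_RE.match(line):
            applied.add(m[1])
    findings = []
    for (ip, prt), mapped in forwards.items():
        if permits.get((ip, prt)) not in applied and permits.get((ip, "any")) not in applied:
            findings.append(f"no applied ACL permit for {ip}:{prt} (mapped to {mapped})")
    for (ip, prt), acl in permits.items():  # unapplied ACLs do not affect the flow
        if acl in applied and prt == "any":
            findings.append(f"{acl} opens all TCP ports to {ip}; only forwarded ports are needed")
        elif acl in applied and (ip, prt) not in forwards:
            findings.append(f"{acl} permits {ip}:{prt} but no static NAT forwards that port")
    return findings
```

Running audit() on the sample returns an empty list; editing one ACL port, or dropping the access-group line, produces a finding per affected flow.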
Here is the complete configuration:
For more information about configuring the Cisco ASA Security Appliance, please see my book The Accidental Administrator: Cisco ASA Security Appliance, available through Amazon and other resellers or through the soundtraining.net bookstore. Also, consider attending my Cisco ASA Security Appliance 101 workshop, either a public, open-enrollment workshop or available for onsite training at your location with your group. More information is available here.
You have permission to reprint this article in your newsletter, blog, website, or publication if you include the following paragraph:
Don R. Crawley is a longtime geek and President/Chief Technologist of soundtraining.net with more than 35 years in workplace technology. He holds multiple technical certifications and is the author of numerous books on information systems and technology, including The Accidental Administrator: Cisco ASA Security Appliance. He has spoken to audiences worldwide on both technical topics and IT customer service. His clients include well-known names such as Facebook, Kraft, Discover Card, Colgate University, State of Washington, State of California, City of Los Angeles, Perot Systems, the United States Pacific Command, the US Navy, Mercy Corps, and hundreds of others. To view this Seattle IT pro's upcoming events or to receive free Cisco tutorials, Linux tutorials, IT customer service tips, and other guides that will help you with Cisco training, Linux training, customer service training, and other skills you need to know to build a great career in IT, visit www.soundtraining.net or contact us at firstname.lastname@example.org or 206-988-5858.