Static NAT

Static NAT is generally used to provide access from the Outside zone, such as the internet, to a server on the DMZ of your corporate network.

Consider the following topology: there is one server on the DMZ, assumed to have the IP address 172.16.1.50, and users on the internet require access to the server and its FTP service:

The following steps configure static NAT on the ASA using the CLI:

  1. Create a network object, add the server as an object, and create the NAT rule:
ASA-1(config)# object network DMZ-SVR
ASA-1(config-network-object)# host 172.16.1.50
ASA-1(config-network-object)# nat (dmz,outside) static 200.1.1.1
ASA-1(config-network-object)# exit
  2. Create an extended ACL to permit IP traffic from anywhere to the server only:
ASA-1(config)# access-list Out-DMZ extended permit ip any host 172.16.1.50
  3. Apply the ACL on the Outside interface, filtering incoming traffic:
ASA-1(config)# access-group Out-DMZ in interface outside
  4. Create a service policy and apply it on the DMZ interface:
ASA-1(config)# policy-map global-policy
ASA-1(config-pmap)# class inspection_default
ASA-1(config-pmap-c)# access-list ICMP extended permit icmp any any
ASA-1(config)# access-group ICMP in interface dmz
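
The following Python check is an added example, not code from the book. It reads the configuration lines from the steps above (embedded as a constructed sample, prompts removed) and flags any ACL entry bound inbound to an interface that permits every IP protocol from any source to a statically NATed host, which is what the Out-DMZ entry does although the stated requirement is FTP access. The function names are assumptions made for this example.

```python
import re

# Constructed sample: the commands from the steps above, as they would
# appear in the saved configuration (prompts removed).
SAMPLE_CONFIG = """\
object network DMZ-SVR
 host 172.16.1.50
 nat (dmz,outside) static 200.1.1.1
access-list Out-DMZ extended permit ip any host 172.16.1.50
access-group Out-DMZ in interface outside
access-list ICMP extended permit icmp any any
access-group ICMP in interface dmz
"""

def static_nat_hosts(config):
    """Return {real_ip: mapped_ip} for host objects that carry a static NAT rule."""
    hosts, real, in_obj = {}, None, False
    for line in config.splitlines():
        if not line.startswith(" "):
            # A top-level command ends any previous object sub-mode.
            in_obj, real = line.startswith("object network "), None
        elif in_obj and (m := re.match(r" host (\S+)$", line)):
            real = m.group(1)
        elif in_obj and real and (m := re.match(r" nat \(\S+,\S+\) static (\S+)", line)):
            hosts[real] = m.group(1)
    return hosts

def broad_permits(config):
    """Find inbound-bound ACEs permitting all IP from any source to a NATed host."""
    hosts = static_nat_hosts(config)
    # ACL name -> interface, for ACLs applied inbound with access-group.
    bound = dict(re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M))
    findings = []
    for acl, dst in re.findall(
            r"^access-list (\S+) extended permit ip any host (\S+)", config, re.M):
        if acl in bound and dst in hosts:
            findings.append((acl, bound[acl], dst, hosts[dst]))
    return findings

if __name__ == "__main__":
    for acl, iface, real, mapped in broad_permits(SAMPLE_CONFIG):
        print(f"{acl} (in, {iface}): every IP protocol and port on {real} "
              f"is reachable via {mapped}")
```

Rewriting the entry as `access-list Out-DMZ extended permit tcp any host 172.16.1.50 eq ftp` limits it to the FTP control port, and the check then returns no findings.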