Configure Static NAT on a Cisco ASA

A common request is to enable external access to a web or mail server from the internet. The process is known as static (one-to-one) NAT, also known as port forwarding.

This solution is for Cisco ASAs running version 8.2 or lower. If you have 8.3 or higher, see:
http://www.petenetlive.com/KB/Article/0000691.htm

The first step is to configure your network object(s).

1. Connect to ASDM by browsing to the IP address of your firewall over HTTPS.
2. Download the ASDM Launcher and log in with your username and password.
3. Go to Configuration > Objects > Network Objects/Groups. Add any internal hosts which you would like to be accessed from outside the network. In this example I will forward SMTP port 25 to my internal mail server. Click Add > Network Object…
Input a name, IP address, description and change the subnet mask to all 255’s. Click OK.
4. Go to Configuration > NAT Rules. Click Add > Add Static NAT Rule….

In source select the network object you just created. Change the Translated Interface to Outside. In my case I have a Dynamic IP address assigned by my ISP so I have selected “Use Interface IP Address”; but if you have a static IP, input it here.

Click the checkbox “Enable Port Address Translation (PAT)” and input the desired port. Make sure you click Apply after.
5. Go to Configuration > Access Rules. Click Add. In destination select your Network Object. In Service browse to find what you want.

If you can’t find a pre-defined service you can type TCP/3389, UDP/5061 or whatever port you require. Click OK.

Now we should be all set to go!

Normally I will use Telnet to test the configuration works as expected. This may be difficult if you don’t have an external network available to test with. I tend to use my mobile as a Wifi Hotspot and connect to it with my laptop. You can do this with the latest iPhone and Android devices.
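
As an alternative to a manual Telnet session, the following added example (not part of the original post) makes the same test from an external network and reports whether the forwarded SMTP port answered, was refused, or timed out. The function names `probe_forward` and `verdict` are hypothetical, and the default target `192.0.2.10` is a documentation placeholder for your outside IP address.

```python
"""Added example: test a forwarded port from outside the firewall."""
import socket
import sys


def probe_forward(host, port, timeout=5.0):
    """Open one TCP connection and classify the result, reading any banner."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"state": "refused", "banner": None}
    except socket.timeout:
        return {"state": "timeout", "banner": None}
    except OSError as exc:  # DNS failure, no route, etc.
        return {"state": "error", "banner": str(exc)}
    with sock:
        try:
            banner = sock.recv(512).decode("ascii", "replace").strip() or None
        except OSError:  # server sent nothing within the timeout, or reset
            banner = None
    return {"state": "open", "banner": banner}


def verdict(result, expect_prefix="220"):
    """Turn a probe result into a hint about which rule to re-check."""
    state, banner = result["state"], result["banner"]
    if state == "open" and banner and banner.startswith(expect_prefix):
        return "OK: port is forwarded and the expected service answered"
    if state == "open":
        return "CHECK: port open but greeting unexpected; verify the NAT rule's host and port"
    if state == "refused":
        return "CHECK: connection refused; is the service listening on the internal host?"
    if state == "timeout":
        return "CHECK: no reply; re-check the NAT rule, the access rule and that you clicked Apply"
    return "ERROR: " + str(banner)


if __name__ == "__main__":
    # Placeholder target (documentation address); pass your outside IP and port.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    result = probe_forward(host, port)
    print(host, port, result["state"], repr(result["banner"]))
    print(verdict(result))
```

The `220` prefix matches the SMTP greeting used in this walkthrough; for a service that does not send a greeting on connect, an `open` state alone confirms the forward.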
