
Cisco Defense Orchestrator

Enable a Server on the Inside Network to Reach the Internet Using a Public IP address

Use Case

Use this NAT strategy when you have a server with a private IP address that needs to be accessed from the internet and you have enough public IP addresses to dedicate one public IP address to that private IP address (a one-to-one static translation). If you have a limited number of public IP addresses, the approach in Make a server on the inside network available to users on a specific port of a public IP address may be more suitable.

Strategy

Your server has a static, private IP address, and users outside your network must be able to reach it. Create a network object NAT rule that translates the static, private IP address to a static, public IP address. Then create an access policy that allows the traffic for that public IP address to reach the private IP address; without that policy the translation alone does not expose the server. Finally, write these changes to your device.

Prerequisites

Before you begin, create two network objects. Name one object servername_inside and the other object servername_outside. The servername_inside network object should contain the private IP address of your server. The servername_outside network object should contain the public IP address of your server. See Create Network Objects for instructions.

Create NAT Rule

  1. On the Devices & Services page, select the device you want to create the NAT rule for.
  2. Click View NAT Rules in the Policy section of the Actions pane.
  3. Click Create NAT Rule > Network Object NAT.
  4. In section 1, Type, select Static. Click Continue.
  5. In section 2, Interfaces, choose inside for the source interface and outside for the destination interface. Click Continue.
  6. In section 3, Packets, perform these actions:
    1. Expand the Original Address menu, click Choose, and select the servername_inside object.
    2. Expand the Translated Address menu, click Choose, and select the servername_outside object.
  7. Click Save.
  8. Write an access policy to allow the traffic to flow from one address to the other.
  9. Return to the Devices & Services page, select the device on which you made this change, and Write changes... to the device.

Entries in the ASA's Saved Configuration File

Here are the entries that are created and appear in an ASA's saved configuration file as a result of this procedure:

Note: This does not apply to FTD devices.

Objects

object network servername_outside
   host 209.165.1.29
object network servername_inside
   host 10.1.2.29

NAT rule

object network servername_inside
   nat (inside,outside) static servername_outside
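As an added example (not part of the CDO documentation or of any Cisco tool), the script below parses the saved-configuration entries listed above, resolves the static translation to its real and mapped addresses, and checks that the access policy called for in step 8 of the procedure actually permits the traffic, and only the intended service. The object names and the 10.1.2.29 / 209.165.1.29 addresses are the page's; the access-list name outside_access_in, the tcp/443 port and the sample configuration text are constructed assumptions. The check applies the ASA 8.3-and-later behaviour that access lists match the real (untranslated) address, so the permit entry must reference servername_inside rather than the public object.

```python
"""Parse the ASA entries produced by the procedure and audit the exposure.

Added example, not CDO or Cisco code. Object names and addresses come from the
page; the access-list name, the tcp/443 port and the config text are assumptions.
"""

# Constructed sample of a saved configuration: the two objects and the NAT rule
# from the page, plus an assumed inbound access policy bound to 'outside'.
SAMPLE_CONFIG = """\
object network servername_outside
 host 209.165.1.29
object network servername_inside
 host 10.1.2.29
access-list outside_access_in extended permit tcp any object servername_inside eq 443
access-group outside_access_in in interface outside
object network servername_inside
 nat (inside,outside) static servername_outside
"""


def _endpoint(tokens, i):
    """Consume one ACL endpoint at tokens[i]: 'any', 'host A.B.C.D' or 'object NAME'."""
    if tokens[i] in ("any", "any4", "any6"):
        return {"kind": "any"}, i + 1
    if tokens[i] in ("host", "object"):
        return {"kind": tokens[i], "value": tokens[i + 1]}, i + 2
    raise ValueError(f"unsupported ACL endpoint: {tokens[i]}")  # subnets etc. not modelled


def parse_asa_config(text):
    """Return network objects, object NAT rules, extended ACLs and access-group bindings."""
    cfg = {"objects": {}, "nat": [], "acls": {}, "groups": {}}
    current = None  # name of the 'object network' block we are inside, if any
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indented = raw[0] in " \t"
        t = raw.split()
        if not indented:
            current = None
        if t[:2] == ["object", "network"]:
            current = t[2]
            cfg["objects"].setdefault(current, None)  # block repeats: host first, nat later
        elif indented and current and t[0] == "host":
            cfg["objects"][current] = t[1]
        elif indented and current and t[0] == "nat" and "static" in t:
            # nat (SRC_IF,DST_IF) static MAPPED_OBJECT
            src_if, dst_if = t[1].strip("()").split(",")
            cfg["nat"].append((current, src_if, dst_if, t[t.index("static") + 1]))
        elif t[0] == "access-list" and len(t) >= 7 and t[2] == "extended":
            # access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
            src, i = _endpoint(t, 5)
            dst, i = _endpoint(t, i)
            port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
            cfg["acls"].setdefault(t[1], []).append(
                {"action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port})
        elif t[0] == "access-group":
            # access-group NAME in|out interface IFACE
            cfg["groups"][t[4]] = (t[1], t[2])
    return cfg


def resolve_static_nat(cfg):
    """Map each static object NAT rule to (real_ip, mapped_ip, src_if, dst_if)."""
    return [(cfg["objects"][real], cfg["objects"][mapped], s, d)
            for real, s, d, mapped in cfg["nat"]]


def inbound_permits(cfg, real_obj, dst_if):
    """Permit entries on the inbound ACL of dst_if that reach the real (inside) object.

    ASA 8.3+ access lists match the untranslated address, so a rule written against
    the public object would not match; we look for the inside object or its IP.
    """
    bound = cfg["groups"].get(dst_if)
    if not bound or bound[1] != "in":
        return []
    real_ip = cfg["objects"][real_obj]
    hits = []
    for r in cfg["acls"].get(bound[0], []):
        d = r["dst"]
        reaches = (d["kind"] == "any"
                   or (d["kind"] == "object" and d["value"] == real_obj)
                   or (d["kind"] == "host" and d["value"] == real_ip))
        if r["action"] == "permit" and reaches:
            hits.append(r)
    return hits


def audit(cfg):
    """One finding per static NAT rule: unreachable, overly broad, or ok."""
    findings = []
    for real, s, d, mapped in cfg["nat"]:
        hits = inbound_permits(cfg, real, d)
        if not hits:
            findings.append((real, "no inbound permit; the translation is not reachable"))
        elif any(h["dst"]["kind"] == "any" or h["port"] is None for h in hits):
            findings.append((real, "overly broad permit: scope it to the object and service port"))
        else:
            findings.append((real, "ok"))
    return findings


if __name__ == "__main__":
    cfg = parse_asa_config(SAMPLE_CONFIG)
    for real_ip, mapped_ip, s, d in resolve_static_nat(cfg):
        print(f"{real_ip} ({s}) <-> {mapped_ip} ({d})")
    for name, verdict in audit(cfg):
        print(f"{name}: {verdict}")
```

Run it against the text of `show running-config` saved from the device after step 9; a finding of "no inbound permit" means step 8 was skipped or the rule was bound to the wrong interface, while "overly broad" means the policy opens more than the one service the server is meant to publish.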