Skip to main content



Cisco Defense Orchestrator

Enable a Server on the Inside Network to Reach the Internet Using a Public IP address

Use Case

Use this NAT strategy when you have a server with a private IP address that needs to be accessed from the internet and you have enough public IP addresses to NAT one public IP address to the private IP address. If you have a limited number of public IP addresses, see Make a server on the inside network available to users on a specific port of a public IP address (that solution may be more suitable).


Your server has a static, private IP address, and users outside your network have to be able to reach your server. Create a network object NAT rule that translates the static private IP address to a static public IP address. After that, create an access policy that allows traffic from that public IP address to reach the private IP address. Finally, deploy these changes to your device. 


Before you begin, create two network objects. Name one object servername_inside and the other object servername_outside. The servername_inside network object should contain the private IP address of your server. The servername_outside network object should contain the public IP address of your server. See Create Network Objects for instructions.

Create NAT Rule

  1. On the Devices & Services page, select the device you want to create the NAT rule for.
  2. Click NAT in the Management pane at the right.
  3. Click blue_cross_button.png > Network Object NAT. 
  4. In section 1, Type, select Static. Click Continue.
  5. In section 2, Interfaces, choose inside for the source interface and outside for the destination interface. Click Continue.
  6. In section 3, Packets, perform these actions:
    1. Expand the Original Address menu, click Choose, and select the servername_inside object.
    2. Expand the Translated Address menu, click Choose, and select the servername_outside object.
  7. Skip section 4, Advanced.
  8. For Firepower Threat Defense (FTD), in section 5, Name, give the NAT rule a name.
  9. Click Save.
  10. For ASA, deploy a Network Policy rule or for FTD, deploy an access control policy rule to allow the traffic to flow from servername_inside to servername_outside.
  11. Review and deploy now the changes you made, or wait and deploy multiple changes at once. 

Entries in the ASA's Saved Configuration File 

Here are the entries that are created and appear in an ASA's saved configuration file as a result of this procedure.

Note: This does not apply to FTD devices.


object network servername_outside


object network servername_inside


NAT rule

object network servername_inside

   nat (inside,outside) static servername_outside