Enable a Server on the Inside Network to Reach the Internet Using a Public IP address

Use Case

Use this NAT strategy when you have a server with a private IP address that needs to be accessed from the internet and you have enough public IP addresses to NAT one public IP address to the private IP address. If you have a limited number of public IP addresses, see Make a server on the inside network available to users on a specific port of a public IP address (that solution may be more suitable).

Strategy

Your server has a static, private IP address, and users outside your network have to be able to reach your server. Create a network object NAT rule that translates the static private IP address to a static public IP address. After that, create an access policy that allows traffic from that public IP address to reach the private IP address. Finally, deploy these changes to your device.

Before you begin

Before you begin, create two network objects. Name one object servername_inside and the other object servername_outside. The servername_inside network object should contain the private IP address of your server. The servername_outside network object should contain the public IP address of your server. See Create Network Objects for instructions.

Procedure


Step 1

In the left pane, click Security Devices.

Step 2

Click the Devices tab to locate the device or the Templates tab to locate the model device.

Step 3

Click the appropriate device type tab.

Step 4

Select the device you want to create the NAT rule for.

Step 5

Click NAT in the Management pane at the right.

Step 6

Click > Network Object NAT.

Step 7

In section 1, Type, select Static. Click Continue.

Step 8

In section 2, Interfaces, choose inside for the source interface and outside for the destination interface. Click Continue.

Step 9

In section 3, Packets, perform these actions:

  1. Expand the Original Address menu, click Choose, and select the servername_inside object.

  2. Expand the Translated Address menu, click Choose, and select the servername_outside object.

Step 10

Skip section 4, Advanced.

Step 11

For an FDM-managed device, in section 5, Name, give the NAT rule a name.

Step 12

Click Save.

Step 13

For ASA, deploy a Network Policy rule or for FDM-managed device, deploy an access control policy rule to allow the traffic to flow from servername_inside to servername_outside.

Step 14

Review and deploy now the changes you made, or wait and deploy multiple changes at once.


Entries in the ASA's Saved Configuration File

Here are the entries that are created and appear in an ASA's saved configuration file as a result of this procedure.

Note

This does not apply to FDM-managed devices.

Objects created by this procedure:

object network servername_outside
host 209.165.1.29
object network servername_inside
host 10.1.2.29

NAT rules created by this procedure:

object network servername_inside
 nat (inside,outside) static servername_outside