Wednesday, December 26, 2012

NAT on ASA 8.4 - Static NAT

When you want to publish an inside server to the Internet and only one public address is provided, use static NAT on the ASA for a one-to-one mapping. This guide helps you configure static NAT on ASA 8.4.

Details:
-Inside server:  running sshd service (DMZ2 host) on port 22. IP address: 172.16.1.15
-Public IP address provided: 113.22.14.3
-Security level:
     +inside: 100
     +dmz: 50
     +outside: 0

Scenario:

Step 1: Define a network object that contains the SSH server
ASA84(config)# show run object
object network SSH-SERVER
 host 172.16.1.15
Step 2: Configure NAT inside the created object
ASA84(config)# show run nat
!
object network SSH-SERVER
 nat (dmz,outside) static 113.22.14.3
ASA84(config)#
Note: the NAT rule is created inside the network object, so you have to enter that object again (object network SSH-SERVER) and issue the nat command there. In the nat command above, dmz is the real (source) interface where the SSH server lives and outside is the mapped (destination) interface. This means that packets from the server leaving dmz toward outside have their source address translated to 113.22.14.3; because a static NAT is bidirectional, packets arriving on outside for 113.22.14.3 are translated back to 172.16.1.15.

Done! You've just completed the NAT configuration on the ASA. To actually let it work, the next step is to create an access list that allows connections from the Internet to the dmz zone.

Step 3: Create an access list for incoming connections from the Internet
ASA84(config)# show run access-list
access-list ALLOW-SSH extended permit tcp any host 172.16.1.15 eq ssh
To limit what is exposed, I allow only SSH connections to the server by using the "eq ssh" keyword. Note that the access list refers to the real address 172.16.1.15, not the public address: since ASA 8.3, access lists are evaluated against the untranslated (real) address, so an entry written for 113.22.14.3 would never match.

Step 4: Apply the access list to the interface. I apply it in the inbound direction on the outside interface.
ASA84(config)# show run access-group
access-group ALLOW-SSH in interface outside


Verify configuration

Make a connection from an Internet host to 113.22.14.3.
You can see here that the DMZ SSH server has 2 connections, one of them from 113.22.14.2 (the Internet host).
