
Static NAT ASA

Zeke2016 asked
Last Modified: 2015-04-01
Hello Experts,

I just finished one project where I moved the Exchange server to the new remote site thanks to you (port forwarding). Now, there is another Exchange server that I need to move (Static NAT 1 to 1). Just learned about it. Our network engineer left and I have to finish several projects that he was working on and then look to hire someone. I am not a network guy, so please include as much detail as possible.

The former network engineer did leave a text file for this change... I just would like to make sure what needs to be configured in which order... or if the order in this text file is good... and also in which configuration mode the commands should be typed... For example, in config t, under the object group... etc. (in order)...

Firewall: ASA
Version 8.6

Trying to move 2nd exchange server to our other site. New IPs. Static NAT 1 to 1. Several IPs from the outside that need access. Several ports to be opened and ACLs to be assigned. Please see below the configuration that needs to be implemented.

object network objInternal-

object network objExternal-62.x.x.1
host 62.x.x.1

nat (inside,outside) source static objInternal- objExternal-62.x.x.1

object-group service IN_TRAFFIC tcp
port-object eq https
port-object eq smtp

object-group network Cloud_IPS
network-object host 22.x.x.x
network-object host 23.x.x.x

object-group network Cloud_IPS_2
network-object host 24.x.x.x
network-object host 25.x.x.x

object-group network Nodes_Ex (same IP as above for objExternal)
network-object host 62.x.x.1

object-group network Nodes_In (same IP as above for objInternal)
network-object host

access-list access_interface_out extended permit tcp object-group Cloud_IPS object-group Nodes_In eq smtp
access-list access_interface_out extended permit tcp object-group Cloud_IPS_2 object-group Nodes_In object-group IN_TRAFFIC

access-list access_interface_out extended permit tcp any4 object-group Nodes_In eq https

Also, do I need any additional command to apply these ACLs to the outside interface?

Thank you.
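
The order and configuration modes asked about above, laid out as an added example; it is not part of the original post or of the former engineer's text file. `<internal-ip>` is a placeholder for the address redacted on the page, source port 12345 is a constructed test value, `any` stands in for `any4` on the assumption that 8.6 predates that keyword, and the `access-group` line assumes the interface is named `outside` as in the `nat` statement.

```cisco
! Privileged EXEC: see what is already bound (one ACL per interface and direction).
! If another ACL name is already applied inbound on outside, add the entries to that ACL instead.
show running-config access-group
configure terminal
! 1. Network objects ("object network" enters object configuration mode)
object network objInternal-
 host <internal-ip>
object network objExternal-62.x.x.1
 host 62.x.x.1
 exit
! 2. Static 1-to-1 NAT, typed in global configuration mode once both objects exist
nat (inside,outside) source static objInternal- objExternal-62.x.x.1
! 3. Object groups, defined before any ACL line that references them
object-group service IN_TRAFFIC tcp
 port-object eq https
 port-object eq smtp
object-group network Cloud_IPS
 network-object host 22.x.x.x
 network-object host 23.x.x.x
object-group network Cloud_IPS_2
 network-object host 24.x.x.x
 network-object host 25.x.x.x
object-group network Nodes_Ex
 network-object host 62.x.x.1
object-group network Nodes_In
 network-object host <internal-ip>
 exit
! 4. ACL entries (global configuration mode). From 8.3 on, the ACL matches the
!    real (inside) address, which is why the destination is Nodes_In, not Nodes_Ex.
access-list access_interface_out extended permit tcp object-group Cloud_IPS object-group Nodes_In eq smtp
access-list access_interface_out extended permit tcp object-group Cloud_IPS_2 object-group Nodes_In object-group IN_TRAFFIC
access-list access_interface_out extended permit tcp any object-group Nodes_In eq https
! 5. Bind the ACL inbound on the outside interface; without this it filters nothing
access-group access_interface_out in interface outside
end
! 6. Verify from privileged EXEC, then save
show nat detail
show access-list access_interface_out
packet-tracer input outside tcp 22.x.x.x 12345 62.x.x.1 smtp
write memory
```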
