Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 29 Information About NAT

NAT Types

Static NAT with Identity Port Translation

The following static NAT with port translation example provides a single address for remote users to
access FTP, HTTP, and SMTP. These servers are actually different devices on the real network, but for
each server, you can specify static NAT with port translation rules that use the same mapped IP address,
but different ports. (See Figure 29-3. See the “Single Address for FTP, HTTP, and SMTP (Static
NAT-with-Port-Translation)” section on page 30-18 for details on how to configure this example.)

Figure 29-3 Static NAT with Port Translation

Static NAT with Port Translation for Non-Standard Ports

You can also use static NAT with port translation to translate a well-known port to a non-standard port
or vice versa. For example, if inside web servers use port 8080, you can allow outside users to connect
to port 80, and then undo translation to the original port 8080. Similarly, to provide extra security, you
can tell web users to connect to non-standard port 6785, and then undo translation to port 80.
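
The un-translate lookup described in the two sections above, as an added Python example (not Cisco's code and not ASA configuration): it indexes the Figure 29-3 mappings by mapped address and port, resolves an outside destination to its real host, and reports a reused mapped port and any service remapped to a non-standard port. Host 10.1.2.30 and the rule names are constructed for illustration.

```python
from collections import namedtuple

# One static NAT-with-port-translation rule:
# mapped (outside) endpoint <-> real (inside) endpoint.
Rule = namedtuple("Rule", "name proto mapped_ip mapped_port real_ip real_port")

MAPPED = "209.165.201.3"
RULES = [
    # The three mappings shown in Figure 29-3.
    Rule("ftp", "tcp", MAPPED, 21, "10.1.2.27", 21),
    Rule("http", "tcp", MAPPED, 80, "10.1.2.28", 80),
    Rule("smtp", "tcp", MAPPED, 25, "10.1.2.29", 25),
    # Non-standard-port cases from the text; host 10.1.2.30 is constructed.
    Rule("web-hidden", "tcp", MAPPED, 6785, "10.1.2.30", 80),
    Rule("web-8080", "tcp", MAPPED, 80, "10.1.2.30", 8080),  # reuses mapped port 80
]


def build_table(rules):
    """Index rules by mapped endpoint; return (table, conflicts)."""
    table, conflicts = {}, []
    for rule in rules:
        key = (rule.proto, rule.mapped_ip, rule.mapped_port)
        if key in table:
            # A mapped address/port/protocol can un-translate to only one real host.
            conflicts.append((table[key].name, rule.name))
        else:
            table[key] = rule
    return table, conflicts


def untranslate(table, proto, dst_ip, dst_port):
    """Return the real (ip, port) for an outside destination, or None if no rule matches."""
    rule = table.get((proto, dst_ip, dst_port))
    return (rule.real_ip, rule.real_port) if rule else None


def remapped_services(table):
    """Rules whose mapped port differs from the real port; the real service is still published."""
    return sorted((r.name, r.mapped_port, r.real_port)
                  for r in table.values() if r.mapped_port != r.real_port)


if __name__ == "__main__":
    table, conflicts = build_table(RULES)
    print(untranslate(table, "tcp", MAPPED, 25))
    print(conflicts, remapped_services(table))
```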

Static Interface NAT with Port Translation

You can configure static NAT to map a real address to an interface address/port combination. For
example, if you want to redirect Telnet access for the ASA outside interface to an inside host, then you
can map the inside host IP address/port 23 to the ASA interface address/port 23. (Note that although
Telnet to the ASA is not allowed to the lowest security interface, static NAT with interface port
translation redirects the Telnet session instead of denying it.)

[Figure 29-3: a host on the outside connects to the mapped address 209.165.201.3, and the translation
is undone toward the inside: 209.165.201.3:21 to the FTP server 10.1.2.27, 209.165.201.3:80 to the
HTTP server 10.1.2.28, and 209.165.201.3:25 to the SMTP server 10.1.2.29.]
