NAT (Global Config)

nat (inside,outside) static [real-ip] [mapped-ip]

Configures static NAT to translate a real IP address to a mapped IP address for traffic between inside and outside interfaces.

Overview

The 'nat (inside,outside) static' command on Cisco ASA Firewall is used to create a one-to-one mapping between a real (private) IP address and a mapped (public) IP address. This is a fundamental Network Address Translation (NAT) technique that allows internal hosts to be reachable from external networks using a consistent public IP. The command operates in global configuration mode and is applied to a specific interface pair, typically inside (higher security level) to outside (lower security level). Static NAT is essential for servers that need to be accessible from the internet, such as web, email, or application servers, without requiring port address translation (PAT). Unlike dynamic NAT, static NAT ensures that the same public IP is always used for a given private IP, simplifying security policies and logging. On the ASA, static NAT also automatically creates a bidirectional mapping, meaning traffic initiated from either side is translated. However, by default, the ASA will proxy ARP for the mapped IP, which can cause issues if the upstream router also has a route for that IP. The 'no-proxy-arp' option disables this behavior. Additionally, the 'dns' option enables DNS rewrite, which modifies DNS responses so that internal hosts receive the real IP instead of the mapped IP when querying a domain that resolves to the public IP. This command is a cornerstone of ASA NAT configuration and is often used in conjunction with access-lists to control traffic flow. In troubleshooting, verifying NAT rules with 'show nat' and checking hit counts helps identify if traffic is being translated correctly.

Syntax (Global Config)

nat (inside,outside) static [real-ip] [mapped-ip] [netmask] [dns] [no-proxy-arp] [route-lookup]

When to Use This Command

  • Mapping a private web server (10.1.1.10) to a public IP (203.0.113.10) for internet access.
  • Providing a one-to-one translation for a mail server to ensure inbound SMTP traffic reaches the correct internal host.
  • Enabling a remote user to access an internal application via a static public IP without port forwarding.
  • Allowing an internal server to initiate outbound connections with a consistent source IP for logging or security policies.

Parameters

Parameter | Syntax | Description
interface-pair | (inside,outside) | Specifies the source and destination interfaces. The first interface is the real side, the second is the mapped side. Typically inside (higher security) to outside (lower security).
real-ip | A.B.C.D | The actual IP address of the internal host or network. For a host, use the full IP; for a subnet, use the network address with a netmask.
mapped-ip | A.B.C.D | The translated IP address that will be seen on the outside network. Must be a unique public IP or an IP within the outside subnet.
netmask | netmask A.B.C.D | Specifies the subnet mask for the translation. Defaults to 255.255.255.255 for host entries. Use when translating a subnet.
dns | dns | Enables DNS rewrite. When an internal host queries a DNS server for a domain that resolves to the mapped IP, the ASA rewrites the response with the real IP.
no-proxy-arp | no-proxy-arp | Disables proxy ARP for the mapped IP. Use when the upstream router handles ARP for that IP to avoid conflicts.
route-lookup | route-lookup | Forces the ASA to perform a route lookup for the real IP before translation. Useful in complex routing scenarios.

Command Examples

Basic Static NAT for a Web Server

nat (inside,outside) static 10.1.1.10 203.0.113.10

No output is displayed upon successful configuration. Use 'show nat' to verify.

Static NAT with DNS Rewrite

nat (inside,outside) static 10.1.1.10 203.0.113.10 dns

The 'dns' keyword enables DNS rewrite so that internal hosts receive the real IP when querying the public domain.

Understanding the Output

The 'show nat' command displays all NAT rules. Each entry shows the interface pair (e.g., inside,outside), translation type (static), real IP, mapped IP, and any options (dns, no-proxy-arp). A healthy rule shows 'hitcnt' incrementing as traffic matches. If hitcnt is zero, the rule may not be used. The 'id' field uniquely identifies the rule. 'netmask' defaults to 255.255.255.255 for host entries. 'no-proxy-arp' prevents the ASA from responding to ARP requests for the mapped IP, useful when the upstream router handles ARP.

Configuration Scenarios

Static NAT for a Single Web Server

A company hosts a web server at 10.1.1.10 on the inside network. It needs to be accessible from the internet via public IP 203.0.113.10.

Topology

Internet --- [Outside: 203.0.113.1] ASA [Inside: 10.1.1.1] --- Web Server (10.1.1.10)

Steps

  1. Configure the static NAT rule.
  2. Ensure the outside interface has the correct IP and route.
  3. Optionally, create an ACL to permit inbound HTTP traffic.

Configuration

! Configure static NAT
nat (inside,outside) static 10.1.1.10 203.0.113.10
! Optionally permit HTTP traffic
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE_IN in interface outside

Verify: Use 'show nat' to verify the rule exists. Use 'show nat detail' to see hit counts. Test by accessing http://203.0.113.10 from outside.

Watch out: If the ASA is also the default gateway for the web server, ensure the server's default gateway points to the inside interface IP (10.1.1.1).

Static NAT with DNS Rewrite for Internal Access

An internal mail server (10.1.1.20) is mapped to public IP 203.0.113.20. Internal clients use the same domain (mail.example.com) and should get the private IP when resolving internally.

Topology

Internal Clients --- ASA --- Internet (DNS server)

Internal clients also query internal DNS or rely on ASA DNS rewrite.

Steps

  1. Configure static NAT with the dns option.
  2. Ensure internal DNS points to the ASA or the ASA intercepts DNS traffic.

Configuration

! Configure static NAT with DNS rewrite
nat (inside,outside) static 10.1.1.20 203.0.113.20 dns

Verify: From an internal client, ping mail.example.com. The resolved IP should be 10.1.1.20, not 203.0.113.20.

Watch out: DNS rewrite only works if the ASA sees the DNS response. Ensure DNS traffic passes through the ASA (e.g., via NAT or inspection).
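The two scenarios above can be replayed in a small model of the rule behaviour. This is an added example written for this page, not Cisco code and not the ASA's actual NAT engine: it implements the one-to-one mapping (bidirectional, host offset preserved when a netmask is given), first-match rule ordering, the uniqueness requirement on mapped addresses, and DNS rewrite for rules carrying the dns keyword. The /26 subnet rule (10.1.2.0 to 203.0.113.64) and the 10.1.1.30 host are constructed for the demonstration and do not appear in the scenarios.

```python
"""Model of ASA-style static NAT (added example; not Cisco code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class StaticNat:
    """One 'nat (inside,outside) static real mapped [netmask] [dns]' rule."""
    real: str
    mapped: str
    netmask: str = "255.255.255.255"   # default for host entries, as documented above
    dns: bool = False

    def __post_init__(self):
        # strict=False lets a host address carry a non-/32 netmask without complaint
        self.real_net = ipaddress.ip_network(f"{self.real}/{self.netmask}", strict=False)
        self.mapped_net = ipaddress.ip_network(f"{self.mapped}/{self.netmask}", strict=False)

    @staticmethod
    def _shift(addr, src_net, dst_net):
        """Map addr from src_net into dst_net keeping the host offset (one-to-one)."""
        a = ipaddress.ip_address(addr)
        if a not in src_net:
            return None
        offset = int(a) - int(src_net.network_address)
        return str(ipaddress.ip_address(int(dst_net.network_address) + offset))

    def translate(self, real_addr):
        """Inside -> outside: rewrite the real source address to the mapped one."""
        return self._shift(real_addr, self.real_net, self.mapped_net)

    def untranslate(self, mapped_addr):
        """Outside -> inside: rewrite the mapped destination back to the real address."""
        return self._shift(mapped_addr, self.mapped_net, self.real_net)


class NatTable:
    def __init__(self):
        self.rules = []

    def add(self, rule):
        # A mapped address must be unique: refuse a rule whose mapped range overlaps one in use.
        for r in self.rules:
            if r.mapped_net.overlaps(rule.mapped_net):
                raise ValueError(f"mapped range {rule.mapped_net} overlaps {r.mapped_net}")
        self.rules.append(rule)

    def outbound_source(self, src):
        """Source address seen on the outside for a packet leaving the inside."""
        for r in self.rules:              # rules are evaluated in order; first match wins
            t = r.translate(src)
            if t:
                return t
        return src                        # no rule: address passes unchanged

    def inbound_destination(self, dst):
        """Destination delivered on the inside for a packet arriving from the outside."""
        for r in self.rules:
            t = r.untranslate(dst)
            if t:
                return t
        return dst

    def dns_rewrite(self, answers):
        """DNS rewrite: in a reply heading to the inside, replace mapped IPs with real ones,
        but only for rules configured with the 'dns' keyword."""
        out = []
        for ip in answers:
            for r in self.rules:
                real = r.untranslate(ip) if r.dns else None
                if real:
                    ip = real
                    break
            out.append(ip)
        return out


def demo():
    """Replay the page's two scenarios plus a constructed subnet rule; returns the results."""
    table = NatTable()
    table.add(StaticNat("10.1.1.10", "203.0.113.10"))               # web server scenario
    table.add(StaticNat("10.1.1.20", "203.0.113.20", dns=True))     # mail server with dns
    # constructed subnet rule (not on the page): a /26 mapped one-to-one
    table.add(StaticNat("10.1.2.0", "203.0.113.64", "255.255.255.192"))
    try:
        table.add(StaticNat("10.1.1.30", "203.0.113.10"))          # reuses a mapped IP
        overlap_rejected = False
    except ValueError:
        overlap_rejected = True
    # the 'omitted netmask' mistake: a network address without a netmask is a single /32
    no_mask = StaticNat("10.1.2.0", "203.0.113.64")
    return {
        "web_out": table.outbound_source("10.1.1.10"),        # 203.0.113.10
        "web_in": table.inbound_destination("203.0.113.10"),  # 10.1.1.10
        "mail_dns": table.dns_rewrite(["203.0.113.20"]),      # ['10.1.1.20']
        "web_dns": table.dns_rewrite(["203.0.113.10"]),       # unchanged: no 'dns' keyword
        "subnet_host": table.outbound_source("10.1.2.5"),     # 203.0.113.69
        "no_mask_host": no_mask.translate("10.1.2.5"),        # None: only 10.1.2.0 matches
        "overlap_rejected": overlap_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The web_dns result shows why the dns keyword matters in the mail scenario: without it, an internal client resolving mail.example.com would be handed 203.0.113.20 and try to reach its own server through the outside interface. The no_mask_host result is the netmask mistake from the list of common pitfalls, reproduced: the rule silently covers one host instead of the subnet.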

Troubleshooting with This Command

When troubleshooting static NAT on a Cisco ASA, start by verifying the NAT rule exists with 'show nat'. Look for the specific rule and check the 'hitcnt' field; if it's zero, no traffic is matching the rule. Ensure the interface pair is correct (inside,outside) and that the real IP is reachable from the inside interface. Use 'show nat detail' to see additional information like translation counts and timeouts. If traffic is not being translated, check for overlapping NAT rules; the ASA processes NAT in order, and a dynamic rule might match before the static rule. Use 'show nat pool' to see dynamic translations. Also verify that the mapped IP is not used elsewhere and that the ASA is not proxy-ARPing for it unnecessarily; use 'show arp' to see if the ASA is responding for the mapped IP. If the issue is with inbound traffic, ensure there is an access-list permitting the traffic to the mapped IP; static NAT does not automatically permit traffic. Use 'packet-tracer' to simulate traffic and see the NAT translation path. For example: 'packet-tracer input outside tcp 8.8.8.8 12345 203.0.113.10 80'. This will show if the NAT rule is applied and if the ACL permits the traffic. If the DNS rewrite is not working, verify that DNS inspection is enabled ('inspect dns') and that the ASA is in the path of DNS responses. Use 'capture' to capture DNS traffic and verify the rewrite. Finally, check for any NAT exemption rules that might bypass translation.
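The first two checks in that procedure, a rule with hitcnt at zero and a mapped address claimed by more than one rule, are easy to automate over a saved listing. The script below is an added example, not Cisco tooling: it parses a constructed listing written in the vocabulary this page uses for 'show nat' (id, interface pair, translation type, real and mapped IP, netmask, options, hitcnt). Real ASA output varies by software version, so the regular expression is an assumption that would need adjusting to a device's actual format.

```python
"""Triage a 'show nat'-style listing (added example; listing is constructed)."""
import ipaddress
import re

# Constructed sample in the field vocabulary used on this page; not real ASA output.
SAMPLE_SHOW_NAT = """\
id=1 (inside,outside) static 10.1.1.10 203.0.113.10 netmask 255.255.255.255 hitcnt=42
id=2 (inside,outside) static 10.1.1.20 203.0.113.20 netmask 255.255.255.255 dns hitcnt=0
id=3 (dmz,outside) static 10.1.2.0 203.0.113.64 netmask 255.255.255.192 no-proxy-arp hitcnt=7
id=4 (inside,outside) static 10.1.1.30 203.0.113.10 netmask 255.255.255.255 hitcnt=0
"""

# Assumed line layout; adjust to the format your ASA version prints.
RULE_RE = re.compile(
    r"^id=(?P<id>\d+)\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+(?P<kind>\w+)\s+"
    r"(?P<real>[\d.]+)\s+(?P<mapped>[\d.]+)\s+netmask\s+(?P<netmask>[\d.]+)"
    r"(?P<opts>(?:\s+(?:dns|no-proxy-arp|route-lookup))*)\s+hitcnt=(?P<hits>\d+)\s*$"
)


def parse_show_nat(text):
    """Return one dict per rule line; lines that do not match the layout are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["id"] = int(d["id"])
        d["hits"] = int(d["hits"])
        d["opts"] = d["opts"].split()
        d["mapped_net"] = ipaddress.ip_network(f"{d['mapped']}/{d['netmask']}", strict=False)
        rules.append(d)
    return rules


def triage(rules):
    """Findings a troubleshooter looks for first:
    - rules no traffic has matched (hitcnt 0),
    - mapped ranges claimed by more than one rule (the earlier rule wins, so the
      later one shows no hits),
    - rules for which the ASA will proxy ARP because no-proxy-arp is not set."""
    zero_hits = [r["id"] for r in rules if r["hits"] == 0]
    conflicts = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a["mapped_net"].overlaps(b["mapped_net"]):
                conflicts.append((a["id"], b["id"], str(a["mapped_net"])))
    proxy_arp_for = [r["id"] for r in rules if "no-proxy-arp" not in r["opts"]]
    return {"zero_hits": zero_hits, "conflicts": conflicts, "proxy_arp_for": proxy_arp_for}


def report(text=SAMPLE_SHOW_NAT):
    """Parse a listing and return the triage findings."""
    return triage(parse_show_nat(text))


if __name__ == "__main__":
    findings = report()
    print("rules with hitcnt 0:", findings["zero_hits"])
    for first, second, net in findings["conflicts"]:
        print(f"rule {second} is shadowed by rule {first} for {net}")
    print("ASA proxy-ARPs for mapped IPs of rules:", findings["proxy_arp_for"])
```

On the sample, rule 4 has no hits because rule 1 already owns 203.0.113.10, which is exactly the "check for overlapping NAT rules" step: the zero counter is a symptom, the duplicate mapped address is the cause. Rule 2 has no hits and no conflict, so the next step there is packet-tracer and a DNS capture, as described above.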

CCNA Exam Tips

1. Remember that static NAT creates an implicit permit for inbound traffic; no ACL is needed for the translated traffic.

2. The 'dns' keyword is critical for scenarios where internal hosts need to resolve the public IP to the private IP.

3. Static NAT entries are unidirectional by default; for bidirectional traffic, use 'nat (inside,outside) static ...' with 'no-proxy-arp' if needed.

Common Mistakes

Forgetting to specify the interface pair, causing the NAT rule to apply to wrong interfaces.

Omitting the netmask when translating a subnet, leading to incorrect translation of only the first host.

Using static NAT without considering ARP issues; the ASA will proxy ARP for the mapped IP by default, which may conflict with upstream routers.
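All three mistakes can be caught before the line is pasted into the device. The checker below is an added example, not Cisco's command parser: it validates a line against the syntax documented on this page (interface pair, static, real-ip, mapped-ip, optional netmask, dns, no-proxy-arp, route-lookup) and reports the missing interface pair as an error, while the omitted netmask and the default proxy-ARP behaviour are reported as warnings. The "network address without a netmask" heuristic (last octet zero) is an assumption chosen for the demonstration; the sample configuration lines are constructed.

```python
"""Check 'nat (real-if,mapped-if) static ...' lines against the syntax documented on this
page. Added example: not Cisco's parser; it knows only the keywords the page lists."""
import ipaddress
import re

FLAGS = {"dns", "no-proxy-arp", "route-lookup"}
PAIR_RE = re.compile(r"\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)")


def check_nat_line(line):
    """Return {'ok', 'rule', 'errors', 'warnings'} for one configuration line."""
    errors, warnings = [], []
    toks = line.split()
    if not toks or toks[0] != "nat":
        return {"ok": False, "rule": None, "errors": ["not a 'nat' command"], "warnings": []}
    pair = PAIR_RE.fullmatch(toks[1]) if len(toks) > 1 else None
    if not pair:
        errors.append("missing interface pair: expected '(inside,outside)' right after 'nat'")
        return {"ok": False, "rule": None, "errors": errors, "warnings": warnings}
    if len(toks) < 5 or toks[2] != "static":
        errors.append("expected 'static real-ip mapped-ip' after the interface pair")
        return {"ok": False, "rule": None, "errors": errors, "warnings": warnings}
    real, mapped, rest = toks[3], toks[4], toks[5:]
    netmask, opts = "255.255.255.255", []      # host entry unless a netmask is given
    i = 0
    while i < len(rest):
        if rest[i] == "netmask" and i + 1 < len(rest):
            netmask = rest[i + 1]
            i += 2
        elif rest[i] in FLAGS:
            opts.append(rest[i])
            i += 1
        else:
            errors.append(f"unknown or incomplete keyword '{rest[i]}'")
            i += 1
    real_net = None
    try:
        real_net = ipaddress.ip_network(f"{real}/{netmask}", strict=False)
        ipaddress.ip_network(f"{mapped}/{netmask}", strict=False)
    except ValueError as exc:
        errors.append(f"bad address or netmask: {exc}")
    if errors:
        return {"ok": False, "rule": None, "errors": errors, "warnings": warnings}
    # The two remaining common mistakes are legal syntax, so they are warnings, not errors.
    # Heuristic (assumption): a real-ip ending in .0 with no netmask is probably a subnet.
    if netmask == "255.255.255.255" and int(real_net.network_address) & 0xFF == 0:
        warnings.append(f"{real} looks like a network address but no netmask was given; "
                        "only that single host will be translated")
    if "no-proxy-arp" not in opts:
        warnings.append(f"the ASA will proxy ARP for {mapped}; add no-proxy-arp if the "
                        "upstream router answers ARP for that address")
    rule = {"real_if": pair["real_if"], "mapped_if": pair["mapped_if"], "real": real,
            "mapped": mapped, "netmask": netmask, "options": opts}
    return {"ok": True, "rule": rule, "errors": [], "warnings": warnings}


# Constructed sample: one good line and one instance of each mistake listed above.
SAMPLE_CONFIG = """\
nat (inside,outside) static 10.1.1.10 203.0.113.10 no-proxy-arp
nat static 10.1.1.20 203.0.113.20
nat (inside,outside) static 10.1.2.0 203.0.113.64
nat (inside,outside) static 10.1.1.30 203.0.113.30
"""


def check_config(text=SAMPLE_CONFIG):
    """Check every non-empty line; returns a list of (line, result) pairs."""
    return [(ln, check_nat_line(ln)) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for ln, res in check_config():
        status = "OK " if res["ok"] else "ERR"
        print(f"{status} {ln}")
        for msg in res["errors"] + res["warnings"]:
            print(f"      {msg}")
```

Because a static rule is bidirectional, the checker treats the mapped address the same way regardless of which side initiates; the proxy-ARP warning is deliberately noisy, since the page's advice is to decide explicitly whether the ASA or the upstream router answers ARP for each mapped IP.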

Platform Notes

On Cisco ASA, static NAT is configured differently than on Cisco IOS routers. In IOS, static NAT is configured under global configuration with 'ip nat inside source static'. On ASA, the command is interface-specific and uses the 'nat' command with interface pairs. ASA also supports object-based NAT (object network) which is the modern approach, but the legacy 'nat' command is still widely used. The ASA's NAT implementation is more flexible with options like 'dns' and 'no-proxy-arp' that are not available in IOS. Additionally, ASA NAT rules are processed in order of specificity, with static NAT taking precedence over dynamic. In ASA version 8.3 and later, the NAT architecture changed significantly; the 'nat' command in global config mode is the legacy method, while object NAT is recommended for new deployments. However, the legacy command is still supported. For multi-context mode, NAT is configured per context. The ASA also supports NAT in transparent firewall mode, but the interface pair concept differs. When migrating from IOS to ASA, note that ASA does not support 'ip nat inside source static' and requires the interface pair syntax.
