Configuring NAT on the Cisco PIX or ASA firewalls.

If you do not want to expose your server’s IP address to an external client you can use Network Address Tranalation (NAT) to hide it. For example if your servers IP address is then you can publish it to an external client as The reason you would do this is to enhance the security of your server, you want to make the hacker earn their self pride or whatever it is that motivates them.

There are many ways to achieve this, NAT, VIP, MIP etc. In this article I will explain NAT (natting) on a Cisco PIX, ASA or router.

First you need to log onto the firewall or router. Enter en (enable) to get into the privilege mode, you will then be prompted for the password. Enter Config T to get into the configure terminal mode. You can now start confguring the network appliance.

Below is what your should see in the running config after you complete the configuration.

static (inside,outside) netmask 0 0

The above line means that the IP address (outside interface) is mapped to (inside interface). Clients in the outside interface will connect to resources on by referencing the natted (NAT) IP

You also need to configure the access list or policy to allow traffic from the outside interface to flow into the inside interface. The access list then needs to be applied to the outside intefrace.

access-list Allowed_Traffic permit tcp host any host eq www log

The above means that the name of the access list is Allowed_Traffic. Permit TCP traffic from any host to, only allow if service request is for www (TCP port 80), and log all traffic.

You then need to apply the access list to the outside interface.

access-group Allowed_Traffic in interface outside

2 comments for “Configuring NAT on the Cisco PIX or ASA firewalls.

  1. Pingback: How do you get client a machine and server to communicate without disabling firewall on server? | Technical Help

Comments are closed.