How to Configure NAT on Cisco ASA
Network address translation (NAT) translates private (inside) addresses to public (outside)
addresses. On a Cisco ASA firewall you can configure two types of NAT:
- Dynamic NAT (including PAT, port address translation)
- Static NAT
The commands below use the nat/global/static syntax of ASA software releases before 8.3. From
8.3 onward NAT is configured on network objects; the concepts are the same, the commands are not.
NAT example (figure not reproduced): the web server sends its responses to the client's
public, mapped address, and the ASA translates them back to the inside host.
Dynamic NAT translates inside addresses to a predefined set or pool of public addresses that you
define. The "nat" command selects which inside hosts are translated, and the "global" command
defines the range of public addresses they are translated to. The number "1" is the NAT ID (the
number of the NAT rule) and must match on the "nat" and "global" commands. A dynamic translation
is created only when an inside host initiates a connection, and it is removed when the
translation times out, so outside hosts have no predictable address at which to reach the host:
ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 193.222.168.113-193.222.168.116 255.255.255.240
PAT translates a range of inside addresses to a single public address by giving each connection a
different source port on that address:
ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 193.222.168.113
Instead of an IP address, the global command accepts the keyword "interface". The inside
addresses are then PAT-ed to the address of the outside interface, which is the usual choice
when the ISP assigns a single address:
ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 interface
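To make the difference between the three rule types visible, here is a small model of the ASA translation table (the entries "show xlate" lists) written for this article; it is an added example, not Cisco code. It uses the addresses from the commands above; the inside host addresses, the PAT address 193.222.168.117 standing in for the outside interface, and the sequential PAT port allocator are assumptions made for the demonstration (a real ASA picks a free port). It shows a dynamic pool running out after four hosts, PAT falling back to shared-address/unique-port entries, and why only a static mapping gives the outside a predictable target.

```python
"""Toy model of the ASA translation table (xlate) for dynamic NAT, PAT and static NAT.

Added example, not Cisco code. Addresses are the ones used in the article; the inside
hosts, the PAT address and the port allocator are assumptions for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Xlate:
    """One entry of the translation table, like a line of 'show xlate'."""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


class AsaNat:
    """One inside->outside NAT policy: optional dynamic pool, optional PAT address, static maps."""

    def __init__(self, inside_net, pool=(), pat_ip=None, statics=None):
        self.inside_net = IPv4Network(inside_net)   # 'nat (inside) 1 <net> <mask>'
        self.free_pool = list(pool)                 # 'global (outside) 1 <first>-<last>'
        self.pat_ip = pat_ip                        # 'global (outside) 1 <ip>' or 'interface'
        self.next_pat_port = 1024                   # assumed allocator; a real ASA picks a free port
        self.statics = dict(statics or {})          # real_ip -> mapped_ip, 'static (inside,outside)'
        self.xlates = []

    @staticmethod
    def pool_range(first, last):
        """Expand the address range written on a 'global' command into a list."""
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        return [str(IPv4Address(i)) for i in range(lo, hi + 1)]

    def outbound(self, real_ip, real_port):
        """Inside host opens a connection; return the xlate created, or None if it cannot be translated."""
        if IPv4Address(real_ip) not in self.inside_net:
            return None                              # not covered by the nat statement
        if real_ip in self.statics:                  # static: fixed address, port unchanged
            x = Xlate(real_ip, real_port, self.statics[real_ip], real_port)
        elif self.free_pool:                         # dynamic NAT: borrow a pool address, port unchanged
            x = Xlate(real_ip, real_port, self.free_pool.pop(0), real_port)
        elif self.pat_ip:                            # PAT: shared address, unique mapped port per flow
            x = Xlate(real_ip, real_port, self.pat_ip, self.next_pat_port)
            self.next_pat_port += 1
        else:
            return None                              # pool exhausted and no PAT fallback: dropped
        self.xlates.append(x)
        return x

    def inbound(self, mapped_ip, mapped_port):
        """Outside host opens a new connection to mapped_ip:mapped_port (the ACL is assumed to permit it).

        Returns (real_ip, real_port) or None. Only a static mapping is a predictable target; a
        dynamic or PAT entry answers just while it exists, at an address or port the outside
        cannot know in advance, so it cannot be used to publish a service.
        """
        for real_ip, mapped in self.statics.items():
            if mapped == mapped_ip:
                return real_ip, mapped_port          # 1:1 static: same port on both sides
        for x in self.xlates:
            if x.mapped_ip != mapped_ip:
                continue
            if x.mapped_ip == self.pat_ip and x.mapped_port != mapped_port:
                continue                             # PAT entry: only its own mapped port
            real_port = x.real_port if x.mapped_ip == self.pat_ip else mapped_port
            return x.real_ip, real_port
        return None

    def clear_xlates(self):
        """Timeout or 'clear xlate': dynamic entries vanish and their pool addresses return."""
        for x in self.xlates:
            if x.mapped_ip != self.pat_ip and x.real_ip not in self.statics:
                self.free_pool.append(x.mapped_ip)
        self.xlates = []


if __name__ == "__main__":
    pool = AsaNat.pool_range("193.222.168.113", "193.222.168.116")
    asa = AsaNat("192.168.15.0/24", pool=pool, pat_ip="193.222.168.117")
    for i in range(10, 16):                          # six hosts, four pool addresses
        print(asa.outbound("192.168.15.%d" % i, 40000))
    print(asa.inbound("193.222.168.117", 80))        # None: PAT address, unknown port
```

The fifth and sixth hosts in the demo receive PAT entries on 193.222.168.117 because the pool is exhausted; without the PAT fallback (pat_ip=None) their connections are simply dropped, which is what happens on an ASA when a single global pool is too small for the inside network.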
Static NAT permanently maps a public IP address and port to an inside address and port (port
forwarding). The ASA also supports 1:1 static NAT, sometimes called "mirroring", which translates
every port of a private address to the same port on a public address, in both directions. In
either case, traffic from the lower-security "outside" interface to the higher-security "inside"
interface must also be permitted by an access control list, or the ASA drops it even though the
translation exists.
Port forwarding:
Port forwarding publishes selected ports of a public address to inside hosts. After configuring
the static translations, you must write an access list that permits the traffic from outside to
the inside hosts. Finally, to activate the access list, bind it to the "outside" interface with
the "access-group" command:
ASA1(config)#static (inside,outside) tcp 209.165.201.3 http 10.2.2.28 http netmask 255.255.255.255
ASA1(config)#static (inside,outside) tcp 209.165.201.3 ftp 10.2.2.27 ftp netmask 255.255.255.255
ASA1(config)#static (inside,outside) tcp 209.165.201.3 smtp 10.2.2.29 smtp netmask 255.255.255.255
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq http
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq ftp
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq smtp
ASA1(config)#access-group outside_in_acl in interface outside
Static 1:1 NAT (every public port mapped to the same inside port):
ASA1(config)#static (inside,outside) 209.165.201.4 10.2.2.45 netmask 255.255.255.255
To allow traffic from the lower-security interface "outside" to the higher-security interface
"inside", an access control list must be applied, as in the port-forwarding example: a static
translation alone opens nothing. Note that in the pre-8.3 syntax shown here the access list
matches the mapped (public) address; from ASA 8.3 onward access lists match the real (inside)
address instead.
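The two mistakes that most often leave a NAT deployment silently broken are a "nat" ID with no matching "global" (nothing gets translated) and a static mapping that no access list bound to the mapped interface permits (outside-initiated connections are dropped). The following checker, written for this article and not part of it or of Cisco's tooling, parses the command forms used on this page (pasted prompts included), applies both checks to the page's own configuration and to a constructed broken one, and reports findings. The configuration strings are constructed for the example; the parser only understands the command shapes shown on this page, not the full ASA grammar.

```python
"""Consistency check for pre-8.3 ASA NAT configuration (added example, not Cisco code).

Parses nat/global/static/access-list/access-group lines in the forms used in this
article and reports: a nat ID without a global of the same ID, a global without a nat,
and a static mapping not permitted by the access list bound to its mapped interface.
"""
import re
from collections import defaultdict

PORT_NAMES = {"http": 80, "www": 80, "https": 443, "ftp": 21, "smtp": 25, "ssh": 22, "domain": 53}

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
STATIC_PORT_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+?) host (\S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def port_number(token):
    """Turn 'http' or '8080' into an integer so names and numbers compare equal."""
    if token.isdigit():
        return int(token)
    if token.lower() in PORT_NAMES:
        return PORT_NAMES[token.lower()]
    raise ValueError(f"unknown port name {token!r}")


def _ace_permits(ace, static):
    """Does this access-list entry permit the traffic the static mapping is meant to receive?"""
    if ace["action"] != "permit" or ace["dst"] != static["mapped_ip"]:
        return False
    if static["proto"] is None:                     # 1:1 static: any permit to the address counts
        return True
    proto_ok = ace["proto"] in ("ip", static["proto"])
    port_ok = ace["port"] in (None, static["mapped_port"])
    return proto_ok and port_ok


def lint_nat_config(config_text):
    """Return a list of findings; an empty list means nat/global/static/ACL are consistent."""
    nat_ids, global_ids = defaultdict(list), defaultdict(list)
    statics, aces, bound = [], defaultdict(list), {}
    for raw in config_text.splitlines():
        line = re.sub(r"^\S*\(config\)#\s*", "", raw.strip())   # drop a pasted CLI prompt
        if not line:
            continue
        if m := NAT_RE.match(line):
            nat_ids[m[2]].append(m[1])
        elif m := GLOBAL_RE.match(line):
            global_ids[m[2]].append(m[1])
        elif m := STATIC_PORT_RE.match(line):
            statics.append({"mapped_if": m[2], "proto": m[3], "mapped_ip": m[4],
                            "mapped_port": port_number(m[5]), "real_ip": m[6]})
        elif m := STATIC_RE.match(line):
            statics.append({"mapped_if": m[2], "proto": None, "mapped_ip": m[3],
                            "mapped_port": None, "real_ip": m[4]})
        elif m := ACE_RE.match(line):
            aces[m[1]].append({"action": m[2], "proto": m[3], "dst": m[5],
                               "port": port_number(m[6]) if m[6] else None})
        elif m := GROUP_RE.match(line):
            bound[m[2]] = m[1]                                     # interface -> ACL name

    findings = []
    for nid, ifaces in nat_ids.items():
        if nid not in global_ids:
            findings.append(f"nat id {nid} on {ifaces} has no global with the same id: "
                            "these hosts are not translated")
    for nid, ifaces in global_ids.items():
        if nid not in nat_ids:
            findings.append(f"global id {nid} on {ifaces} has no nat with the same id: unused pool")
    for s in statics:
        target = f"static {s['mapped_ip']} -> {s['real_ip']}"
        acl = bound.get(s["mapped_if"])
        if acl is None:
            findings.append(f"{target}: no access-group on interface {s['mapped_if']}; "
                            "inbound connections are dropped")
            continue
        if not any(_ace_permits(a, s) for a in aces.get(acl, [])):
            findings.append(f"{target}: no permit entry in {acl} matches the mapped address; "
                            "add one if outside-initiated access is intended")
    return findings


# Constructed from the commands shown in this article (PAT to the outside interface).
PAGE_CONFIG = """
ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 interface
ASA1(config)#static (inside,outside) tcp 209.165.201.3 http 10.2.2.28 http netmask 255.255.255.255
ASA1(config)#static (inside,outside) tcp 209.165.201.3 ftp 10.2.2.27 ftp netmask 255.255.255.255
ASA1(config)#static (inside,outside) tcp 209.165.201.3 smtp 10.2.2.29 smtp netmask 255.255.255.255
ASA1(config)#static (inside,outside) 209.165.201.4 10.2.2.45 netmask 255.255.255.255
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq http
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq ftp
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq smtp
ASA1(config)#access-group outside_in_acl in interface outside
"""

# Constructed mistakes: NAT ID mismatch and a forgotten access-group.
BROKEN_CONFIG = """
nat (inside) 1 192.168.15.0 255.255.255.0
global (outside) 2 interface
static (inside,outside) tcp 209.165.201.3 http 10.2.2.28 http netmask 255.255.255.255
access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq http
"""

if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(name + ":")
        for finding in lint_nat_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the page's own configuration the checker reports exactly one finding: the 1:1 static for 209.165.201.4 has no permit entry in outside_in_acl, so until one is added nothing from outside can reach 10.2.2.45 through it. The broken configuration yields three findings (orphan nat ID 1, orphan global ID 2, and a static with no access-group on the outside interface).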