Cisco ASA - Configure External Access to a Server

The examples below use a specific object naming scheme, designed to be as clear as is feasible in ASA 8.3+.

Full Static NAT outside:2.2.2.2 <-> inside:192.168.0.100 with ACL for ASA 8.3+

! Define network object for the host
! NAT behavior is configured here, but it will appear further down in the output of sh run

object network hst-192.168.0.100
 host 192.168.0.100 
 description SRV01 LAN IP
 nat (inside,outside) static 2.2.2.2

! Define an object-group for services to be permitted in ACL

object-group service svcgrp-192.168.0.100-tcp tcp
 description SRV01 Services
 port-object eq 3389

! Put it all together - remember un-NAT comes before the ACL check
! Use real IPs in ACLs applied with access-group -- even on outside

access-list outside_access_in extended permit tcp any object hst-192.168.0.100 object-group svcgrp-192.168.0.100-tcp
access-group outside_access_in in interface outside

Static PAT on the ASA's outside interface with ACL

! Define network object for the host

object network hst-192.168.0.100
 host 192.168.0.100 
 description SRV01 LAN IP

! Create a network object specific to the static PAT
! Kind of ridiculous with a lot of static PATs, but the ASA 8.3+ code is not
! geared for a lot of static PAT.

object network hst-192.168.0.100-tcp3389
 host 192.168.0.100
 description SRV01 PAT TCP/3389
 nat (inside,outside) static interface service tcp 3389 3389

! Define an object-group for services to be permitted in ACL

object-group service svcgrp-192.168.0.100-tcp tcp
 description SRV01 Services
 port-object eq 3389

! Put it all together - remember un-NAT comes before the ACL check
! Use real IPs in ACLs applied with access-group -- even on outside

access-list outside_access_in extended permit tcp any object hst-192.168.0.100 object-group svcgrp-192.168.0.100-tcp
access-group outside_access_in in interface outside
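
An added example, not part of the original page: because un-NAT happens before the ACL check, an ACE that still names the mapped address (2.2.2.2) never matches traffic to the server. This Python check flags such entries in a saved config; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample config: the page's static NAT object, one ACE written with
# the mapped IP (pre-8.3 habit) and one written with the real-IP object (8.3+).
SAMPLE = """\
object network hst-192.168.0.100
 host 192.168.0.100
 nat (inside,outside) static 2.2.2.2
access-list outside_access_in extended permit tcp any host 2.2.2.2 eq 3389
access-list outside_access_in extended permit tcp any object hst-192.168.0.100 eq 3389
access-group outside_access_in in interface outside
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def static_nat_map(config):
    """Return {mapped_ip: (object_name, real_ip)} for object static NAT rules."""
    real, mapped, name = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:2] == ["object", "network"] and len(words) == 3:
            name = words[2]
        elif not line.startswith(" "):
            name = None                      # left the object stanza
        elif name and words[0] == "host" and len(words) > 1:
            real[name] = words[1]
        elif name and words[0] == "nat" and "static" in words[:-1]:
            target = words[words.index("static") + 1]
            # "static interface" (PAT) has no literal mapped IP, so it is skipped
            if IPV4.fullmatch(target) and name in real:
                mapped[target] = (name, real[name])
    return mapped

def mapped_ip_aces(config):
    """Find ACEs in interface-bound ACLs that reference a mapped (public) IP."""
    mapped = static_nat_map(config)
    bound = set(re.findall(r"^access-group (\S+) in interface", config, re.M))
    hits = []
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["access-list"] and len(words) > 1 and words[1] in bound:
            hits += [(ip, mapped[ip][0], line) for ip in mapped if ip in words]
    return hits

if __name__ == "__main__":
    for ip, obj, line in mapped_ip_aces(SAMPLE):
        print(f"mapped IP {ip} in ACE; use 'object {obj}' instead:\n  {line}")
```

It also handles the sh run layout, where the nat line sits in a second stanza of the same object further down the config.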