Cisco ASA - Configure External Access to a Server
Below are examples that use a deliberate object naming scheme, chosen to keep the configuration as readable as is feasible in ASA 8.3+.
Full Static NAT outside:2.2.2.2 <-> inside:192.168.0.100 with ACL for ASA 8.3+
! Define network object for the host
! Configure the NAT behavior here; note that in the output of 'sh run' it appears further down, not inside the object
object network hst-192.168.0.100
host 192.168.0.100
description SRV01 LAN IP
nat (inside,outside) static 2.2.2.2
! Define an object-group for services to be permitted in ACL
object-group service svcgrp-192.168.0.100-tcp tcp
description SRV01 Services
port-object eq 3389
! Put it all together - remember un-NAT happens before the ACL check
! Use real (inside) IPs in ACLs applied with access-group, even on the outside interface
access-list outside_access_in extended permit tcp any object hst-192.168.0.100 object-group svcgrp-192.168.0.100-tcp
access-group outside_access_in in interface outside
Static PAT on the ASA's outside interface with ACL for ASA 8.3+
! Define network object for the host
object network hst-192.168.0.100
host 192.168.0.100
description SRV01 LAN IP
! Create network object specific for the static PAT
! Tedious with many static PATs, but the ASA 8.3+ code is not
! geared for a lot of static PAT.
object network hst-192.168.0.100-tcp3389
host 192.168.0.100
description SRV01 PAT TCP/3389
nat (inside,outside) static interface service tcp 3389 3389
! Define an object-group for services to be permitted in ACL
object-group service svcgrp-192.168.0.100-tcp tcp
description SRV01 Services
port-object eq 3389
! Put it all together - remember un-NAT happens before the ACL check
! Use real (inside) IPs in ACLs applied with access-group, even on the outside interface
access-list outside_access_in extended permit tcp any object hst-192.168.0.100 object-group svcgrp-192.168.0.100-tcp
access-group outside_access_in in interface outside
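Both examples above hinge on the same 8.3+ rule: un-NAT runs before the ACL check, so an outside ACL must reference the real inside address, and an entry written pre-8.3 style against the mapped address never matches. The following is an added checker, not part of the original page, that parses a saved config for object-based static NAT and flags ACEs whose destination is a mapped address; the sample config inside it is constructed from the first example plus one deliberately wrong ACE, and the parser only understands the object/host/any address forms shown on this page.

```python
import re
# Constructed sample, not a real device config: the page's static NAT object, one ACE
# written correctly against the real IP via its object, one pre-8.3 style against 2.2.2.2.
SAMPLE_CONFIG = """\
object network hst-192.168.0.100
 host 192.168.0.100
 nat (inside,outside) static 2.2.2.2
access-list outside_access_in extended permit tcp any object hst-192.168.0.100 object-group svcgrp-192.168.0.100-tcp
access-list outside_access_in extended permit tcp any host 2.2.2.2 eq 3389
"""

def parse_static_nat(config):
    objects, current = {}, None   # current = name of the 'object network' block being read
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
            objects[current] = {"host": None, "mapped": None}
        elif current and line.startswith(" "):   # indented lines belong to the object
            for key, pat in (("host", r"\s+host (\S+)"), ("mapped", r"\s+nat \(\S+\) static (\S+)")):
                m = re.match(pat, line)
                if m:
                    objects[current][key] = m.group(1)   # 'mapped' may be 'interface' for static PAT
        else:
            current = None
    return objects

def _addr(tokens, i):
    # One ACE address spec (any | host X | object X | object-group X | net mask), then an optional port qualifier.
    if tokens[i] in ("any", "any4", "any6"):
        kind, value, i = "any", None, i + 1
    else:
        kind, value, i = tokens[i], tokens[i + 1], i + 2   # for 'net mask', kind is the net
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt", "neq", "range"):
        i += 3 if tokens[i] == "range" else 2
    return kind, value, i

def find_mapped_ip_acls(config):
    # ACEs whose destination is a mapped (post-NAT) address; un-NAT runs first on 8.3+, so they never match.
    objects = parse_static_nat(config)
    mapped_ips = {o["mapped"] for o in objects.values() if o["mapped"] not in (None, "interface")}
    findings = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended (?:permit|deny) \S+ (.*)", line)
        if m:
            tokens = m.group(2).split()
            _, _, i = _addr(tokens, 0)          # source
            kind, value, _ = _addr(tokens, i)   # destination
            if kind == "host" and value in mapped_ips:
                findings.append((m.group(1), value))
    return findings
```

Running `find_mapped_ip_acls(SAMPLE_CONFIG)` reports the second ACE, since 2.2.2.2 is the mapped address of hst-192.168.0.100; the static PAT form (`static interface ...`) is skipped because its mapped address is the interface itself.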