PIX - Static NAT
Vendor: Cisco
Platform: PIX / ASA
Version: 8.2 and lower
Wednesday, 28 May 2008 22:09

Examples

If we want to access our web server via the outside interface (for example, access to a DMZ PC via a public IP):

static (dmz,outside) [NAT_IP] [Real_IP]

If we want to access an internal host via the dmz interface (for example, access to an internal host from a DMZ server):

static (inside,dmz) [NAT_IP] [Real_IP]

Below is an example of static NAT for FTP when using the outside interface with a DHCP address assigned to it.

static (dmz,outside) tcp interface ftp 172.16.1.50 ftp netmask 255.255.255.255
static (dmz,outside) tcp interface ftp-data 172.16.1.50 ftp-data netmask 255.255.255.255

NAT Control

When going from a lower security level to a higher one we need 2 things: a static NAT and a permit entry in an ACL.

Note: We only need a static NAT when nat-control has been enabled. This can be checked by running the command "sh run nat-control". This is enabled by default. To disable it, run "no nat-control".
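The two requirements above can be checked against a saved configuration. The following is an added example, not part of the original page: it lists every static that has no permit ACE, bound inbound on the mapped interface, whose destination is the NAT IP (on 8.2 and lower the ACL references the translated address). The sample config, the ACL name outside_in and the 203.0.113.x addresses are constructed; it assumes literal address forms only (any, host, interface, ip + mask), no object-groups, and it does not compare protocols or ports.

```python
import ipaddress
import re

# Constructed sample in 8.2-style syntax; addresses and ACL name are made up.
SAMPLE_CONFIG = """\
static (dmz,outside) 203.0.113.10 172.16.1.50 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 172.16.1.51 netmask 255.255.255.255
static (dmz,outside) tcp interface ftp 172.16.1.50 ftp netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any interface outside eq ftp
access-group outside_in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (?:(?:tcp|udp) )?(\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def take_addr(tok, i):  # consume one address spec -> (spec, next index)
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] in ("host", "interface"):
        return f"{tok[i]} {tok[i + 1]}", i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2  # "ip mask"

def permit_dests(lines, acl):  # destination spec of each permit ACE in acl
    for line in lines:
        tok = line.split()
        if tok[:2] == ["access-list", acl] and tok[2:3] != ["remark"] and "permit" in tok:
            i = tok.index("permit") + 2          # skip "permit <protocol>"
            _, i = take_addr(tok, i)             # source address
            if tok[i] in ("eq", "lt", "gt", "neq", "range"):
                i += 3 if tok[i] == "range" else 2   # optional source port
            yield take_addr(tok, i)[0]

def covers(dest, mapped_if, mapped):  # does this ACE destination reach the NAT IP?
    if mapped == "interface":
        return dest in ("any", f"interface {mapped_if}")
    if isinstance(dest, str):
        return dest in ("any", f"host {mapped}")
    return ipaddress.ip_address(mapped) in dest

def statics_without_permit(config):  # statics lacking an inbound permit ACE
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    bound = {m.group(2): m.group(1) for m in map(GROUP_RE.match, lines) if m}
    missing = []
    for line, m in ((l, STATIC_RE.match(l)) for l in lines):
        if m and not any(covers(d, m.group(2), m.group(3))
                         for d in permit_dests(lines, bound.get(m.group(2), ""))):
            missing.append(line)
    return missing
```

On the sample, only the static for 203.0.113.11 is returned: it has a translation but no ACE permitting traffic to it.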



 