One-To-Many Static Nat - Cisco ASA Series Configuration Manual

Chapter 9 Network Address Translation (NAT)
Figure 9-7
209.165.201.3:80
Static NAT with Port Translation for Non-Standard Ports
You can also use static NAT with port translation to translate a well-known port to a non-standard port
or vice versa. For example, if inside web servers use port 8080, you can allow outside users to connect
to port 80, and then undo translation to the original port 8080. Similarly, to provide extra security, you
can tell web users to connect to non-standard port 6785, and then undo translation to port 80.
Static Interface NAT with Port Translation
You can configure static NAT to map a real address to an interface address/port combination. For
example, if you want to redirect Telnet access for the ASA outside interface to an inside host, then you
can map the inside host IP address/port 23 to the ASA interface address/port 23. (Note that although
Telnet to the ASA is not allowed to the lowest security interface, static NAT with interface port
translation redirects the Telnet session instead of denying it).

One-to-Many Static NAT

Typically, you configure static NAT with a one-to-one mapping. However, in some cases, you might want
to configure a single real address to several mapped addresses (one-to-many). When you configure
one-to-many static NAT, when the real host initiates traffic, it always uses the first mapped address.
However, for traffic initiated to the host, you can initiate traffic to any of the mapped addresses, and they
will be untranslated to the single real address.
Static NAT with Port Translation
Undo Translation
209.165.201.3:21
Undo Translation
10.1.2.28
Host
Outside
10.1.2.27
209.165.201.3:25
Inside
FTP server
10.1.2.27
HTTP server
10.1.2.28
Cisco ASA Series Firewall CLI Configuration Guide
Undo Translation
10.1.2.29
SMTP server
10.1.2.29
Static NAT
9-29