Static NAT on Cisco ASA

When configuring static NAT on an ASA think about it from the point of view of a “real IP” and a “mapped IP”.

The “real” IP is the IP address that is physically configured on a host (such as a server). Typically this will be on the inside interface of the firewall and assigned a private IP address.

The “mapped” IP is the IP address you want the host to appear to be. Typically this is on the outside interface and assigned a public IP.

Static NAT has a 1:1 relationship between the real IP and the mapped IP. Any traffic destined for the mapped IP will be translated to the real IP.

Note, however, that in the outbound direction it is only the source address that is translated. For example, a server with a real address of 10.1.1.200 may want to ping 8.8.8.8; as the packet traverses the firewall, only the source IP of 10.1.1.200 is translated to the mapped address. The destination of 8.8.8.8 remains unchanged.

Configuring Static NAT

The easiest way to configure static NAT is to first configure an object for the mapped IP, then configure an object for the real IP. Then, while still in the real object's configuration, configure NAT:

asa1(config)# object network mapped-host-object-name
asa1(config-network-object)# host mapped-host-ip

asa1(config)# object network real-host-object-name
asa1(config-network-object)# host real-host-ip
asa1(config-network-object)# nat (real-int,mapped-int) static mapped-host-object-name

If we consider the mapped IP to be 192.168.0.100 on the outside interface and the real IP to be 10.1.1.100 on the inside interface then this would be the configuration:

asa1(config)# object network host1-outside
asa1(config-network-object)# host 192.168.0.100
asa1(config-network-object)# description outside mapped IP for host1

asa1(config)# object network host1-inside
asa1(config-network-object)# host 10.1.1.100
asa1(config-network-object)# description inside real IP for host1
asa1(config-network-object)# nat (inside,outside) static host1-outside
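To check that a configuration like the one above really yields a 1:1 mapping and behaves as described in the ping example, here is an added Python script (not part of the original post, and not Cisco code) that parses the object network / nat static lines from a running-config, refuses undefined or doubly-claimed mapped objects, and applies the translation to sample packets. The config text is constructed from the post's example; the outside peer address 203.0.113.5 is an assumed test value.

```python
import re

# Constructed sample: the two objects from the post, as they would appear in
# 'show running-config' (prompts, if present, are stripped by the parser).
SAMPLE_CONFIG = """
object network host1-outside
 host 192.168.0.100
 description outside mapped IP for host1
object network host1-inside
 host 10.1.1.100
 description inside real IP for host1
 nat (inside,outside) static host1-outside
"""

def parse_static_nat(config):
    """Return {(real_if, mapped_if): {real_ip: mapped_ip}} for each
    'nat ... static <object>' line. Only 'host' objects are handled (the form
    used in the post). An undefined object, or a mapped IP claimed by two
    real hosts, breaks the 1:1 rule and raises ValueError."""
    hosts, table, current = {}, {}, None
    for raw in config.splitlines():
        line = re.sub(r"^\S+\(config[^)]*\)#\s*", "", raw.strip())  # drop CLI prompt
        if m := re.fullmatch(r"object network (\S+)", line):
            current = m.group(1)
        elif m := re.fullmatch(r"host (\S+)", line):
            hosts[current] = m.group(1)
        elif m := re.fullmatch(r"nat \((\S+),(\S+)\) static (\S+)", line):
            real_if, mapped_if, mapped_obj = m.groups()
            if current not in hosts or mapped_obj not in hosts:
                raise ValueError(f"nat under {current!r} references an undefined host object")
            pairs = table.setdefault((real_if, mapped_if), {})
            if hosts[mapped_obj] in pairs.values():
                raise ValueError(f"mapped IP {hosts[mapped_obj]} already used by another static NAT")
            pairs[hosts[current]] = hosts[mapped_obj]
    return table

def translate(table, ingress, egress, src, dst):
    """Apply static NAT to one packet's addresses. Only the NATed host's own
    address changes; the other end of the conversation is left alone."""
    for (real_if, mapped_if), pairs in table.items():
        if (ingress, egress) == (real_if, mapped_if) and src in pairs:
            return pairs[src], dst                  # outbound: source real -> mapped
        if (ingress, egress) == (mapped_if, real_if):
            for real, mapped in pairs.items():
                if dst == mapped:
                    return src, real                # inbound: destination mapped -> real
    return src, dst                                 # no static NAT applies

if __name__ == "__main__":
    nat = parse_static_nat(SAMPLE_CONFIG)
    print(translate(nat, "inside", "outside", "10.1.1.100", "8.8.8.8"))
```

Running it prints the translated (source, destination) pair for the post's outbound ping case; a real verification on the box itself would be `show nat` and `show xlate`.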

Author: Simon Chamberlain

An experienced Network Professional writing yet another blog