You are halfway there :)
In general, NATing firewalls have two basic necessities for moving traffic between interfaces. In the strictest of senses there are many more, but the two below are the ones encountered most often. The first is the access control and the second is a translation rule. This paradigm is true for most firewalls -- even if they don't expose it in a limited GUI (SOHO/consumer firewalls/routers) -- the GUI may be doing it for you underneath. On the CLI, however, you must take care to configure access control and the translation rules.
In your example you have configured the access control side of things with an access-list. The OUTSIDE_IN access-list is bound to the outside interface in the IN direction.
Knowing that, your access-list is telling the ASA to permit TCP traffic received on the outside interface from any source IP/TCP port combination destined for 208.x on TCP/80, 208.x on TCP/678, and 208.x on TCP/789.
The next step (or first step depending on how you like to do things) is to create a translation rule so the traffic gets translated -- after passing an access control check of course.
In ASA 8.2 and earlier this is accomplished with the static command. Major changes to NAT were implemented in ASA 8.3 and later -- so the following does not apply to 8.3 and up.
Assumptions:
- 208.1.1.1/TCP/80 <-> 192.168.1.100/TCP/80
- 208.1.1.1/TCP/678 <-> 192.168.1.101/TCP/678
- 208.1.1.1/TCP/789 <-> 192.168.1.102/TCP/789
- 192.168.1.0/24 on the inside interface
I have filled in the remaining octets of the external IP address with 1's to show clearly that we will be Port Address Translating (PAT), specifically static PAT, on a single external IP address. This is opposed to the more traditional static NAT where each internal IP would have its own unique external IP.
static (inside,outside) tcp 208.1.1.1 80 192.168.1.100 80 netmask 255.255.255.255
static (inside,outside) tcp 208.1.1.1 678 192.168.1.101 678 netmask 255.255.255.255
static (inside,outside) tcp 208.1.1.1 789 192.168.1.102 789 netmask 255.255.255.255
In general static PAT should be avoided as it is the ugliest type of NAT from both a management and technical standpoint. If you need to expose many internal servers to the Internet, the cleanest way to make it happen is with traditional static NAT -- where each server would have its own external IP.
Ref:
ASA 7.2 Command Reference
ASA 7.2 Command Reference static Command
-Weaver
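The pairing described in the answer above (an inbound permit plus a static PAT rule for every published port) can be checked mechanically. The following is an added example, not part of the original answer or any Cisco tooling: a small audit over 8.2-style configuration text. The sample config is constructed from the answer's assumed addresses, the access-list lines are written out from its description, and the 192.168.1.103/8080 entry and the audit() helper are hypothetical.

```python
import re

# Constructed sample (ASA 8.2-style syntax) using the answer's assumed addresses.
# The TCP/789 static is deliberately missing ("halfway there"), and the 8080
# static (hypothetical host) has no matching permit.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 208.1.1.1 eq 80
access-list OUTSIDE_IN extended permit tcp any host 208.1.1.1 eq 678
access-list OUTSIDE_IN extended permit tcp any host 208.1.1.1 eq 789
access-group OUTSIDE_IN in interface outside
static (inside,outside) tcp 208.1.1.1 80 192.168.1.100 80 netmask 255.255.255.255
static (inside,outside) tcp 208.1.1.1 678 192.168.1.101 678 netmask 255.255.255.255
static (inside,outside) tcp 208.1.1.1 8080 192.168.1.103 8080 netmask 255.255.255.255
"""

# Simplified patterns: only "permit tcp any host <ip> eq <numeric port>" entries
# and tcp static PAT lines are recognised; named ports such as "www" are not.
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\d+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+) netmask \S+$")

def audit(config, outside="outside"):
    """Cross-check inbound ACL permits against static PAT rules on one interface."""
    acls, bound, pats = {}, set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], set()).add((m[2], int(m[3])))
        elif m := GROUP_RE.match(line):
            if m[2] == outside:          # only ACLs bound inbound on this interface
                bound.add(m[1])
        elif m := STATIC_RE.match(line):
            if m[2] == outside:          # mapped (external) side of the translation
                pats[(m[3], int(m[4]))] = (m[5], int(m[6]))
    permitted = set().union(*(acls.get(name, set()) for name in bound))
    mapped = set(pats)
    return {
        # Both halves present: reachable from the outside.
        "published": {k: pats[k] for k in mapped & permitted},
        # Permit exists but nothing translates the traffic.
        "acl_without_static": sorted(permitted - mapped),
        # Translation exists but the ACL drops the traffic first.
        "static_without_acl": sorted(mapped - permitted),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```

Entries under acl_without_static are stale or incomplete publications; entries under static_without_acl become reachable the moment someone widens the access-list, so both lists are worth reviewing.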
I was advised by the ntop community to update to the SVN version of ntop, and this did indeed start populating the graphs without configuring things differently.
However, I have found that after collecting data for a few weeks, I am not seeing useful results. I have read that there are certain limitations with the netflow data from ASAs which may result in this. I think for better analysis I am probably looking at a different collection mechanism for data, and the lack of current and clear documentation for NTOP means I am probably looking elsewhere for collating and interpreting the data too. Back to the drawing board!
Best Answer
It's possible on the 5505 model, but not the 5510 or higher, since they don't have the integrated switch:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
(See the "integrated ports" section)
To set it on the 5505:
Where eth0/0 is your IDS port and eth0/1 is the interface you want to monitor.
To monitor an interface with the 5510 or higher, you'll need a separate switch with SPAN capabilities.