31-15
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 31 Configuring Twice NAT
Configuring Twice NAT
Configuring Static NAT or Static NAT-with-Port-Translation
This section describes how to configure a static NAT rule using twice NAT. For more information about
static NAT, see the “Static NAT” section on page 29-3.
Detailed Steps

Step 1
Command:
    Network object:
        object network obj_name
        {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
    Network object group:
        object-group network grp_name
        {network-object {object net_obj_name | subnet_address netmask | host ip_address} | group-object grp_obj_name}
    Example:
        hostname(config)# object network MyInsNet
        hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
Purpose:
    Configure the real source addresses.
    You can configure either a network object or a network object
    group. For more information, see the “Configuring Objects”
    section on page 13-3.

Step 2
Command:
    Network object:
        object network obj_name
        {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
    Network object group:
        object-group network grp_name
        {network-object {object net_obj_name | subnet_address netmask | host ip_address} | group-object grp_obj_name}
    Example:
        hostname(config)# object network MyInsNet_mapped
        hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
Purpose:
    Configure the mapped source addresses.
    You can configure either a network object or a network object
    group. For static NAT, the mapping is typically one-to-one, so the
    real addresses have the same quantity as the mapped addresses.
    You can, however, have different quantities if desired. For more
    information, see the “Static NAT” section on page 29-3.
    For static interface NAT with port translation (routed mode only),
    you can skip this step and specify the interface keyword instead
    of a network object/group for the mapped address. For more
    information, see the “Static Interface NAT with Port Translation”
    section on page 29-5.
    See the “Guidelines and Limitations” section on page 31-2 for
    information about disallowed mapped IP addresses.
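
The following is an added example, not part of the Cisco guide: a review-time check that parses `object network` definitions and compares the address counts of a real/mapped pair, so an unintended departure from the typical one-to-one static mapping is caught before the rule is applied. The function names, the objects `OneHost` and `SmallRange`, and the limitation to IPv4 `object network` entries (no object groups) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the two objects from Steps 1 and 2, plus two
# hypothetical objects (OneHost, SmallRange) that form a mismatched pair.
SAMPLE_CONFIG = """\
object network MyInsNet
 subnet 10.1.1.0 255.255.255.0
object network MyInsNet_mapped
 subnet 192.168.1.0 255.255.255.0
object network OneHost
 host 10.1.1.5
object network SmallRange
 range 192.168.1.10 192.168.1.12
"""

def parse_network_objects(config):
    """Return {object name: address count} for IPv4 host/subnet/range objects."""
    sizes, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"object network (\S+)$", line)
        if header:
            name = header.group(1)
            continue
        parts = line.split()
        if name is None or not parts:
            continue
        if parts[0] == "host" and len(parts) == 2:
            ipaddress.IPv4Address(parts[1])          # raises on a malformed address
            sizes[name] = 1
        elif parts[0] == "subnet" and len(parts) == 3:
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}")
            sizes[name] = net.num_addresses          # every address in the subnet
        elif parts[0] == "range" and len(parts) == 3:
            lo, hi = (ipaddress.IPv4Address(p) for p in parts[1:])
            if hi < lo:
                raise ValueError(f"{name}: range end is below range start")
            sizes[name] = int(hi) - int(lo) + 1      # range is inclusive
    return sizes

def check_static_pair(sizes, real, mapped):
    """Compare real and mapped address counts for one static NAT pair."""
    r, m = sizes[real], sizes[mapped]
    return {"real": r, "mapped": m, "one_to_one": r == m}

if __name__ == "__main__":
    sizes = parse_network_objects(SAMPLE_CONFIG)
    print(check_static_pair(sizes, "MyInsNet", "MyInsNet_mapped"))
    print(check_static_pair(sizes, "OneHost", "SmallRange"))
```

A pair reported with `one_to_one` set to `False` is not necessarily wrong, since different quantities are permitted, but it should be a deliberate choice.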