34-6
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 34 Configuring Twice NAT (ASA 8.3 and Later)
Configuring Twice NAT
By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set
specific interfaces.
a. From the Match Criteria: Original Packet > Source Interface drop-down list, choose the source
interface.
b. From the Match Criteria: Original Packet > Destination Interface drop-down list, choose the
destination interface.
Step 3 Identify the original packet addresses; namely, the packet addresses as they appear on the source
interface network (the real source address and the mapped destination address). See the following figure
for an example of the original packet vs. the translated packet.
a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an
existing network object or group or create a new object or group from the Browse Original Source
Address dialog box. The default is any.
b. (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button
and choose an existing network object or group or create a new object or group from the Browse
Original Destination Address dialog box.
Although the main feature of twice NAT is the inclusion of the destination IP address, the destination
address is optional. If you do specify the destination address, you can configure static translation for
that address or just use identity NAT for it. You might want to configure twice NAT without a
destination address to take advantage of some of the other qualities of twice NAT, including the use
of network object groups for real addresses, or manual ordering of rules. For more information,
see the “Main Differences Between Network Object NAT and Twice NAT” section on page 32-16.
Step 4 (Optional) Identify the original packet port (the mapped destination port). For the Match Criteria:
Original Packet > Service, click the browse button and choose an existing TCP or UDP service object
or create a new object from the Browse Original Service dialog box.
Dynamic NAT does not support port translation. However, because the destination translation is always
static, you can perform port translation for the destination port. A service object can contain both a
source and destination port, but only the destination port is used in this case. If you specify the source
port, it will be ignored. NAT only supports TCP or UDP. When translating a port, be sure the protocols
[Figure: Original packet vs. translated packet. Inside host: Real 10.1.2.2, Mapped 192.168.2.2. Outside host: Real 192.168.1.1, Mapped 10.1.1.1. Original packet (Source ---> Destination, as seen on the Inside interface): 10.1.2.2 ---> 10.1.1.1. Translated packet (as seen on the Outside interface, after NAT): 192.168.2.2 ---> 192.168.1.1.]
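The following is an added worked example, not code from the Cisco guide or the ASA software: a small Python model of how a static twice NAT rule configured in Steps 2 through 4 matches an original packet and produces the translated packet. The dataclass names, the `matches` and `translate` functions and the first-match evaluation order are assumptions of this model; the sample addresses are the constructed values from the figure above (inside host 10.1.2.2 mapped to 192.168.2.2, outside host 192.168.1.1 mapped to 10.1.1.1), plus a second constructed rule that shows the destination-port translation described in Step 4 and the guide's point that a source port in the service object is ignored and that only TCP or UDP is translated.

```python
"""Toy model of ASA twice NAT matching and translation (added example, not Cisco code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet is seen on (source interface before NAT)
    proto: str     # "tcp", "udp", or something else
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class TwiceNatRule:
    """One static twice NAT rule (hypothetical model). CIDR strings stand in for
    network objects. Destination objects are optional, as in Step 3b; the service
    tuples are (source port, destination port), as in Step 4, where the source
    port is carried but deliberately ignored."""
    src_if: str                        # "any" or an interface name
    dst_if: str
    real_src: str
    mapped_src: str
    mapped_dst: Optional[str] = None   # destination as it appears in the original packet
    real_dst: Optional[str] = None     # None with mapped_dst set means identity NAT
    orig_service: Optional[Tuple[int, int]] = None   # (sport, mapped dport)
    xlat_service: Optional[Tuple[int, int]] = None   # (sport, real dport)


def _static_map(addr: str, from_net: str, to_net: str) -> str:
    """One-to-one static mapping: keep the host offset inside the object."""
    a, f, t = ip_address(addr), ip_network(from_net), ip_network(to_net)
    if f.prefixlen != t.prefixlen:
        raise ValueError("static twice NAT maps objects of equal size")
    return str(t.network_address + (int(a) - int(f.network_address)))


def matches(rule: TwiceNatRule, pkt: Packet) -> bool:
    """Match criteria: source interface, real source, optional mapped destination,
    optional destination port (TCP/UDP only; the service's source port is ignored)."""
    if rule.src_if != "any" and rule.src_if != pkt.iface:
        return False
    if ip_address(pkt.src) not in ip_network(rule.real_src):
        return False
    if rule.mapped_dst and ip_address(pkt.dst) not in ip_network(rule.mapped_dst):
        return False
    if rule.orig_service:
        if pkt.proto not in ("tcp", "udp"):
            return False
        if pkt.dport != rule.orig_service[1]:
            return False
    return True


def translate(rules: List[TwiceNatRule], pkt: Packet) -> Optional[Packet]:
    """Rules are evaluated in the order listed; the first match is applied.
    Returns the translated packet as seen on the destination interface, or None."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        new_src = _static_map(pkt.src, rule.real_src, rule.mapped_src)
        new_dst = pkt.dst
        if rule.mapped_dst:
            new_dst = _static_map(pkt.dst, rule.mapped_dst, rule.real_dst or rule.mapped_dst)
        new_dport = pkt.dport
        if rule.orig_service and rule.xlat_service:
            new_dport = rule.xlat_service[1]   # only the destination port is translated
        return replace(pkt, iface=rule.dst_if, src=new_src, dst=new_dst, dport=new_dport)
    return None


# Constructed rule reproducing the figure: inside host 10.1.2.2 is seen on the
# outside as 192.168.2.2; outside host 192.168.1.1 is seen on the inside as 10.1.1.1.
FIGURE_RULE = TwiceNatRule(
    src_if="inside", dst_if="outside",
    real_src="10.1.2.2/32", mapped_src="192.168.2.2/32",
    mapped_dst="10.1.1.1/32", real_dst="192.168.1.1/32",
)

# Constructed rule with port translation: clients in 10.1.2.0/24 reach the outside
# host on mapped port 8080, which is translated to the real port 80. The service
# object also carries source port 12345, which the ASA ignores.
PORT_RULE = TwiceNatRule(
    src_if="inside", dst_if="outside",
    real_src="10.1.2.0/24", mapped_src="192.168.2.0/24",
    mapped_dst="10.1.1.1/32", real_dst="192.168.1.1/32",
    orig_service=(12345, 8080), xlat_service=(12345, 80),
)


def figure_example() -> Optional[Packet]:
    original = Packet("inside", "tcp", "10.1.2.2", "10.1.1.1", sport=40000, dport=80)
    return translate([FIGURE_RULE], original)


if __name__ == "__main__":
    print(figure_example())
```

Running the block prints the translated form of the figure's original packet: source 192.168.2.2, destination 192.168.1.1, seen on the outside interface.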