Cisco Systems ASA 5510 Network Router User Manual


  Open as PDF
of 2086
 
34-13
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 34 Configuring Twice NAT (ASA 8.3 and Later)
Configuring Twice NAT
a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an
existing network object or group or create a new object or group from the Browse Original Source
Address dialog box. The default is any.
b. (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button
and choose an existing network object or group or create a new object or group from the Browse
Original Destination Address dialog box.
Although the main feature of twice NAT is the inclusion of the destination IP address, the destination
address is optional. If you do specify the destination address, you can configure static translation for
that address or just use identity NAT for it. You might want to configure twice NAT without a
destination address to take advantage of some of the other qualities of twice NAT, including the use
of network object groups for real addresses, or manually ordering of rules. For more information,
see the “Main Differences Between Network Object NAT and Twice NAT” section on page 32-16.
Step 4 (Optional) Identify the original packet port (the mapped destination port). For the Match Criteria:
Original Packet > Service, click the browse button and choose an existing TCP or UDP service object
or create a new object from the Browse Original Service dialog box.
Dynamic PAT does not support additional port translation. However, because the destination translation
is always static, you can perform port translation for the destination port. A service object can contain
both a source and destination port, but only the destination port is used in this case. If you specify the
source port, it will be ignored. NAT only supports TCP or UDP. When translating a port, be sure the
protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT,
you can use the same service object for both the real and mapped ports. The “not equal” (!=) operator is
not supported.
Real: 192.168.1.1
Mapped: 10.1.1.1
Real: 10.1.2.2
Mapped: 192.168.2.2
NAT
Source Destination
Outside
Inside
10.1.2.2 ---> 10.1.1.1 192.168.2.2 ---> 192.168.1.1
Original Packet Translated Packet