5-22
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 5 Configuring Twice NAT (ASA 8.3 and Later)
Configuring Twice NAT
For static NAT, the mapping is typically one-to-one, so the real addresses have the same quantity as
the mapped addresses. You can, however, have different quantities if desired.
For static interface NAT with port translation, you can specify the interface instead of a network
object/group for the mapped address. If you want to use the IPv6 address of the interface, check the
Use IPv6 for interface PAT check box.
For more information, see the “Static Interface NAT with Port Translation” section on page 3-6. See
the “Guidelines and Limitations” section on page 5-2 for information about disallowed mapped IP
addresses.
b. For the Match Criteria: Translated Packet > Destination Address, click the browse button and choose
an existing network object, group, or interface or create a new object or group from the Browse
Translated Destination Address dialog box.
For static NAT, the mapping is typically one-to-one, so the real addresses have the same quantity as
the mapped addresses. You can, however, have different quantities if desired.
For static interface NAT with port translation, you can specify the interface instead of a network
object/group for the mapped address. For more information, see the “Static Interface NAT with Port
Translation” section on page 3-6. See the “Guidelines and Limitations” section on page 5-2 for
information about disallowed mapped IP addresses.
Step 7 (Optional) Identify the translated packet source or destination port (the mapped source port or the real
destination port). For the Match Criteria: Translated Packet > Service, click the browse button and
choose an existing TCP or UDP service object or create a new object from the Browse Translated Service
dialog box.
A service object can contain both a source and destination port. You should specify either the source or
the destination port, and do so for both the real and mapped service objects. Specify both the source
and destination ports only if your application uses a fixed source port (such as some DNS servers); fixed
source ports are rare. In the rare case where you specify both the source and destination ports in the
object, the original packet service object contains the real source port/mapped destination port; the
translated packet service object contains the mapped source port/real destination port. NAT supports
only TCP or UDP. When translating a port, be sure the protocols in the real and mapped service
objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for
both the real and mapped ports. The “not equal” (!=) operator is not supported.
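
The service object rules in Step 7 can be checked before a twice NAT rule is deployed. The following is an added example, not part of the Cisco guide: it assumes the service objects are available in ASA CLI form (`object service` stanzas, where the CLI keyword for "not equal" is `neq`), and the object names, ports, and function names are hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample in ASA CLI form; object names and ports are hypothetical.
SAMPLE = """\
object service ORIG_WEB
 service tcp destination eq 80
object service XLATE_WEB
 service tcp destination eq 8080
object service XLATE_WEB_UDP
 service udp destination eq 8080
object service NOT_TELNET
 service tcp destination neq 23
object service FIXED_SRC_DNS
 service udp source eq 53 destination eq 53
"""
# src and dst hold the operator and port(s), e.g. "eq 53", or None when unset.
Svc = namedtuple("Svc", "proto src dst")
PORT = r"((?:eq|neq|lt|gt) \S+|range \S+ \S+)"

def parse_objects(text):
    """Map each service object name to its protocol and port matches."""
    objs, name = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("object service "):
            name = line.split()[2]
        elif line.startswith("service ") and name:
            src = re.search(r"\bsource " + PORT, line)
            dst = re.search(r"\bdestination " + PORT, line)
            objs[name] = Svc(line.split()[1], src and src.group(1), dst and dst.group(1))
    return objs

def check_pair(original, translated):
    """Return findings for the two service objects of one twice NAT rule."""
    findings = []
    for label, s in (("original", original), ("translated", translated)):
        if s.proto not in ("tcp", "udp"):
            findings.append(f"{label}: NAT only supports TCP or UDP, got {s.proto}")
        if any(p and p.startswith("neq") for p in (s.src, s.dst)):
            findings.append(f"{label}: the not-equal operator is not supported")
        if s.src and s.dst:
            findings.append(f"{label}: source and destination both set; confirm a fixed source port")
    if original.proto != translated.proto:
        findings.append("protocol differs between original and translated objects")
    sides = lambda s: (s.src is None, s.dst is None)
    if sides(original) != sides(translated):
        findings.append("objects do not match on the same side (source vs destination)")
    return findings

OBJS = parse_objects(SAMPLE)
```

Passing the same object for both arguments models the identity NAT case, where one service object serves as both the real and mapped ports.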