Figure 31-1 – Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 31 Configuring Twice NAT

Configuration Examples for Twice NAT

Figure 31-1 Twice NAT with Different Destination Addresses

Step 1

Add a network object for the inside network:

hostname(config)# object network myInsideNetwork

hostname(config-network-object)# subnet 10.1.2.0 255.255.255.0

Step 2

Add a network object for the DMZ network 1:

hostname(config)# object network DMZnetwork1

hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224

Step 3

Add a network object for the PAT address:

hostname(config)# object network PATaddress1

hostname(config-network-object)# host 209.165.202.129

Step 4

Configure the first twice NAT rule:

hostname(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1

Because you do not want to translate the destination address, you need to configure identity NAT for it
by specifying the same address for the real and mapped destination addresses.

By default, the NAT rule is added to the end of section 1 of the NAT table. See the “Configuring Dynamic PAT (Hide)” section on page 31-8 for more information about specifying the section and line number for the NAT rule.

Step 5

Add a network object for the DMZ network 2:

hostname(config)# object network DMZnetwork2

hostname(config-network-object)# subnet 209.165.200.224 255.255.255.224

Step 6

Add a network object for the PAT address:

hostname(config)# object network PATaddress2

[Figure 31-1 labels: Inside network 10.1.2.0/24 with host 10.1.2.27; DMZ networks 209.165.201.0/27 (Server 1, 209.165.201.11) and 209.165.200.224/27 (Server 2, 209.165.200.225); 10.1.2.27 is translated to 209.165.202.129 or 209.165.202.130 according to the packet's destination address.]

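The lookup that these steps configure, modelled in Python as an added example (not code from the Cisco guide): it parses the object and nat lines and returns the translation the first matching rule would apply to a flow. The PATaddress2 host line and the second nat rule are assumptions inferred from Figure 31-1, since this page stops at Step 6; the function names are illustrative, and port translation is not modelled.

```python
import ipaddress
import re

# Objects and the first rule come from the page's Steps 1-5. ASSUMPTION: the
# PATaddress2 host line and the second nat rule are not on this page; they are
# inferred from the 209.165.202.130 translation labelled in Figure 31-1.
CONFIG = """\
object network myInsideNetwork
 subnet 10.1.2.0 255.255.255.0
object network DMZnetwork1
 subnet 209.165.201.0 255.255.255.224
object network PATaddress1
 host 209.165.202.129
nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1
object network DMZnetwork2
 subnet 209.165.200.224 255.255.255.224
object network PATaddress2
 host 209.165.202.130
nat (inside,dmz) source dynamic myInsideNetwork PATaddress2 destination static DMZnetwork2 DMZnetwork2
"""
NAT_RE = re.compile(r"nat \(\w+,\w+\) source dynamic (\S+) (\S+) "
                    r"destination static (\S+) (\S+)$")

def parse(config):
    """Collect network objects and twice NAT rules in configuration order."""
    objects, rules, name = {}, [], None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            name = tok[2]
        elif tok[:1] == ["subnet"]:
            objects[name] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        elif tok[:1] == ["host"]:
            objects[name] = ipaddress.ip_network(f"{tok[1]}/32")
        elif (m := NAT_RE.match(line.strip())):
            rules.append(m.groups())
    return objects, rules

def translate(config, src, dst):
    """Return (mapped source, real destination) for the first matching rule, else None."""
    objects, rules = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for real_src, pat, mapped_dst, real_dst in rules:
        if s in objects[real_src] and d in objects[mapped_dst]:
            # Static destination keeps the host offset; identity NAT leaves it unchanged.
            offset = int(d) - int(objects[mapped_dst].network_address)
            new_dst = objects[real_dst].network_address + offset
            return str(objects[pat].network_address), str(new_dst)
    return None  # no twice NAT rule matched this flow
```

A flow whose source or destination falls outside every rule's objects returns None, which is the case to check when auditing which destinations receive which PAT address.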