28-5
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 28 Configuring Twice NAT
Configuring Twice NAT
You can also create a new named object or group from the Browse Original Destination Address
dialog box and use this object or group as the real destination address.
Although the main feature of twice NAT is the inclusion of the destination IP address, the destination
address is optional. If you do specify the destination address, you can configure static translation for
that address or just use identity NAT for it. You might want to configure twice NAT without a
destination address to take advantage of some of the other qualities of twice NAT, including the use
of network object groups for real addresses, or manually ordering of rules. For more information,
see the “Main Differences Between Network Object NAT and Twice NAT” section on page 26-15.
Step 4 (Optional) Identify the original packet port (the mapped destination port). For the Match Criteria:
Original Packet > Service, click the browse button and choose an existing TCP or UDP service object
from the Browse Original Service dialog box.
You can also create a new service object from the Browse Original Service dialog box and use this object
as the real destination port.
Dynamic NAT does not support port translation. However, because the destination translation is always
static, you can perform port translation for the destination port. A service object can contain both a
source and destination port, but only the destination port is used in this case. If you specify the source
port, it will be ignored. NAT only supports TCP or UDP. When translating a port, be sure the protocols
in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can
use the same service object for both the real and mapped ports. The “not equal” (!=) operator is not
supported.
Step 5 Choose Dynamic from the Match Criteria: Translated Packet > Source NAT Type drop-down list.
This setting only applies to the source address; the destination translation is always static.
Figure 28-5 Setting the NAT Type
Step 6
Identify the translated packet addresses (the mapped source address and the real destination address).
a. For the Match Criteria: Translated Packet > Source Address, click the browse button and choose
an existing network object or group from the Browse Translated Source Address dialog box.
You can also create a new named object or group from the Browse Translated Source Address dialog
box and use this object or group as the mapped source address.
For dynamic NAT, you typically configure a larger group of source addresses to be mapped to a
smaller group.
Note You can share this mapped object across different dynamic NAT rules, if desired.
b. For the Match Criteria: Translated Packet > Destination Address, click the browse button and
choose an existing network object, group, or interface from the Browse Translated Destination
Address dialog box.
You can also create a new named object or group from the Browse Translated Destination Address
dialog box and use this object or group as the mapped destination address.
For identity NAT for the destination address, simply use the same object or group for both the real
and mapped addresses.
To Next Page
Loading...
Need help?
General
