Cisco ASA 5500 Series Configuration Guide using ASDM, 6.3
Configuring Twice NAT (ASA 8.3 and Later)


Table Of Contents

Configuring Twice NAT (ASA 8.3 and Later)

Information About Twice NAT

Licensing Requirements for Twice NAT

Prerequisites for Twice NAT

Guidelines and Limitations

Configuring Twice NAT

Configuring Dynamic NAT

Configuring Dynamic PAT (Hide)

Configuring Static NAT or Static NAT with Port Translation

Configuring Identity NAT

Configuration Examples for Twice NAT

Different Translation Depending on the Destination (Dynamic PAT)

Different Translation Depending on the Destination Address and Port (Dynamic PAT)

Feature History for Twice NAT


Configuring Twice NAT (ASA 8.3 and Later)


Twice NAT lets you identify both the source and destination address in a single rule. This chapter shows you how to configure twice NAT and includes the following sections:

Information About Twice NAT

Licensing Requirements for Twice NAT

Prerequisites for Twice NAT

Guidelines and Limitations

Configuring Twice NAT

Configuration Examples for Twice NAT

Feature History for Twice NAT


Note For detailed information about how NAT works, see Chapter 26 "Information About NAT (ASA 8.3 and Later)."


Information About Twice NAT

Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you specify that a source address should be translated to A when going to destination X, but be translated to B when going to destination Y, for example.


Note For static NAT, the rule is bidirectional, so be aware that "source" and "destination" are used in commands and descriptions throughout this guide even though a given connection might originate at the "destination" address. For example, if you configure static NAT with port address translation, and specify the source address as a Telnet server, and you want all traffic going to that Telnet server to have the port translated from 2323 to 23, then in the command, you must specify the source ports to be translated (real: 23, mapped: 2323). You specify the source ports because you specified the Telnet server address as the source address.


The destination address is optional. If you specify the destination address, you can either map it to itself (identity NAT), or you can map it to a different address. The destination mapping is always a static mapping.

Twice NAT also lets you use service objects for static NAT with port translation; network object NAT only accepts inline definition.

For detailed information about the differences between twice NAT and network object NAT, see the "How NAT is Implemented" section.

Twice NAT rules are added to section 1 of the NAT rules table, or if specified, section 3. For more information about NAT ordering, see the "NAT Rule Order" section.

Licensing Requirements for Twice NAT

Model
License Requirement

All models

Base License.


Prerequisites for Twice NAT

For both the real and mapped addresses, configure network objects or network object groups. Network object groups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets. To create a network object or group, see the "Configuring Network Objects and Groups" section.

For static NAT with port translation, configure TCP or UDP service objects. To create a service object, see the "Configuring Service Objects and Service Groups" section.

For specific guidelines for objects and groups, see the configuration section for the NAT type you want to configure. See also the "Guidelines and Limitations" section.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported in routed and transparent firewall mode.

In transparent mode, you must specify the real and mapped interfaces; you cannot use --Any--.

In transparent mode, you cannot configure interface PAT, because the transparent mode interfaces do not have IP addresses. You also cannot use the management IP address as a mapped address.

IPv6 Guidelines

Does not support IPv6.

Additional Guidelines

If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations.


Note If you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses that overlap the addresses in the removed rule, then the new rule will not be used until all connections associated with the removed rule time out or are cleared using the clear xlate command. This safeguard ensures that the same address is not assigned to multiple hosts.


Objects and object groups used in NAT cannot be undefined; they must include IP addresses.

The mapped IP address pool cannot include:

The mapped interface IP address. If you specify --Any-- interface for the rule, then all interface IP addresses are disallowed. For interface PAT (routed mode only), use the interface name instead of the IP address.

(Transparent mode) The management IP address.

(Dynamic NAT) The standby interface IP address when VPN is enabled.

Existing VPN pool addresses.

Configuring Twice NAT

This section describes how to configure twice NAT to create rules for dynamic NAT, dynamic PAT, static NAT, static NAT with port translation, and identity NAT. This section includes the following topics:

Configuring Dynamic NAT

Configuring Dynamic PAT (Hide)

Configuring Static NAT or Static NAT with Port Translation

Configuring Identity NAT

Configuring Dynamic NAT

This section describes how to configure a dynamic NAT rule using twice NAT. For more information about dynamic NAT, see the "Dynamic NAT" section.

Detailed Steps

To configure dynamic NAT, perform the following steps:


Step 1 Choose Configuration > Firewall > NAT Rules, and then click Add.

If you want to add this rule to section 3 after the network object rules, then click the down arrow next to Add, and choose Add NAT Rule After Network Object NAT Rules.

Figure 28-1 Adding a NAT Rule


The Add NAT Rule dialog box appears.

Figure 28-2 Add NAT Rule Dialog Box

Step 2 Set the source and destination interfaces.

By default, both interfaces are set to --Any--.

a. From the Match Criteria: Original Packet > Source Interface drop-down list, choose the source interface.

b. From the Match Criteria: Original Packet > Destination Interface drop-down list, choose the destination interface.

Figure 28-3 Setting the Interfaces

Step 3 Identify the original packet addresses (the real source address and the mapped destination address).

a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group from the Browse Original Source Address dialog box. The default is any.

Figure 28-4 Browse Dialog Box

You can also create a new named object or group from the Browse Original Source Address dialog box and use this object or group as the real source address.

b. (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button and choose an existing network object or group from the Browse Original Destination Address dialog box.

You can also create a new named object or group from the Browse Original Destination Address dialog box and use this object or group as the real destination address.

Although the main feature of twice NAT is the inclusion of the destination IP address, the destination address is optional. If you do specify the destination address, you can configure static translation for that address or just use identity NAT for it. You might want to configure twice NAT without a destination address to take advantage of some of the other qualities of twice NAT, including the use of network object groups for real addresses, or manual ordering of rules. For more information, see the "Main Differences Between Network Object NAT and Twice NAT" section.

Step 4 (Optional) Identify the original packet port (the mapped destination port). For the Match Criteria: Original Packet > Service, click the browse button and choose an existing TCP or UDP service object from the Browse Original Service dialog box.

You can also create a new service object from the Browse Original Service dialog box and use this object as the real destination port.

Dynamic NAT does not support port translation. However, because the destination translation is always static, you can perform port translation for the destination port. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The "not equal" (!=) operator is not supported.

Step 5 Choose Dynamic from the Match Criteria: Translated Packet > Source NAT Type drop-down list.

This setting only applies to the source address; the destination translation is always static.

Figure 28-5 Setting the NAT Type

Step 6 Identify the translated packet addresses (the mapped source address and the real destination address).

a. For the Match Criteria: Translated Packet > Source Address, click the browse button and choose an existing network object or group from the Browse Translated Source Address dialog box.

You can also create a new named object or group from the Browse Translated Source Address dialog box and use this object or group as the mapped source address.

For dynamic NAT, you typically configure a larger group of source addresses to be mapped to a smaller group.


Note You can share this mapped object across different dynamic NAT rules, if desired.


b. For the Match Criteria: Translated Packet > Destination Address, click the browse button and choose an existing network object, group, or interface from the Browse Translated Destination Address dialog box.

You can also create a new named object or group from the Browse Translated Destination Address dialog box and use this object or group as the mapped destination address.

For identity NAT for the destination address, simply use the same object or group for both the real and mapped addresses.

If you want to translate the destination address, then the static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see the "Static NAT" section. See the "Guidelines and Limitations" section for information about disallowed mapped IP addresses.

For static interface NAT with port translation only, choose an interface. If you specify an interface, be sure to also configure a service translation. For this option, you must configure a specific interface for the Source Interface. See the "Static Interface NAT with Port Translation" section for more information.

Figure 28-6 Browse Dialog Box

Step 7 (Optional) Identify the translated packet port (the real destination port). For the Match Criteria: Translated Packet > Service, click the browse button and choose an existing TCP or UDP service object from the Browse Translated Service dialog box.

You can also create a new service object from the Browse Translated Service dialog box and use this object as the mapped destination port.

Dynamic NAT does not support port translation. However, because the destination translation is always static, you can perform port translation for the destination port. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The "not equal" (!=) operator is not supported.

Step 8 (Optional) To use the interface IP address as a backup method if the other mapped addresses are already allocated, check the Fall through to interface PAT check box.

The destination interface IP address is used. This option is only available if you configure a specific Destination Interface.

Figure 28-7 Fall Through to Interface PAT

Step 9 (Optional) Configure NAT options in the Options area.

Figure 28-8 NAT Options

a. Check the Enable rule check box to enable this NAT rule. The rule is enabled by default.

b. (For a source-only rule) To rewrite the DNS A record in DNS replies, check the Translate DNS replies that match this rule check box.

Be sure DNS inspection is enabled (it is enabled by default). You cannot configure DNS modification if you configure a destination address. See the "DNS and NAT" section for more information.

c. In the Description field, add a description about the rule up to 200 characters in length.

Step 10 Click OK.
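The CLI that ASDM writes for a dynamic NAT rule built with Steps 1 through 10 above, as an added example that is not part of the Cisco guide. The interface names (inside, outside), object names, addresses and ports are assumptions chosen for illustration; the command keywords are the ASA 8.3 twice NAT syntax.

```text
! Added example, not from the guide: CLI equivalent of the dynamic NAT rule
! from Steps 1-10. Interface names, object names and addresses are assumptions.
!
! Step 3a: real source addresses. A group is allowed here (network object NAT
! cannot use a group as the real address).
object network ENG-NET
 subnet 10.1.1.0 255.255.255.0
object network SALES-NET
 subnet 10.1.2.0 255.255.255.0
object-group network REAL-INSIDE
 network-object object ENG-NET
 network-object object SALES-NET
!
! Step 6a: mapped source pool, smaller than the real set. It must not contain
! the outside interface address or any VPN pool address (Guidelines and Limitations).
object network MAPPED-POOL
 range 209.165.201.10 209.165.201.20
!
! Steps 3b/6b: destination is identity NAT, so the same object is used twice.
object network DMZ-SERVER
 host 209.165.200.225
!
! Steps 4/7: destination port translation only (source ports are ignored for
! dynamic rules). Clients send to 8080; the server really listens on 80.
! Both objects are TCP, as the guideline requires.
object service DMZ-MAPPED-PORT
 service tcp destination eq 8080
object service DMZ-REAL-PORT
 service tcp destination eq 80
!
! Steps 5-9 in one command. Operand order mirrors the ASDM dialog:
!   source dynamic     <real src>   <mapped src> [interface]
!                      ("interface" = Fall through to interface PAT, Step 8)
!   destination static <mapped dst> <real dst>
!   service            <mapped dst port> <real dst port>
! "dns" is not allowed here because a destination is specified.
nat (inside,outside) source dynamic REAL-INSIDE MAPPED-POOL interface destination static DMZ-SERVER DMZ-SERVER service DMZ-MAPPED-PORT DMZ-REAL-PORT description Eng and Sales to DMZ web server
!
! The same rule placed in section 3 ("Add NAT Rule After Network Object NAT Rules"):
! nat (inside,outside) after-auto source dynamic REAL-INSIDE MAPPED-POOL interface destination static DMZ-SERVER DMZ-SERVER service DMZ-MAPPED-PORT DMZ-REAL-PORT
!
! Verification, and the translation-table guideline from Guidelines and Limitations:
! show nat       <- section, line and hit counters for each twice NAT rule
! show xlate     <- current translations built from MAPPED-POOL
! clear xlate    <- applies changed rules immediately; drops every translated connection
```

The fall-through keyword only makes sense because the destination interface is a specific one (outside); with --Any-- as the destination interface ASDM does not offer the check box, and the CLI rejects the keyword for the same reason.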


Configuring Dynamic PAT (Hide)

This section describes how to configure a dynamic PAT (hide) rule using twice NAT. For more information about dynamic PAT, see the "Dynamic PAT" section.

Detailed Steps

To configure dynamic PAT, perform the following steps:


Step 1 Choose Configuration > Firewall > NAT Rules, and then click Add.

If you want to add this rule to section 3 after the network object rules, then click the down arrow next to Add, and choose Add NAT Rule After Network Object NAT Rules.

Figure 28-9 Adding a NAT Rule

The Add NAT Rule dialog box appears.

Figure 28-10 Add NAT Rule Dialog Box

Step 2 Set the source and destination interfaces.

By default, both interfaces are set to --Any--.

a. From the Match Criteria: Original Packet > Source Interface drop-down list, choose the source interface.

b. From the Match Criteria: Original Packet > Destination Interface drop-down list, choose the destination interface.

Figure 28-11 Setting the Interfaces

Step 3 Identify the original packet addresses (the real source address and the mapped destination address).

a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group from the Browse Original Source Address dialog box. The default is any.

Figure 28-12 Browse Dialog Box

You can also create a new named object or group from the Browse Original Source Address dialog box and use this object or group as the real source address.

b. (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button and choose an existing network object or group from the Browse Original Destination Address dialog box.

You can also create a new named object or group from the Browse Original Destination Address dialog box and use this object or group as the real destination address.

Although the main feature of twice NAT is the inclusion of the destination IP address, the destination address is optional. If you do specify the destination address, you can configure static translation for that address or just use identity NAT for it. You might want to configure twice NAT without a destination address to take advantage of some of the other qualities of twice NAT, including the use of network object groups for real addresses, or manual ordering of rules. For more information, see the "Main Differences Between Network Object NAT and Twice NAT" section.

Step 4 (Optional) Identify the original packet port (the mapped destination port). For the Match Criteria: Original Packet > Service, click the browse button and choose an existing TCP or UDP service object from the Browse Original Service dialog box.

You can also create a new service object from the Browse Original Service dialog box and use this object as the real destination port.

Dynamic PAT does not support additional port translation. However, because the destination translation is always static, you can perform port translation for the destination port. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The "not equal" (!=) operator is not supported.

Step 5 Choose Dynamic PAT (Hide) from the Match Criteria: Translated Packet > Source NAT Type drop-down list.

This setting only applies to the source address; the destination translation is always static.

Figure 28-13 Setting the NAT Type

Step 6 Identify the translated packet addresses (the mapped source address and the real destination address).

a. For the Match Criteria: Translated Packet > Source Address, click the browse button and choose an existing network object or interface from the Browse Translated Source Address dialog box.

Figure 28-14 Browse Dialog Box

You can also create a new named object (host) from the Browse Translated Source Address dialog box and use this object as the mapped source address.

For dynamic PAT, you configure a group of addresses to be mapped to a single address.


Note You can share this mapped object across different dynamic PAT rules, if desired.


b. For the Match Criteria: Translated Packet > Destination Address, click the browse button and choose an existing network object or group from the Browse Translated Destination Address dialog box.

You can also create a new named object or group from the Browse Translated Destination Address dialog box and use this object or group as the mapped destination address.

For identity NAT for the destination address, simply use the same object or group for both the real and mapped addresses.

If you want to translate the destination address, then the static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see the "Static NAT" section. See the "Guidelines and Limitations" section for information about disallowed mapped IP addresses.

For static interface NAT with port translation only, choose an interface. If you specify an interface, be sure to also configure a service translation. For this option, you must configure a specific interface for the Source Interface. See the "Static Interface NAT with Port Translation" section for more information.

Step 7 (Optional) Identify the translated packet port (the real destination port). For the Match Criteria: Translated Packet > Service, click the browse button and choose an existing TCP or UDP service object from the Browse Translated Service dialog box.

You can also create a new service object from the Browse Translated Service dialog box and use this object as the mapped destination port.

Dynamic PAT does not support additional port translation. However, because the destination translation is always static, you can perform port translation for the destination port. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The "not equal" (!=) operator is not supported.

Step 8 (Optional) Configure NAT options in the Options area.

Figure 28-15 NAT Options

a. Check the Enable rule check box to enable this NAT rule. The rule is enabled by default.

b. (For a source-only rule) To rewrite the DNS A record in DNS replies, check the Translate DNS replies that match this rule check box.

Be sure DNS inspection is enabled (it is enabled by default). You cannot configure DNS modification if you configure a destination address. See the "DNS and NAT" section for more information.

c. In the Description field, add a description about the rule up to 200 characters in length.

Step 9 Click OK.
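Two dynamic PAT (hide) rules built with Steps 1 through 9 above, shown as the CLI that ASDM generates. This is an added example, not part of the Cisco guide, and it also illustrates the "translated to A when going to destination X, but to B when going to destination Y" behaviour described in "Information About Twice NAT". Interface names, object names and addresses are assumptions chosen for illustration.

```text
! Added example, not from the guide. Interface names, object names and
! addresses are assumptions.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network PARTNER-NET
 subnet 209.165.202.128 255.255.255.224
! Step 6a for rule 1: dynamic PAT maps the whole real group to a single host.
object network PAT-FOR-PARTNER
 host 209.165.201.5
!
! Rule 1, section 1 line 1: traffic from INSIDE-NET to PARTNER-NET is hidden
! behind 209.165.201.5. The destination is identity NAT (same object twice),
! so "dns" would be rejected on this rule.
nat (inside,outside) 1 source dynamic INSIDE-NET PAT-FOR-PARTNER destination static PARTNER-NET PARTNER-NET
!
! Rule 2, section 1 line 2: everything else from INSIDE-NET is hidden behind
! the outside interface address (interface PAT, routed mode only). No
! destination, so this is a source-only rule.
nat (inside,outside) 2 source dynamic INSIDE-NET interface
!
! Order matters: section 1 is evaluated top down and the first match wins.
! If rule 2 were on line 1 it would match all INSIDE-NET traffic and rule 1
! would never be hit. A broad source-only rule in section 1 also wins over
! every network object NAT rule in section 2; if those must still apply to
! some INSIDE-NET hosts, put the catch-all in section 3 instead:
! nat (inside,outside) after-auto source dynamic INSIDE-NET interface
!
! Confirm which rule a flow actually takes before trusting the policy:
! packet-tracer input inside tcp 10.1.1.10 40000 209.165.202.130 443
!   -> NAT phase should show the line 1 rule, mapped source 209.165.201.5
! packet-tracer input inside tcp 10.1.1.10 40000 198.51.100.10 443
!   -> NAT phase should show the line 2 rule, mapped source = outside interface IP
! show nat
!   -> translate_hits per rule; a rule whose counter never moves is shadowed or unused
```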


Configuring Static NAT or Static NAT with Port Translation

This section describes how to configure a static NAT rule using twice NAT. For more information about static NAT, see the "Static NAT" section.

Detailed Steps

To configure static NAT, perform the following steps:


Step 1 Choose Configuration > Firewall > NAT Rules, and then click Add.

If you want to add this rule to section 3 after the network object rules, then click the down arrow next to Add, and choose Add NAT Rule After Network Object NAT Rules.

Figure 28-16 Adding a NAT Rule

The Add NAT Rule dialog box appears.

Figure 28-17 Add NAT Rule Dialog Box

Step 2 Set the source and destination interfaces.

By default, both interfaces are set to --Any--.

a. From the Match Criteria: Original Packet > Source Interface drop-down list, choose the source interface.

b. From the Match Criteria: Original Packet > Destination Interface drop-down list, choose the destination interface.

Figure 28-18 Setting the Interfaces

Step 3 Identify the original packet addresses (the real source address and the mapped destination address).

a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group from the Browse Original Source Address dialog box. The default is any, but you typically only use this option when also setting the mapped address to any for identity NAT. See the "Configuring Identity NAT" section for more information.

Figure 28-19 Browse Dialog Box

You can also create a new named object or group from the Browse Original Source Address dialog box and use this object or group as the real source address.

b. (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button and choose an existing network object or group from the Browse Original Destination Address dialog box.

You can also create a new named object or group from the Browse Original Destination Address dialog box and use this object or group as the real destination address.

Although the main feature of twice NAT is the inclusion of the destination IP address, the destination address is optional. If you do specify the destination address, you can configure static translation for that address or just use identity NAT for it. You might want to configure twice NAT without a destination address to take advantage of some of the other qualities of twice NAT, including the use of network object groups for real addresses, or manual ordering of rules. For more information, see the "Main Differences Between Network Object NAT and Twice NAT" section.

Step 4 (Optional) Identify the original packet source or destination port (the real source port or the mapped destination port). For the Match Criteria: Original Packet > Service, click the browse button and choose an existing TCP or UDP service object from the Browse Original Service dialog box.

You can also create a new service object from the Browse Original Service dialog box and use this object as the real port.

A service object can contain both a source and destination port. You should specify either the source or the destination port for both the real and mapped service objects. You should only specify both the source and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed source ports are rare. In the rare case where you specify both the source and destination ports in the object, the original packet service object contains the real source port/mapped destination port; the translated packet service object contains the mapped source port/real destination port. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The "not equal" (!=) operator is not supported.

Step 5 Choose Static from the Match Criteria: Translated Packet > Source NAT Type drop-down list. Static is the default setting.

This setting only applies to the source address; the destination translation is always static.

Figure 28-20 Setting the NAT Type

Step 6 Identify the translated packet addresses (the mapped source address and the real destination address).

a. For the Match Criteria: Translated Packet > Source Address, click the browse button and choose an existing network object or group from the Browse Translated Source Address dialog box.

Figure 28-21 Browse Dialog Box

You can also create a new named object or group from the Browse Translated Source Address dialog box and use this object or group as the mapped source address.

For static NAT, the mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired.

For static interface NAT with port translation, you can specify the interface instead of a network object/group for the mapped address. For more information, see the "Static Interface NAT with Port Translation" section.

See the "Guidelines and Limitations" section for information about disallowed mapped IP addresses.

b. For the Match Criteria: Translated Packet > Destination Address, click the browse button and choose an existing network object, group, or interface from the Browse Translated Destination Address dialog box.

You can also create a new named object or group from the Browse Translated Destination Address dialog box and use this object or group as the mapped destination address.

For static NAT, the mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired.

For static interface NAT with port translation, you can specify the interface instead of a network object/group for the mapped address. For more information, see the "Static Interface NAT with Port Translation" section.

See the "Guidelines and Limitations" section for information about disallowed mapped IP addresses.

Step 7 (Optional) Identify the translated packet source or destination port (the mapped source port or the real destination port). For the Match Criteria: Translated Packet > Service, click the browse button and choose an existing TCP or UDP service object from the Browse Translated Service dialog box.

You can also create a new service object from the Browse Translated Service dialog box and use this object as the mapped port.

A service object can contain both a source and destination port. You should specify either the source or the destination port for both real and mapped service objects. You should only specify both the source and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed source ports are rare. In the rare case where you specify both the source and destination ports in the object, the original packet service object contains the real source port/mapped destination port; the translated packet service object contains the mapped source port/real destination port. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The "not equal" (!=) operator is not supported.

Step 8 (Optional) Configure NAT options in the Options area.

Figure 28-22 NAT Options

a. Check the Enable rule check box to enable this NAT rule. The rule is enabled by default.

b. To rewrite the DNS A record in DNS replies, check the Translate DNS replies that match this rule check box.

Be sure DNS inspection is enabled (it is enabled by default). See the "DNS and NAT" section for more information.

c. To make the rule unidirectional, choose Unidirectional from the Direction drop-down list. The default is Both. Making the rule unidirectional prevents traffic from initiating connections to the real addresses. You might want to use this setting for testing purposes.

d. In the Description field, add a description about the rule up to 200 characters in length.

Step 9 Click OK.
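Static twice NAT rules built with Steps 1 through 9 above, shown as the CLI that ASDM generates. This is an added example, not part of the Cisco guide; it works through the Telnet port-translation case from the Note in "Information About Twice NAT" (the server is the rule's source, so the ports belong in the source half of the service objects) and then a combined source-plus-destination static rule. Interface names, object names, addresses and ports are assumptions chosen for illustration.

```text
! Added example, not from the guide. Interface names, object names and
! addresses are assumptions.
!
! (1) Port translation for a server that is the rule's SOURCE (the Telnet
!     case from the Note in Information About Twice NAT). Because the server
!     is the source, the ports go in the SOURCE half of both service objects:
!     original packet object   = real source port 23
!     translated packet object = mapped source port 2323
object network TELNET-SERVER
 host 10.1.1.23
object network TELNET-SERVER-MAPPED
 host 209.165.201.23
object service TELNET-REAL
 service tcp source eq 23
object service TELNET-MAPPED
 service tcp source eq 2323
! Operand order: service <real src / mapped dst> <mapped src / real dst>.
! Static is bidirectional: outside clients reach 209.165.201.23:2323 and the
! ASA untranslates to 10.1.1.23:23; the server's own outbound traffic is
! translated the other way. Both service objects are TCP, as required.
nat (inside,outside) source static TELNET-SERVER TELNET-SERVER-MAPPED service TELNET-REAL TELNET-MAPPED
!
! Same server published on the outside interface address instead of a
! dedicated mapped address (static interface NAT with port translation).
! A service is mandatory with "interface", and the source interface must be
! a specific interface, not --Any--.
! nat (inside,outside) source static TELNET-SERVER interface service TELNET-REAL TELNET-MAPPED
!
! (2) Source AND destination translation in one rule, for two sites that both
!     use 10.1.1.0/24. Inside hosts address the partner as 192.168.200.0/24;
!     the partner sees inside hosts as 192.168.100.0/24. One-to-one, so the
!     real and mapped objects hold the same number of addresses.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network INSIDE-NET-MAPPED
 subnet 192.168.100.0 255.255.255.0
object network PARTNER-NET-REAL
 subnet 10.1.1.0 255.255.255.0
object network PARTNER-NET-MAPPED
 subnet 192.168.200.0 255.255.255.0
! Operand order: source static      <real src>   <mapped src>
!                destination static <mapped dst> <real dst>
nat (inside,outside) source static INSIDE-NET INSIDE-NET-MAPPED destination static PARTNER-NET-MAPPED PARTNER-NET-REAL
!
! (3) Step 8c: "unidirectional" stops the partner from initiating connections
!     to the real inside addresses; only inside-originated flows are translated.
! nat (inside,outside) source static INSIDE-NET INSIDE-NET-MAPPED destination static PARTNER-NET-MAPPED PARTNER-NET-REAL unidirectional
!
! Check the untranslate direction of the Telnet rule with a client on the outside:
! packet-tracer input outside tcp 198.51.100.10 50000 209.165.201.23 2323
!   -> NAT phase should show 209.165.201.23/2323 untranslated to 10.1.1.23/23
```

For the Telnet rule, the same two objects with `destination eq` instead of `source eq` would be wrong: the ASA would then translate the port of whatever the server connects to, not the server's own listening port. Reading the rule from the server's point of view, as the Note says, is what puts the ports on the source side.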


Configuring Identity NAT

This section describes how to configure an identity NAT rule using twice NAT. You configure identity NAT using a static NAT rule where you map an address to itself. For more information about identity NAT, see the "Identity NAT" section.

Detailed Steps

To configure identity NAT, perform the following steps:


Step 1 Choose Configuration > Firewall > NAT Rules, and then click Add.

If you want to add this rule to section 3 after the network object rules, then click the down arrow next to Add, and choose Add NAT Rule After Network Object NAT Rules.

Figure 28-23 Adding a NAT Rule

The Add NAT Rule dialog box appears.

Figure 28-24 Add NAT Rule Dialog Box

Step 2 Set the source and destination interfaces.

By default, both interfaces are set to --Any--.

a. From the Match Criteria: Original Packet > Source Interface drop-down list, choose the source interface.

b. From the Match Criteria: Original Packet > Destination Interface drop-down list, choose the destination interface.

Figure 28-25 Setting the Interfaces

Step 3 Identify the original packet addresses (the real source address and the mapped destination address).

a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group from the Browse Original Source Address dialog box. The default is any; only use this option when also setting the mapped address to any.

Figure 28-26 Browse Dialog Box

You can also create a new named object or group from the Browse Original Source Address dialog box and use this object or group as the real source address.

b. (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button and choose an existing network object or group from the Browse Original Destination Address dialog box.

You can also create a new named object or group from the Browse Original Destination Address dialog box and use this object or group as the real destination address.

Although the main feature of twice NAT is the inclusion of the destination IP address, the destination address is optional. If you do specify the destination address, you can configure static translation for that address or just use identity NAT for it. You might want to configure twice NAT without a destination address to take advantage of some of the other qualities of twice NAT, including the use of network object groups for real addresses, or manual ordering of rules. For more information, see the "Main Differences Between Network Object NAT and Twice NAT" section.

Step 4 (Optional) Identify the original packet source or destination port (the real source port or the mapped destination port). For the Match Criteria: Original Packet > Service, click the browse button and choose an existing TCP or UDP service object from the Browse Original Service dialog box.

You can also create a new service object from the Browse Original Service dialog box and use this object as the real port.

A service object can contain both a source and destination port. You should specify either the source or the destination port for both service objects. You should only specify both the source and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed source ports are rare. In the rare case where you specify both the source and destination ports in the object, the original packet service object contains the real source port/mapped destination port; the translated packet service object contains the mapped source port/real destination port. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The "not equal" (!=) operator is not supported.

Step 5 Choose Static from the Match Criteria: Translated Packet > Source NAT Type drop-down list. Static is the default setting.

This setting only applies to the source address; the destination translation is always static.

Figure 28-27 Setting the NAT Type

Step 6 Identify the translated packet addresses (the mapped source address and the real destination address).

a. For the Match Criteria: Translated Packet > Source Address, click the browse button and choose the same network object or group from the Browse Translated Source Address dialog box that you chose for the real source address. Use any if you specified any for the real address.

b. For the Match Criteria: Translated Packet > Destination Address, click the browse button and choose an existing network object, group, or interface from the Browse Translated Destination Address dialog box.

You can also create a new named object or group from the Browse Translated Destination Address dialog box and use this object or group as the mapped destination address.

For identity NAT for the destination address, simply use the same object or group for both the real and mapped addresses.

If you want to translate the destination address, then the static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see the "Static NAT" section. See the "Guidelines and Limitations" section for information about disallowed mapped IP addresses.

For static interface NAT with port translation only, choose an interface. If you specify an interface, be sure to also configure a service translation. For more information, see the "Static Interface NAT with Port Translation" section.

Step 7 (Optional) Identify the translated packet source or destination port (the mapped source port or the real destination port). For the Match Criteria: Translated Packet > Service, click the browse button and choose an existing TCP or UDP service object from the Browse Translated Service dialog box.

You can also create a new service object from the Browse Translated Service dialog box and use this object as the mapped destination port.

A service object can contain both a source and destination port. You should specify either the source or the destination port for both service objects. You should only specify both the source and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed source ports are rare. In the rare case where you specify both the source and destination ports in the object, the original packet service object contains the real source port/mapped destination port; the translated packet service object contains the mapped source port/real destination port. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The "not equal" (!=) operator is not supported.

Step 8 (Optional) Configure NAT options in the Options area.

Figure 28-28 NAT Options

a. Check the Enable rule check box to enable this NAT rule. The rule is enabled by default.

b. To make the rule unidirectional, choose Unidirectional from the Direction drop-down list. The default is Both. Making the rule unidirectional prevents traffic from initiating connections to the real addresses. You might want to use this setting for testing purposes.

c. In the Description field, add a description about the rule up to 200 characters in length.


Note Although the "Translate DNS replies that match this rule" check box is available (if you do not configure a destination address), this option is not applicable to identity NAT because you are translating the address to itself, so the DNS reply does not need modification. See the "DNS and NAT" section for more information.


Step 9 Click OK.
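The rule built in Steps 4 through 9, expressed in the ASA 8.3 CLI as an added example that is not part of this ASDM guide: every object name, address and interface name below is an assumption, and the comments map each argument to the ASDM field it corresponds to.

```cisco
! Assumed objects: the real source (kept as-is by identity NAT), a DMZ
! server that gets a separate mapped address, and one TCP service object.
object network insideNet
 subnet 10.1.2.0 255.255.255.0
object network dmzServerReal
 host 10.1.3.10
object network dmzServerMapped
 host 192.0.2.10
object service TELNET
 service tcp destination eq 23
! Step 5 / Step 6a: "source static" with the same object as real and
! mapped address is identity NAT for the source.
! Step 6b: "destination static" takes the MAPPED object first, then the
! real one; here the destination really is translated, one-to-one.
! Step 7: the same service object on both sides leaves the port unchanged;
! both sides are TCP, as required (a TCP/UDP mix is rejected).
! Step 8b: "unidirectional" stops the mapped side from initiating
! connections to the real addresses. Step 8c: free-text description.
nat (inside,dmz) source static insideNet insideNet destination static dmzServerMapped dmzServerReal service TELNET TELNET unidirectional description Identity source, static destination, Telnet only
! Check: the rule should appear in section 1 (manual NAT) of the table.
show nat detail
```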


Configuration Examples for Twice NAT

This section includes the following configuration examples:

Different Translation Depending on the Destination (Dynamic PAT)

Different Translation Depending on the Destination Address and Port (Dynamic PAT)

Different Translation Depending on the Destination (Dynamic PAT)

Figure 28-29 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129:port. When the host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130:port.

Figure 28-29 Twice NAT with Different Destination Addresses


Step 1 Add a NAT rule for traffic from the inside network to DMZ network 1:

Figure 28-30 Adding a NAT Rule

By default, the NAT rule is added to the end of section 1. If you want to add a NAT rule to section 3, after the network object NAT rules, choose Add NAT Rule After Network Object NAT Rules.

The Add NAT Rule dialog box appears.

Figure 28-31 Add NAT Rule Dialog Box

Step 2 Set the source and destination interfaces:

Figure 28-32 Setting the Interfaces

Step 3 For the Original Source Address, click the browse button to add a new network object for the inside network in the Browse Original Source Address dialog box.

a. Add the new network object.

Figure 28-33 Adding a New Network Object for the Inside Network

b. Define the inside network addresses, and click OK.

Figure 28-34 Defining the Inside Network Addresses

c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.

Figure 28-35 Choosing the New Network Object

Step 4 For the Original Destination Address, click the browse button to add a new network object for DMZ network 1 in the Browse Original Destination Address dialog box.

a. Add the new network object.

Figure 28-36 Adding a New Network Object for the DMZ Network 1

b. Define the DMZ network 1 addresses, and click OK.

Figure 28-37 Defining the DMZ Network 1 Addresses

c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.

Figure 28-38 Choosing the New Network Object

Step 5 Set the NAT Type to Dynamic PAT (Hide):

Figure 28-39 Setting the NAT Type

Step 6 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box.

a. Add the new network object.

Figure 28-40 Adding a New Network Object for the PAT Address

b. Define the PAT address, and click OK.

Figure 28-41 Defining the PAT Address

c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.

Figure 28-42 Choosing the New Network Object

Step 7 For the Translated Destination Address, type the name of the Original Destination Address (DMZnetwork1) or click the browse button to choose it.

Because you do not want to translate the destination address, you need to configure identity NAT for it by specifying the same address for the Original and Translated destination addresses.

Figure 28-43 Add NAT Rule Dialog Box: Completed

Step 8 Click OK to add the rule to the NAT table.

Step 9 Add a NAT rule for traffic from the inside network to DMZ network 2:

Figure 28-44 Adding a NAT Rule

By default, the NAT rule is added to the end of section 1. If you want to add a NAT rule to section 3, after the network object NAT rules, choose Add NAT Rule After Network Object NAT Rules.

The Add NAT Rule dialog box appears.

Figure 28-45 Add NAT Rule Dialog Box

Step 10 Set the source and destination interfaces:

Figure 28-46 Setting the Interfaces

Step 11 For the Original Source Address, type the name of the inside network object (myInsideNetwork) or click the browse button to choose it.

Step 12 For the Original Destination Address, click the browse button to add a new network object for DMZ network 2 in the Browse Original Destination Address dialog box.

a. Add the new network object.

Figure 28-47 Adding a New Network Object for the DMZ Network 2

b. Define the DMZ network 2 addresses, and click OK.

Figure 28-48 Defining the DMZ Network 2 Addresses

c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.

Figure 28-49 Choosing the New Network Object

Step 13 Set the NAT Type to Dynamic PAT (Hide):

Figure 28-50 Setting the NAT Type

Step 14 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box.

a. Add the new network object.

Figure 28-51 Adding a New Network Object for the PAT Address

b. Define the PAT address, and click OK.

Figure 28-52 Defining the PAT Address

c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.

Figure 28-53 Choosing the New Network Object

Step 15 For the Translated Destination Address, type the name of the Original Destination Address (DMZnetwork2) or click the browse button to choose it.

Because you do not want to translate the destination address, you need to configure identity NAT for it by specifying the same address for the Original and Translated destination addresses.

Figure 28-54 Add NAT Rule Dialog Box: Completed

Step 16 Click OK to add the rule to the NAT table.

Step 17 Click Apply.
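The two rules from Steps 1 through 17 in ASA 8.3 CLI form, added here as an example that is not part of this guide: the object names myInsideNetwork, DMZnetwork1 and DMZnetwork2 and the addresses come from the procedure above; the interface names inside and dmz, the PAT object names and the DMZ subnet masks are assumptions, since the page gives only the two server addresses.

```cisco
! Real source and the two PAT addresses (addresses from Figure 28-29;
! the object names PATaddress1 and PATaddress2 are assumed).
object network myInsideNetwork
 subnet 10.1.2.0 255.255.255.0
object network PATaddress1
 host 209.165.202.129
object network PATaddress2
 host 209.165.202.130
! Destination networks: the /27 subnets are assumed, chosen to contain
! the servers 209.165.201.11 and 209.165.200.225 from the figure.
object network DMZnetwork1
 subnet 209.165.201.0 255.255.255.224
object network DMZnetwork2
 subnet 209.165.200.224 255.255.255.224
! Steps 1-8: dynamic PAT for the source, identity NAT for the destination
! (same object as mapped and real), so only the source is rewritten.
nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1
! Steps 9-16: same real source, a different PAT address for DMZ network 2.
nat (inside,dmz) source dynamic myInsideNetwork PATaddress2 destination static DMZnetwork2 DMZnetwork2
! Check: both rules sit in section 1 and are evaluated in order; trace one
! flow to each server from a constructed inside host (10.1.2.27) and
! confirm the mapped source is .129 for the first and .130 for the second.
show nat detail
packet-tracer input inside tcp 10.1.2.27 11000 209.165.201.11 80
packet-tracer input inside tcp 10.1.2.27 11001 209.165.200.225 80
```

The same trace is available in ASDM under Tools > Packet Tracer, and the NAT phase of its output names the rule that was hit.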


Different Translation Depending on the Destination Address and Port (Dynamic PAT)

Figure 28-55 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for Telnet services, the real address is translated to 209.165.202.129:port. When the host accesses the same server for web services, the real address is translated to 209.165.202.130:port.

Figure 28-55 Twice NAT with Different Destination Ports


Step 1 Add a NAT rule for traffic from the inside network to the Telnet server:

Figure 28-56 Adding a NAT Rule

By default, the NAT rule is added to the end of section 1. If you want to add a NAT rule to section 3, after the network object NAT rules, choose Add NAT Rule After Network Object NAT Rules.

The Add NAT Rule dialog box appears.

Figure 28-57 Add NAT Rule Dialog Box

Step 2 Set the source and destination interfaces:

Figure 28-58 Setting the Interfaces

Step 3 For the Original Source Address, click the browse button to add a new network object for the inside network in the Browse Original Source Address dialog box.

a. Add the new network object.

Figure 28-59 Adding a New Network Object for the Inside Network

b. Define the inside network addresses, and click OK.

Figure 28-60 Defining the Inside Network Addresses

c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.

Figure 28-61 Choosing the New Network Object

Step 4 For the Original Destination Address, click the browse button to add a new network object for the Telnet/Web server in the Browse Original Destination Address dialog box.

a. Add the new network object.

Figure 28-62 Adding a New Network Object for the Telnet/Web Server

b. Define the server address, and click OK.

Figure 28-63 Defining the Server Address

c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.

Figure 28-64 Choosing the New Network Object

Step 5 For the Original Service, click the browse button to add a new service object for Telnet in the Browse Original Service dialog box.

a. Add the new service object.

Figure 28-65 Adding a New Service Object for Telnet

b. Define the protocol and port, and click OK.

Figure 28-66 Defining the Protocol and Port

c. Choose the new service object by double-clicking it. Click OK to return to the NAT configuration.

Figure 28-67 Choosing the New Service Object

Step 6 Set the NAT Type to Dynamic PAT (Hide):

Figure 28-68 Setting the NAT Type

Step 7 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box.

a. Add the new network object.

Figure 28-69 Adding a New Network Object for the PAT Address

b. Define the PAT address, and click OK.

Figure 28-70 Defining the PAT Address

c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.

Figure 28-71 Choosing the New Network Object

Step 8 For the Translated Destination Address, type the name of the Original Destination Address (TelnetWebServer) or click the browse button to choose it.

Because you do not want to translate the destination address, you need to configure identity NAT for it by specifying the same address for the Original and Translated destination addresses.

Figure 28-72 Add NAT Rule Dialog Box: Completed

Step 9 Click OK to add the rule to the NAT table.

Step 10 Add a NAT rule for traffic from the inside network to the web server:

Figure 28-73 Adding a NAT Rule

By default, the NAT rule is added to the end of section 1. If you want to add a NAT rule to section 3, after the network object NAT rules, choose Add NAT Rule After Network Object NAT Rules.

The Add NAT Rule dialog box appears.

Figure 28-74 Add NAT Rule Dialog Box

Step 11 Set the real and mapped interfaces:

Figure 28-75 Setting the Interfaces

Step 12 For the Original Source Address, type the name of the inside network object (myInsideNetwork) or click the browse button to choose it.

Step 13 For the Original Destination Address, type the name of the Telnet/web server network object (TelnetWebServer) or click the browse button to choose it.

Step 14 For the Original Service, click the browse button to add a new service object for HTTP in the Browse Original Service dialog box.

a. Add the new service object.

Figure 28-76 Adding a New Service Object for HTTP

b. Define the protocol and port, and click OK.

Figure 28-77 Defining the Protocol and Port

c. Choose the new service object by double-clicking it. Click OK to return to the NAT configuration.

Figure 28-78 Choosing the New Service Object

Step 15 Set the NAT Type to Dynamic PAT (Hide):

Figure 28-79 Setting the NAT Type

Step 16 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box.

a. Add the new network object.

Figure 28-80 Adding a New Network Object for the PAT Address

b. Define the PAT address, and click OK.

Figure 28-81 Defining the PAT Address

c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.

Figure 28-82 Choosing the New Network Object

Step 17 For the Translated Destination Address, type the name of the Original Destination Address (TelnetWebServer) or click the browse button to choose it.

Because you do not want to translate the destination address, you need to configure identity NAT for it by specifying the same address for the Original and Translated destination addresses.

Figure 28-83 Add NAT Rule Dialog Box: Completed

Step 18 Click OK to add the rule to the NAT table.

Step 19 Click Apply.
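The two port-based rules from Steps 1 through 19 in ASA 8.3 CLI form, added as an example that is not part of this guide: myInsideNetwork, TelnetWebServer and the PAT addresses come from the procedure above, while the interface names, the PAT object names, the service object names and the server address (which the page does not print) are assumptions.

```cisco
object network myInsideNetwork
 subnet 10.1.2.0 255.255.255.0
object network PATaddress1
 host 209.165.202.129
object network PATaddress2
 host 209.165.202.130
! One server for both services; its address is not given on the page, so
! 209.165.201.11 is an assumed placeholder.
object network TelnetWebServer
 host 209.165.201.11
! Step 5 / Step 14: service objects that carry only a destination port,
! which is the normal case (a fixed source port is rare).
object service TELNET
 service tcp destination eq 23
object service HTTP
 service tcp destination eq 80
! "service" is given as real then mapped; the same object on both sides
! keeps the port unchanged, so only the source address/port is translated.
nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static TelnetWebServer TelnetWebServer service TELNET TELNET
nat (inside,dmz) source dynamic myInsideNetwork PATaddress2 destination static TelnetWebServer TelnetWebServer service HTTP HTTP
! Check: both rules match the same source and destination, so the port is
! the only discriminator; each trace (constructed inside host 10.1.2.27)
! should report a different rule and a different mapped address.
packet-tracer input inside tcp 10.1.2.27 11000 209.165.201.11 23
packet-tracer input inside tcp 10.1.2.27 11001 209.165.201.11 80
```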


Feature History for Twice NAT

Table 28-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 28-1 Feature History for Twice NAT

Feature Name | Platform Releases | Feature Information
Twice NAT | 8.3(1) | Twice NAT lets you identify both the source and destination address in a single rule. The following screen was modified: Configuration > Firewall > NAT Rules.