Cisco ASA 5505 Configuration Manual page 577
Chapter 28 Configuring Twice NAT

You can also create a new named object or group from the Browse Original Destination Address dialog box and use this object or group as the real destination address.

Although the main feature of twice NAT is the inclusion of the destination IP address, the destination address is optional. If you do specify the destination address, you can configure static translation for that address or just use identity NAT for it. You might want to configure twice NAT without a destination address to take advantage of some of the other qualities of twice NAT, including the use of network object groups for real addresses, or manual ordering of rules. For more information, see the "Main Differences Between Network Object NAT and Twice NAT" section on page 26-3.

Step 4 (Optional) Identify the original packet source or destination port (the real source port or the mapped destination port). For the Match Criteria: Original Packet > Service, click the browse button and choose an existing TCP or UDP service object from the Browse Original Service dialog box.

You can also create a new service object from the Browse Original Service dialog box and use this object as the real destination port.

A service object can contain both a source and destination port. You should specify either the source or the destination port for both service objects. Specify both the source and destination ports only if your application uses a fixed source port (such as some DNS servers); fixed source ports are rare. In the rare case where you specify both the source and destination ports in the object, the original packet service object contains the real source port/mapped destination port; the translated packet service object contains the mapped source port/real destination port. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The "not equal" (!=) operator is not supported.

Step 5 Choose Static from the Match Criteria: Translated Packet > Source NAT Type drop-down list. Static is the default setting.

This setting only applies to the source address; the destination translation is always static.

Figure 28-27 Setting the NAT Type

Step 6 Identify the translated packet addresses (the mapped source address and the real destination address).

a. For the Match Criteria: Translated Packet > Source Address, click the browse button and choose the same network object or group from the Browse Translated Source Address dialog box that you chose for the real source address. Use any if you specified any for the real address.

b. For the Match Criteria: Translated Packet > Destination Address, click the browse button and choose an existing network object, group, or interface from the Browse Translated Destination Address dialog box.

You can also create a new named object or group from the Browse Translated Destination Address dialog box and use this object or group as the mapped destination address.

For identity NAT for the destination address, simply use the same object or group for both the real and mapped addresses.

If you want to translate the destination address, then the static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see the "Static NAT" section on page 26-15. See the "Guidelines and Limitations" section on page 28-2 for information about disallowed mapped IP addresses.

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 28-17
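As an added illustration that is not part of the guide, the ASA CLI equivalent of the identity twice NAT rule that Steps 4 through 6 build in ASDM, with the real/mapped ordering of the service objects made explicit; the object names, interface names and addresses are assumed placeholders.

```cisco
! Constructed example (not from the guide): CLI form of the ASDM rule from
! Steps 4-6. Object and interface names are assumptions; 10.1.1.0/24,
! 198.51.100.0/24 and 192.0.2.0/24 are placeholder ranges.

! Real source address; for identity NAT it is also the mapped source (Step 6a).
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0

! Mapped destination as it appears in the original packet ...
object network PARTNER_MAPPED
 subnet 198.51.100.0 255.255.255.0
! ... and the real destination it is translated to (Step 6b).
! Same subnet size, so the static mapping is one-to-one.
object network PARTNER_REAL
 subnet 192.0.2.0 255.255.255.0

! Step 4: the original-packet service object carries the real source port /
! mapped destination port; the translated-packet object carries the mapped
! source port / real destination port. Only the destination port is set here
! (the usual case), and both objects are TCP, as the guide requires.
object service HTTPS_MAPPED
 service tcp destination eq 8443
object service HTTPS_REAL
 service tcp destination eq 443

! The twice NAT rule. Source: identity NAT, same object twice (Step 6a).
! Destination: static translation, the only type allowed (Steps 5 and 6b).
! Original-packet objects come first, translated-packet objects second.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static PARTNER_MAPPED PARTNER_REAL service HTTPS_MAPPED HTTPS_REAL

! Check that traffic matches the intended rule and not an earlier one:
! show nat detail
```

The translate_hits and untranslate_hits counters in `show nat detail` confirm whether connections are hitting this rule or an earlier rule in the manually ordered twice NAT table.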
