Cisco ASA - Twice NAT

Twice NAT allows you to NAT both the source and destination within a single rule.


A scenario where this type of configuration would be required is shown below. To ensure that any traffic originating from the Internet isn't sent back out to its default gateway (asymmetrically routed) the source IP is translated to an IP within the range of the inside segment ( In turn ensuring the return traffic is sent back via the the Cisco ASA.



Within this example we will perform both Static PAT along with Dynamic PAT to ensure that traffic to our SMTP ( server is not asymmetrically routed.

Here are some more details :

  • Static PAT - A static NAT is configured for the real server to a translated address of on port TCP/25 (SMTP).
  • Dynamic PAT - A dynamic PAT is configured which translates all traffic coming in from the outside interface to the source IP address of


Below shows the required syntax.

object network SERVER-
object network SERVER-
object service SMTP-SERVICE
   service tcp destination eq 25
object network PAT-ADDRESS-100
nat (outside,inside) 1 source dynamic any PAT-ADDRESS-100 destination static SERVER- SERVER- service SMTP-SERVICE SMTP-SERVICE

Tags: ASA, TwiceNAT

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of He currently works as an SDN/NFV Solutions Architect and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001