fir3net

Cisco ASA - Twice NAT

Twice NAT allows you to NAT both the source and destination within a single rule.

Scenario

A scenario where this type of configuration would be required is shown below. To ensure that traffic originating from the Internet is not sent back out via the server's default gateway (asymmetric routing), the source IP is translated to an IP within the range of the inside segment (192.168.100.0/24). This ensures that the return traffic is sent back via the Cisco ASA.

 

Example

Within this example we will configure both Static PAT and Dynamic PAT to ensure that traffic to our SMTP server (192.168.100.200) is not asymmetrically routed.

Here are some more details:

  • Static PAT - A static NAT is configured for the real server 192.168.100.200 to a translated address of 33.33.33.33 on port TCP/25 (SMTP).
  • Dynamic PAT - A dynamic PAT is configured which translates the source IP address of all traffic arriving on the outside interface to 192.168.100.100.

Syntax

The required syntax is shown below.

object network SERVER-33.33.33.33
   host 33.33.33.33
object network SERVER-192.168.100.200
   host 192.168.100.200
object service SMTP-SERVICE
   service tcp destination eq 25
object network PAT-ADDRESS-100
   host 192.168.100.100
 
nat (outside,inside) 1 source dynamic any PAT-ADDRESS-100 destination static SERVER-33.33.33.33 SERVER-192.168.100.200 service SMTP-SERVICE SMTP-SERVICE
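
To see what the rule above does to a flow, here is an added Python model (not ASA code, and not from the original article): it parses the objects and the twice NAT line into their real/mapped halves, applies them to a constructed inbound SMTP connection, and checks that the translated source lands in the 192.168.100.0/24 segment so the server's reply goes on-link to the ASA rather than to its default gateway. The source port chosen by dynamic PAT is left out because the ASA allocates it.

```python
import ipaddress
import re

# Constructed copy of the page's objects and twice NAT line, used as sample input.
ASA_CONFIG = """
object network SERVER-33.33.33.33
   host 33.33.33.33
object network SERVER-192.168.100.200
   host 192.168.100.200
object service SMTP-SERVICE
   service tcp destination eq 25
object network PAT-ADDRESS-100
   host 192.168.100.100
nat (outside,inside) 1 source dynamic any PAT-ADDRESS-100 destination static SERVER-33.33.33.33 SERVER-192.168.100.200 service SMTP-SERVICE SMTP-SERVICE
"""

# nat (real_ifc,mapped_ifc) N source dynamic REAL MAPPED destination static MAPPED REAL [service MAPPED REAL]
NAT_LINE = re.compile(
    r"nat \((\S+),(\S+)\) \d+ source dynamic (\S+) (\S+) "
    r"destination static (\S+) (\S+)(?: service (\S+) (\S+))?")

def parse_objects(cfg):
    """Map each object name to its host address or its TCP destination port."""
    objs, name = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object (?:network|service) (\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s+(?:host (\S+)|service tcp destination eq (\d+))", line)
        if m and name:
            objs[name] = m.group(1) or int(m.group(2))
    return objs

def twice_nat(cfg, dst_ip, dst_port):
    """Translate a TCP flow arriving on the real (outside) interface.
    Returns (mapped_src_ip, real_dst_ip, real_dst_port), or None when the rule
    does not match. The PAT source port is omitted: the ASA allocates it."""
    objs = parse_objects(cfg)
    g = NAT_LINE.search(cfg).groups()
    src_mapped, dst_mapped, dst_real, svc_mapped, svc_real = g[3:]
    # 'any' matches every real source; the destination must hit the mapped object and port.
    if dst_ip != objs[dst_mapped] or (svc_mapped and dst_port != objs[svc_mapped]):
        return None
    return objs[src_mapped], objs[dst_real], objs[svc_real] if svc_real else dst_port

def on_inside_segment(ip, segment="192.168.100.0/24"):
    """True when the translated source lies in the server's own segment, so the
    server answers on-link (to the ASA) instead of via its default gateway."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(segment)
```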

Tags: ASA, TwiceNAT

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001