View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0007 - ASA 8.3 8.4 Twice NAT

Rating: 
0
No votes yet
Difficulty Level: 
2
Lab Document: 
<Please login to see the content>

The video looks at how to configure Twice NAT on a Cisco ASA 8.3. We go through NAT configuration syntax for different type of NAT scenarios and examine some characteristics specific to Twice NAT.

Twice NAT is one of the two ways of configuring NAT on an ASA starting from version 8.3. The configuration is built around a command 'nat () source objects destination objects' with 'object' being inside the 'nat'. Object and object-group are the main building blocks of Twice NAT, and these are where the 'real' and 'map' IP are defined.
 
Topic includes
  • ASA Static NAT
  • ASA Static PAT
  • ASA Dynamic NAT
  • ASA Dynamic PAT/PAT Pool
  • ASA Destination NAT
  • ASA Identity NAT
Notes:
  • Twice NAT occupies Section 1 and 3 of the NAT table
  • Twice NAT supports both source and destination matching and translation concurrently
  • Twice NAT only allows a single source or source/destination match
  • Twice NAT statement requires manual reordering

VIRL Config File. Courtesy of Katherine McNamara @network-node.com

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

8 comments

can you show us how to configured in GNS3 with your configuration?

Thanks, KT

All of our labs are created on actual hardware so we cannot assist with config on GNS3.

NP...love your video...learning a lots

Thank you for your feedback and we are glad you find our videos useful.

I have q's for u. I followed your step on Static NAT of ranges and the asa did not it in NAT table when I do "sho nat".

ciscoasa(config)# object network MAP_STATIC
ciscoasa(config-network-object)# range 1.1.1.64 1.1.1.67
ciscoasa(config-network-object)# object network MAP_1.1.1.64-67
ciscoasa(config-network-object)# range 192.168.1.2 192.168.1.5
ciscoasa(config-network-object)# nat (inside,outside) static MAP_STATIC ?
ciscoasa(config-network-object)# nat (inside,outside) static MAP_STATIC dns ?
ciscoasa(config-network-object)# sh nat

I got it...I need to enter source before static or dynamic

Genuinely curious.... why did you use dynamic for the dst nat example. For last video you used static in the object nat on the dst nat example. With dynamic, with each subsequent translation a different ip or port is used. In your example, would static dst nat work with the full twice nat syntax? Thanks.

These are merely examples to demonstrate different capabilities of Twice NAT. There is no particular reason why things are done certain way. Whether you use static or dynamic NAT depends on what you are trying to achieve. Usually you can accomplish the same thing with either Identity or Object NAT and it would come down to personal peference. 

Poll

Vote for the Next Video Series