Cisco Systems ASA 5585-X Manual De Usuario

5-25

Cisco ASA Series Firewall CLI Configuration Guide

Chapter 5 Configuring Twice NAT

Configuration Examples for Twice NAT

This section includes the following configuration examples:

•

Different Translation Depending on the Destination (Dynamic PAT), page 5-25

•

Different Translation Depending on the Destination Address and Port (Dynamic PAT), page 5-27

Different Translation Depending on the Destination (Dynamic PAT)

Figure 5-1

shows a host on the 10.1.2.0/24 network accessing two different servers. When the host

accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129:port. When the
host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130:port.

Figure 5-1

Twice NAT with Different Destination Addresses

Step 1

Add a network object for the inside network:

ciscoasa(config)# object network myInsideNetwork

ciscoasa(config-network-object)# subnet 10.1.2.0 255.255.255.0

Step 2

Add a network object for the DMZ network 1:

ciscoasa(config)# object network DMZnetwork1

ciscoasa(config-network-object)# subnet 209.165.201.0 255.255.255.224

Step 3

Add a network object for the PAT address:

ciscoasa(config)# object network PATaddress1

ciscoasa(config-network-object)# host 209.165.202.129

Server 1

209.165.201.11

Server 2

209.165.200.225

DMZ

Inside

10.1.2.27

10.1.2.0/24

209.165.201.0/27

209.165.200.224/27

Translation

209.165.202.129

10.1.2.27

Translation

209.165.202.130

10.1.2.27

Packet

Dest. Address:

209.165.201.11

Packet

Dest. Address:

209.165.200.225