Cisco ASA 5505 Configuration Manual page 570

Asa 5500 series

Chapter 28 Configuring Twice NAT
Configuring Twice NAT

Note
You can share this mapped object across different dynamic PAT rules, if desired.

b. For the Match Criteria: Translated Packet > Destination Address, click the browse button and choose an existing network object or group from the Browse Translated Destination Address dialog box.

You can also create a new named object or group from the Browse Translated Destination Address dialog box and use this object or group as the mapped destination address.

For identity NAT for the destination address, simply use the same object or group for both the real and mapped addresses.

If you want to translate the destination address, then the static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see the "Static NAT" section on page 26-3. See the "Guidelines and Limitations" section on page 28-2 for information about disallowed mapped IP addresses.

For static interface NAT with port translation only, choose an interface. If you specify an interface, be sure to also configure a service translation. For this option, you must configure a specific interface for the Source Interface. See the "Static Interface NAT with Port Translation" section on page 26-5 for more information.

Step 7 (Optional) Identify the translated packet port (the real destination port). For the Match Criteria: Translated Packet > Service, click the browse button and choose an existing TCP or UDP service object from the Browse Translated Service dialog box.

You can also create a new service object from the Browse Translated Service dialog box and use this object as the mapped destination port.

Dynamic PAT does not support additional port translation. However, because the destination translation is always static, you can perform port translation for the destination port. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The "not equal" (!=) operator is not supported.

Step 8 (Optional) Configure NAT options in the Options area.

Figure 28-15 NAT Options

a. Check the Enable rule check box to enable this NAT rule. The rule is enabled by default.

b. (For a source-only rule) To rewrite the DNS A record in DNS replies, check the Translate DNS replies that match this rule check box.

Cisco ASA 5500 Series Configuration Guide using ASDM
28-10
OL-20339-01
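The service-object rules stated under Step 7 can be checked before a rule is entered in ASDM. The following is an added example, not code from the Cisco guide: the ServiceObject class, the check_service_pair function and all sample objects are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ServiceObject:
    """Hypothetical model of an ASA service object (not an ASDM or Cisco API)."""
    name: str
    protocol: str                   # "tcp", "udp", "icmp", ...
    dst_op: str = "eq"              # "eq", "neq", "lt", "gt" or "range"
    dst_port: str = ""
    src_port: Optional[str] = None  # optional source port in the same object


def check_service_pair(real: ServiceObject,
                       mapped: ServiceObject) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the real/mapped service objects of one rule."""
    errors: List[str] = []
    warnings: List[str] = []
    for role, svc in (("real", real), ("mapped", mapped)):
        if svc.protocol.lower() not in ("tcp", "udp"):
            errors.append(f"{role} {svc.name}: NAT only supports TCP or UDP")
        if svc.dst_op.lower() == "neq":
            errors.append(f"{role} {svc.name}: 'not equal' (!=) is not supported")
        if svc.src_port is not None:
            # Only the destination port is used here; flag it so the author
            # does not assume the source port narrows what the rule matches.
            warnings.append(f"{role} {svc.name}: source port {svc.src_port} is ignored")
    if real.protocol.lower() != mapped.protocol.lower():
        errors.append(f"{real.name}/{mapped.name}: protocols differ "
                      f"({real.protocol} vs {mapped.protocol})")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample objects, not taken from the guide.
    pairs = [
        (ServiceObject("WEB-8080", "tcp", "eq", "8080"),
         ServiceObject("WEB-80", "tcp", "eq", "80")),
        (ServiceObject("DNS-TCP", "tcp", "eq", "53"),
         ServiceObject("DNS-UDP", "udp", "neq", "53", src_port="1024")),
    ]
    for real, mapped in pairs:
        errs, warns = check_service_pair(real, mapped)
        print(real.name, "->", mapped.name, "| errors:", errs, "| warnings:", warns)
```

The source-port warning matters for review: a rule author who expects the source port to restrict the match ends up with a broader translation than intended.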


This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
