Cisco ASA 5505 Configuration Manual page 578


Chapter 28: Configuring Twice NAT

For static interface NAT with port translation only, choose an interface. If you specify an interface, be sure to also configure a service translation. For more information, see the "Static Interface NAT with Port Translation" section on page 26-5.

Step 7
(Optional) Identify the translated packet source or destination port (the mapped source port or the real destination port). For the Match Criteria: Translated Packet > Service, click the browse button and choose an existing TCP or UDP service object from the Browse Translated Service dialog box.

You can also create a new service object from the Browse Translated Service dialog box and use this object as the mapped destination port.

A service object can contain both a source and destination port. You should specify either the source or the destination port for both service objects. You should only specify both the source and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed source ports are rare. In the rare case where you specify both the source and destination ports in the object, the original packet service object contains the real source port/mapped destination port; the translated packet service object contains the mapped source port/real destination port. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The "not equal" (!=) operator is not supported.

Step 8
(Optional) Configure NAT options in the Options area.

Figure 28-28 NAT Options

a. Check the Enable rule check box to enable this NAT rule. The rule is enabled by default.
b. To make the rule unidirectional, choose Unidirectional from the Direction drop-down list. The default is Both. Making the rule unidirectional prevents traffic from initiating connections to the real addresses. You might want to use this setting for testing purposes.
c. In the Description field, add a description of the rule, up to 200 characters in length.

Note
Although the "Translate DNS replies that match this rule" check box is available (if you do not configure a destination address), this option is not applicable to identity NAT because you are translating the address to itself, so the DNS reply does not need modification. See the "DNS and NAT" section on page 26-21 for more information.

Step 9
Click OK.

Configuration Examples for Twice NAT
This section includes the following configuration examples:

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 28-18
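
The service object rules in Step 7 can be checked mechanically when auditing a NAT rule. The following is an added example, not part of the Cisco guide: it assumes the two service objects are available in ASA CLI form ("object service" stanzas), and all object names and ports in it are constructed sample data.

```python
# Added example: audit one twice NAT rule's service objects against the Step 7 rules.
# Assumption: objects are supplied as ASA CLI "object service" stanzas.
# Every object name and port in SAMPLE is constructed for illustration.
SAMPLE = """\
object service ORIG_SVC
 service tcp destination eq 8080
object service XLATE_SVC
 service tcp destination eq 80
object service XLATE_UDP
 service udp destination eq 80
object service ORIG_NEQ
 service tcp destination neq 23
object service DNS_FIXED
 service udp source eq 53 destination eq 53
"""

def parse_service_objects(text):
    """Map object name -> {'proto', 'source', 'destination'}; a side is (operator, ports) or None."""
    objects, name = {}, None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 3 and tok[:2] == ["object", "service"]:
            name = tok[2]
        elif name and len(tok) >= 2 and tok[0] == "service":
            entry = {"proto": tok[1], "source": None, "destination": None}
            rest = tok[2:]
            while len(rest) >= 3 and rest[0] in ("source", "destination"):
                n = 4 if rest[1] == "range" else 3   # "range" takes two ports
                entry[rest[0]] = (rest[1], tuple(rest[2:n]))
                rest = rest[n:]
            objects[name] = entry
    return objects

def check_pair(objects, original, translated):
    """Return findings for one rule's Original Packet and Translated Packet service objects."""
    findings = []
    for label in dict.fromkeys((original, translated)):   # identity NAT may reuse one object
        obj = objects[label]
        if obj["proto"] not in ("tcp", "udp"):
            findings.append(f"{label}: NAT only supports TCP or UDP")
        for side in ("source", "destination"):
            if obj[side] and obj[side][0] == "neq":
                findings.append(f"{label}: 'not equal' operator on {side} port is not supported")
        if obj["source"] and obj["destination"]:
            findings.append(f"{label}: source and destination both set; confirm a fixed source port")
    if objects[original]["proto"] != objects[translated]["proto"]:
        findings.append(f"{original}/{translated}: protocols differ (must be both TCP or both UDP)")
    return findings

if __name__ == "__main__":
    objs = parse_service_objects(SAMPLE)
    for pair in (("ORIG_SVC", "XLATE_SVC"), ("ORIG_SVC", "XLATE_UDP"), ("ORIG_NEQ", "XLATE_SVC")):
        print(pair, check_pair(objs, *pair) or "ok")
```

An empty result means the pair satisfies the checks implemented here; the fixed-source-port finding is a prompt for review rather than an error, since the guide allows that case for applications such as some DNS servers.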


This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
