Cisco FirePOWER ASA 5500 series Configuration Manual page 311

Security appliance command line

Chapter 17
Applying NAT
Figure 17-18
See the following commands for this example:
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (inside) 1 10.1.2.30-10.1.2.40
When you specify a group of IP addresses in a nat command, you must perform NAT on that group of
addresses when they access any lower or same security level interface: you must apply a global
command with the same NAT ID on each interface, or use a static command. NAT is not required for
that group when it accesses a higher security interface, because to perform NAT from outside to inside,
you must create a separate nat command using the outside keyword. If you do apply outside NAT, then
the preceding NAT requirements come into effect for that group of addresses when they access all higher
security interfaces. Traffic identified by a static command is not affected.
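The rule above can be checked mechanically before a configuration is deployed. The following audit script is an added example, not part of the Cisco guide: it parses only the nat and global forms shown on this page and reports every nat statement that lacks a global with the same NAT ID on an interface where the rule requires one. The security levels in LEVELS and the function name missing_globals are assumptions made for the example.

```python
import re

# Assumed security levels (not stated on the page): the usual inside/outside
# defaults and a mid-level value for the DMZ.
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

# The five commands from the example above, inside pool written as a plain range.
CONFIG = """\
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
nat (dmz) 1 10.1.1.0 255.255.255.0
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
global (outside) 1 209.165.201.3-209.165.201.4
global (inside) 1 10.1.2.30-10.1.2.40
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)( outside)?\s*$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) \S+")


def missing_globals(config, levels):
    """Return sorted (nat_ifc, nat_id, direction, target_ifc) tuples lacking a global."""
    nats, pools = [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), bool(m.group(5))))
        elif m := GLOBAL_RE.match(line):
            pools.add((m.group(1), int(m.group(2))))
        # static lines are skipped: traffic identified by static is not affected
    gaps = set()
    for ifc, nat_id, outside in nats:
        if nat_id == 0:
            continue  # NAT ID 0 (identity NAT / exemption) uses no global pool
        for target, level in levels.items():
            if target == ifc:
                continue
            # Outside NAT applies toward higher-security interfaces;
            # ordinary NAT toward lower or same security level interfaces.
            applies = level > levels[ifc] if outside else level <= levels[ifc]
            if applies and (target, nat_id) not in pools:
                gaps.add((ifc, nat_id, "outside" if outside else "inside", target))
    return sorted(gaps)


if __name__ == "__main__":
    for gap in missing_globals(CONFIG, LEVELS):
        print("nat (%s) %d [%s NAT] has no global on %s" % gap)
```

Because a static command covers only the hosts it names, a gap reported here still needs review against any static statements before it is treated as an error.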
OL-10088-01
Outside NAT and Inside NAT Combined (figure not reproduced). Labels: Outside, Global 1: 209.165.201.3-209.165.201.10; DMZ, Outside NAT 1: 10.1.1.0/24 and NAT 1: 10.1.1.0/24; Inside, Global 1: 10.1.2.30-10.1.2.40 and Static to DMZ: 10.1.2.27; Translation: 10.1.1.15 to 209.165.201.4; Translation: 10.1.1.15 to 10.1.2.30; Undo Translation: 10.1.1.5 to 10.1.2.27.
Cisco Security Appliance Command Line Configuration Guide
Using Dynamic NAT and PAT
17-21
This manual is also suitable for: Pix 500 series, Cisco ASA 5500 series