Static NAT (Double NAT)

Unanswered Question
Oct 13th, 2009

Hi All,

I have to creat static nat for specific requirement.

Public IP to private ip in the LAN. Setup as follows:

Internet (Public IP) -> Router -> ASA firewall -> Server

* I use private ip range between router internal interface and ASA firewall Out side interface. could you please help on this.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
ohassairi Tue, 10/13/2009 - 02:28

if i understand your requirement you will let only the router do the NAT ?

it is recommanded that the ASA does the NAT.

you can divide your public range using subnetting: you need 2 IPs for the subnet on the external interface of your router and the remaining for the internal one. so the ASA wil have one public IP and can do the NAT.

pradeepadias Tue, 10/13/2009 - 04:22


Than you for the reply. but scenaio is bit different.Let me try to explain it further.

my setup is like this:

Public IP --> router --> Firewall --> server ion the LAN

What is required is:

1. router internal interface and Firewall external (outside) interface has private IP range

2. I am nating public ip which is in the same range as my router external interface IP.

3. at the router public IP will be nated to ip address within the range of router internal interface and ASA outside interface.

4. At the ASA this IP will be again nated to LAN IP (server) again.

Hope this is much clear. I'm ok with STATIC NAT, but got stuck with this.

Again thank you for your time :)



Jon Marshall Tue, 10/13/2009 - 06:04


public IP =

private IP between router and ASA =

server IP =

fa0/1 -> router fa0/0 -> outside ASA inside -> server

router config


int fa0/1

ip nat outside

int fa0/0

ip nat inside

ip nat inside source static

ASA config


static (inside,outside) netmask



This Discussion