
ASA transparent mode twice nat

ofir-nissim
Level 1

Hi all.

Has anyone done this?

I'm aware of the limitations:

•In transparent mode, you must specify the real and mapped interfaces; you cannot use any.

•In transparent mode, you cannot configure interface PAT, because the transparent mode interfaces do not have IP addresses. You also cannot use the management IP address as a mapped address.

The question is: can it be done?

22 Replies

andrey.dugin
Level 1

Your task is not clear. Could you explain what you want to do?

Julio Carvajal
VIP Alumni

Hello Ofir,

If your question is:

- Is twice NAT supported in transparent mode?

The answer is yes, it is supported; of course you will need to follow the limitations you have described to build the twice NAT properly.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi all

thank you for your posts,

I need to perform bi-directional NAT (source and destination). Will twice NAT be useful to me,

or will simple source and destination NAT be enough?

Hello Ofir,

Twice NAT is the one you are looking for; that one will help you set this NAT rule up.

Please do rate helpful posts.

Regards,

Julio

Hi Julio,

Can you please post a sample configuration for twice NAT in TP mode?

TIA

Hello Ofir,

The configuration of the NAT is the same as in routed mode.

Let's say inside host 10.2.1.2 is going to be NATed on the outside to 2.2.2.2 when it goes to 3.3.3.3.

Here is the configuration to accomplish this:

object network inside-host
 host 10.2.1.2
object network nat-ip
 host 2.2.2.2
object network destination-outside
 host 3.3.3.3
nat (inside,outside) source static inside-host nat-ip destination static destination-outside destination-outside

Hope this helps,

Julio!!

Hi Julio,

And what about the other direction, can it be NATed also?

Hello Ofir,

Yes, it can be done as well; the NAT feature will work the same way except for the limitations you have explained:

•In transparent mode, you must specify the real and mapped interfaces; you cannot use any.

•In transparent mode, you cannot configure interface PAT, because the transparent mode interfaces do not have IP addresses. You also cannot use the management IP address as a mapped address.

Regards,

Do please rate helpful posts.

Julio

Hi Julio,

Do I need to configure an additional NAT rule, or will the ASA maintain the NAT state in both directions?

What if I would like to hide both sides of the ASA using different segments; how will the configuration look?

TIA

Hello Ofir,

Let's say inside host 10.2.1.2 is going to be NATed on the outside to 2.2.2.2 when it goes to 3.3.3.3, which in fact is 10.3.1.2, so you will hide both sides.

Here is the configuration to accomplish this:

object network inside-host
 host 10.2.1.2
object network nat-ip
 host 2.2.2.2
object network destination-outside
 host 3.3.3.3
object network destination-host
 host 10.3.1.2
nat (inside,outside) source static inside-host nat-ip destination static destination-outside destination-host

So when the inside user goes to 3.3.3.3 he will be NATed to 2.2.2.2, and the destination will be NATed to 10.3.1.2 as well.

Is this what you are asking for?

Hi Julio,

Is there a limitation when the 10.2 and 10.3 networks are not directly connected to the ASA?

Is proxy NAT needed for this kind of configuration?

Hello Ofir,

Not at all, you can still do it; the ASA will proxy ARP the global IP address for the inside user. In this example it will proxy ARP 2.2.2.2.

Regards,

Julio

Hi Julio,

I think I missed something.

Using one NAT rule, when the 10.3 network initiates traffic to 2.2.2.2, will it match this NAT rule?

Hello Ofir,

Nope, for 10.3.1.2 the NAT rule will take place as well.

Static is bi-directional.

Regards,

Julio

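To make the two points of this thread concrete, the "hide both sides" twice NAT rule Julio posted and the closing remark that a static rule is bi-directional, here is an added model written for this page. It is not Cisco code and not output from a real ASA: it parses the object/nat lines from the thread, checks a rule against the two transparent-mode limitations quoted above (no `any` interface, no interface PAT or management IP as a mapped address), and then applies the rule to sample flows in both directions. The object names and addresses come from the thread; the management IP 192.0.2.1 and the `any`/`interface` rule used to trigger violations are constructed. Ports, rule ordering across several rules and the ASA's actual packet path are out of scope.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Optional, Tuple

# Constructed sample config: the "hide both sides" example from the thread.
SAMPLE_CONFIG = """
object network inside-host
 host 10.2.1.2
object network nat-ip
 host 2.2.2.2
object network destination-outside
 host 3.3.3.3
object network destination-host
 host 10.3.1.2
nat (inside,outside) source static inside-host nat-ip destination static destination-outside destination-host
"""

# Twice NAT word order: source objects are real then mapped,
# destination objects are mapped then real.
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static "
    r"(?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?: destination static (?P<mapped_dst>\S+) (?P<real_dst>\S+))?$"
)


@dataclass(frozen=True)
class TwiceNat:
    real_if: str
    mapped_if: str
    real_src: str              # object name
    mapped_src: str            # object name, or the keyword "interface" (PAT)
    mapped_dst: Optional[str]  # None when the rule has no destination clause
    real_dst: Optional[str]


@dataclass(frozen=True)
class Flow:
    interface: str  # ingress interface of an input flow, egress of a result
    src: IPv4Address
    dst: IPv4Address


def make_flow(interface: str, src: str, dst: str) -> Flow:
    return Flow(interface, ip_address(src), ip_address(dst))


def parse_config(text: str) -> Tuple[Dict[str, IPv4Address], List[TwiceNat]]:
    """Collect host objects and twice NAT rules from ASA-style config lines."""
    objects: Dict[str, IPv4Address] = {}
    rules: List[TwiceNat] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith("host ") and current:
            objects[current] = ip_address(line.split()[1])
        elif line.startswith("nat "):
            m = NAT_RE.match(line)
            if not m:
                raise ValueError(f"unsupported NAT syntax: {line}")
            rules.append(TwiceNat(**m.groupdict()))
    return objects, rules


def transparent_mode_violations(rule: TwiceNat, objects, mgmt_ip=None) -> List[str]:
    """List the transparent-mode limitations quoted in the thread that a rule breaks."""
    mgmt = ip_address(mgmt_ip) if mgmt_ip else None
    problems = []
    if "any" in (rule.real_if.lower(), rule.mapped_if.lower()):
        problems.append("real and mapped interfaces must be named; 'any' is not allowed")
    if rule.mapped_src == "interface":
        problems.append("interface PAT is not possible; transparent interfaces have no IP")
    for name in (rule.mapped_src, rule.mapped_dst):
        if mgmt is not None and objects.get(name) == mgmt:
            problems.append(f"mapped object {name} uses the management IP {mgmt}")
    return problems


def translate(flow: Flow, rule: TwiceNat, objects) -> Optional[Flow]:
    """Apply one static twice NAT rule; None when the flow does not match.

    Static NAT is bidirectional: the real side is translated real->mapped, and a
    flow arriving on the mapped interface for the mapped addresses is translated
    back without a second rule. Run transparent_mode_violations() first; a PAT
    rule has no object to resolve here.
    """
    real_src, mapped_src = objects[rule.real_src], objects[rule.mapped_src]
    has_dst = rule.mapped_dst is not None
    mapped_dst = objects[rule.mapped_dst] if has_dst else None
    real_dst = objects[rule.real_dst] if has_dst else None
    # Forward: real source going to the mapped destination address.
    if (flow.interface == rule.real_if and flow.src == real_src
            and (not has_dst or flow.dst == mapped_dst)):
        return Flow(rule.mapped_if, mapped_src, real_dst if has_dst else flow.dst)
    # Reverse: the real destination host initiating towards the mapped source.
    if (flow.interface == rule.mapped_if and flow.dst == mapped_src
            and (not has_dst or flow.src == real_dst)):
        return Flow(rule.real_if, mapped_dst if has_dst else flow.src, real_src)
    return None


if __name__ == "__main__":
    objects, rules = parse_config(SAMPLE_CONFIG)
    print("violations:", transparent_mode_violations(rules[0], objects, "192.0.2.1"))
    for f in (make_flow("inside", "10.2.1.2", "3.3.3.3"),
              make_flow("outside", "10.3.1.2", "2.2.2.2")):
        print(f, "->", translate(f, rules[0], objects))
```

Running it shows the forward flow 10.2.1.2 -> 3.3.3.3 leaving outside as 2.2.2.2 -> 10.3.1.2, and the reverse flow 10.3.1.2 -> 2.2.2.2 arriving inside as 3.3.3.3 -> 10.2.1.2, matched by the same single rule. Replacing the destination clause with `destination-outside destination-outside` (Julio's first example) gives a rule that only translates the source while still restricting the match to traffic towards 3.3.3.3.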