Cisco Support Community
New Member

Redoing firewall NAT


I have an ASA5520 that was the core firewall for inside and outside, default gateway, etc.

My internal addresses are - broken into /24s.

My public internet address

I have quite a few network object NATs:

object network www


nat (dmzrp,any) static service tcp 10001 https

So dmzrp is where I have my reverse proxies.

I also have this at the top of the list:

nat (any,any) source static inside-net inside-net destination static inside-net inside-net no-proxy-arp

object network inside-net


Now I am in the process of moving to another router for my core routing, so a lot of VLAN IP networks are moving off the ASA5520.

I have an interface called MAN; it connects to a shared network where I run OSPF, and I have my new router connected there.

So when I try to connect to the www address above, the forward packet gets to, but the source address is, which routes back to the original server without going via the ASA5520 to un-NAT it, so it fails.

So I presume I need to twice NAT?

I was going to do something like:

object network in_nat_src

  host 1.2.3.13

object-group network public-network


nat (internet,man) source dynamic inside-net in_nat_src destination static public-network public-network no-proxy-arp

nat (any,any) source static inside-net inside-net destination static inside-net inside-net no-proxy-arp

I don't really have an ASA to test on, but my presumption is that this will set my src address and then the object network NAT will then work; from my reading, that NAT is stage 1 and object network NAT is stage 2.

New Member

Redoing firewall NAT


Found this:

Order of NAT Rules.

Network object NAT—Automatically ordered in the NAT table.

Twice NAT—Manually ordered in the NAT table (before or after network object NAT rules).

I have a network object NAT rule:

object network


nat (dmzrp,any) static service tcp 10001 https

What I want is: anyone that comes from interface man that goes to, needs to be src NATted, then I want the above rule to kick in.

Not sure how I am going to do this.
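The following is an added example of how a practitioner would write this, not configuration from the original post. Every address in it is a placeholder from the documentation ranges: 203.0.113.10 stands in for the public www address, 10.10.10.5 for the reverse proxy's real address in dmzrp, 192.0.2.13 for the mapped source (the post's 1.2.3.13), and 10.0.0.0/8 for inside-net; it also assumes the request enters the ASA on man and leaves on dmzrp. The reason for a single rule rather than the "stage 1 / stage 2" pair: the ASA matches exactly one NAT rule per connection, searching Section 1 (manual twice NAT) first, then Section 2 (network object NAT), then Section 3 (after-auto twice NAT). Once a Section 1 rule matches a flow, Section 2 is not consulted for it, so a source-only twice NAT rule followed by the object NAT rule would not chain. One twice NAT rule that translates source, destination and destination port together does what the post asks for:

```cisco
! Added example, not the original poster's configuration. All addresses are placeholders.
object network inside-net
 subnet 10.0.0.0 255.0.0.0
!
object network www_public
 host 203.0.113.10
!
! Mapped source for man -> dmzrp traffic. A single host object makes this dynamic PAT.
! 192.0.2.13 must be reachable from dmzrp via the ASA (in dmzrp's subnet, or routed to it),
! otherwise the reply takes the same shortcut back to the client and the flow still fails.
object network in_nat_src
 host 192.0.2.13
!
! Destination port: clients send to 443 (mapped), the proxy listens on 10001 (real).
object service www_mapped_svc
 service tcp destination eq https
!
object service www_real_svc
 service tcp destination eq 10001
!
! Real address of the reverse proxy; the existing Section 2 object NAT stays on it and
! keeps serving internet -> www the way it does today.
object network www
 host 10.10.10.5
 nat (dmzrp,any) static 203.0.113.10 service tcp 10001 https
!
! Section 1, in order. The identity rule for inside-to-inside traffic stays on top; it
! does not match the flow below because the destination is the public address, not inside-net.
nat (any,any) source static inside-net inside-net destination static inside-net inside-net no-proxy-arp
!
! Syntax: (real_ifc,mapped_ifc) source dynamic REAL MAPPED destination static MAPPED REAL service MAPPED REAL
! Source becomes 192.0.2.13, destination 203.0.113.10:443 becomes 10.10.10.5:10001, in one rule.
! Because the proxy now sees 192.0.2.13 as the client, its reply is routed back through the
! ASA and un-NATted there instead of going straight to the original server.
nat (man,dmzrp) source dynamic inside-net in_nat_src destination static www_public www service www_mapped_svc www_real_svc
```

Without a spare ASA, the cheapest check is the built-in simulator: `packet-tracer input man tcp 10.1.1.50 40000 203.0.113.10 443` (placeholder client address) should show the NAT phase picking the twice NAT rule and an output interface of dmzrp with the translated source and destination, and `show nat detail` lists which section and line each rule landed in so you can confirm the identity rule sits above it.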
