Twice NAT due to asymmetric routing

I have a business requirement that has traffic for an application going through firewall A and web traffic through firewall B. Due to specialized routing needs for this application, if a user outside the network tries to access our public facing web servers we end up with the traffic entering firewall B and leaving firewall A, so asymmetric routing.


What I would like to do is bring in all traffic coming from (outside) destined for (NATed to inside) and NAT it to those external address to


I think that this is a twice NAT but haven't been able to follow the Cisco examples as they are taking an internal host and NATing it outbound; I'm looking to do the reverse.

You did not mention the software version of your ASA. Twice NAT is easier and more common on the 8.3+ software levels.


So if I understood correctly the internal server should be NATed to from the real IP address and the external source subnet should be NATed to when connecting to the mentioned NAT IP address of


If so then the configuration in 8.3+ format could be


object network SERVER-REAL


object network SERVER-MAPPED


object network EXT-SUBNET-REAL


object network EXT-SUBNET-MAPPED


nat (inside,outside) source static SERVER-REAL SERVER-MAPPED destination static EXT-SUBNET-MAPPED EXT-SUBNET-REAL


Naturally the above "object" names are more meant to give you an idea of what purpose they hold. A better naming policy could surely be used. :)


The above NAT configuration would do a 1:1 Static NAT for the source addresses as the real and mapped subnet are of equal size. You could change this to Dynamic PAT if the actual situation holds different size subnets.


Hope this helps :)


- Jouni
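As an added illustration (not part of the thread or of Cisco's documentation), the Python below models the twice NAT rule in Jouni's answer and shows which addresses change for an inbound connection from the outside and for the server's reply. All prefixes are constructed documentation-range values standing in for the objects SERVER-REAL, SERVER-MAPPED, EXT-SUBNET-REAL and EXT-SUBNET-MAPPED.

```python
import ipaddress

# Constructed sample objects (documentation ranges, not the poster's addresses).
SERVER_REAL = ipaddress.ip_network("10.1.1.10/32")
SERVER_MAPPED = ipaddress.ip_network("198.51.100.10/32")
EXT_SUBNET_REAL = ipaddress.ip_network("203.0.113.0/24")
EXT_SUBNET_MAPPED = ipaddress.ip_network("192.0.2.0/24")


def static_map(addr, real, mapped):
    """1:1 static NAT of one address: keep the host offset, swap the prefix.

    As the answer notes, real and mapped objects must be of equal size for a
    1:1 static rule; a size mismatch would call for dynamic PAT instead.
    """
    if real.num_addresses != mapped.num_addresses:
        raise ValueError("real/mapped objects differ in size; use dynamic PAT")
    addr = ipaddress.ip_address(addr)
    if addr not in real:
        return addr  # not covered by this object: left untouched
    offset = int(addr) - int(real.network_address)
    return mapped.network_address + offset


def twice_nat(src, dst, direction):
    """Apply the rule 'nat (inside,outside) source static SERVER-REAL
    SERVER-MAPPED destination static EXT-SUBNET-MAPPED EXT-SUBNET-REAL'.

    inside->outside: source SERVER-REAL -> SERVER-MAPPED and
                     destination EXT-SUBNET-MAPPED -> EXT-SUBNET-REAL.
    outside->inside: the static rule is bidirectional, so an external
                     client hitting the public address has its source
                     rewritten to EXT-SUBNET-MAPPED and the destination
                     un-NATed to SERVER-REAL, which is what pins the return
                     path to this firewall. Returns (src, dst) as strings.
    """
    if direction == "inside->outside":
        new_src = static_map(src, SERVER_REAL, SERVER_MAPPED)
        new_dst = static_map(dst, EXT_SUBNET_MAPPED, EXT_SUBNET_REAL)
    elif direction == "outside->inside":
        new_src = static_map(src, EXT_SUBNET_REAL, EXT_SUBNET_MAPPED)
        new_dst = static_map(dst, SERVER_MAPPED, SERVER_REAL)
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return str(new_src), str(new_dst)


if __name__ == "__main__":
    # External client connects to the public (mapped) server address.
    print(twice_nat("203.0.113.77", "198.51.100.10", "outside->inside"))
    # The server's reply to the mapped client address is translated back.
    print(twice_nat("10.1.1.10", "192.0.2.77", "inside->outside"))
```

The server only ever sees the mapped client address, so its replies are routed to the firewall that owns that subnet rather than following the original asymmetric path.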

We are currently running 8.4

We are currently running 8.4.2, this head cold is preventing me from remembering vital details today.

In that case your ASA should support the above configuration format.


Naturally I don't know what the interfaces are called on your ASA. Also I personally like to look at the big picture especially when doing any special NAT configurations. Just so that I don't mess anything up :)


- Jouni

