Twice NAT Breakdown
Twice NAT can be a bit intimidating when you first look at it, since the statements are much longer and have more variables. The best way I have found to approach it is to break it down and look at it in chunks. It’s also important to note that Twice NAT requires the use of network and service objects: you can’t use plain numbers for source or destination addresses or for port numbers. Lastly, all Twice NAT statements are added at the global config level.
Command
ASA(config)# nat (original-interface,translated-interface) [line-number|{after-auto [line-number]}] source static|dynamic original-object interface|translated-object [destination static original-destination translated-destination] [service original-service-object translated-service-object] [dns] [unidirectional] [inactive] [description text]
Interfaces
(original-interface,translated-interface)
original-interface – The interface where the object you are applying the NAT to exists.
translated-interface – The interface where you are making your resource available.
The ‘any’ keyword can be used in place of either the original or the translated interface.
Placement
[line-number|{after-auto [line-number]}]
line-number – Optional. If you wish to insert the NAT rule at a specific location, you can do so by giving a line number. If omitted, the rule is appended to the end of section 1.
after-auto [line-number] – Optional. If you want the NAT rule processed in section 3, after object NAT, use the after-auto keyword. If you also specify a line number, the rule is inserted at that position within section 3.
Source address translation
source static|dynamic original-object interface|translated-object
source – Specifies that the following parameters modify the source address of a packet during translation.
static|dynamic – Simply notes whether you’re performing a static or a dynamic NAT.
original-object – This object identifies the source address or network we want to translate.
interface|translated-object – Here is where we specify what we want our source address or network to be after translation: either the interface address of the translated interface or an object.
Destination address translation
[destination static original-destination translated-destination]
destination – Specifies that the following parameters modify the destination address of a packet during translation.
static – The only option here. Tells the ASA we are doing a static translation on the destination address.
original-destination – This is where we identify the original destination address of a packet. Unless a packet’s destination address matches what is specified here, the rule won’t apply.
translated-destination – Here we can change the destination address of a packet to something else.
Port translations
[service original-service-object translated-service-object]
service – Specifies that the following parameters modify the source and/or destination port numbers of a packet during translation.
original-service-object – This is the service object that identifies the original source and/or destination ports of a packet. Unless a packet has the source and/or destination ports noted in this service object, the rule won’t apply.
translated-service-object – This is where we can change the source and/or destination ports of a packet.
Optional flags
[dns] [unidirectional] [inactive] [description {text}]
dns – Flags the rule for DNS rewrites. Can only be used on static one-to-one NAT.
unidirectional – NAT is by nature a two-way process, but with this flag a translation can be forced to work in a single direction only.
inactive – This flag prevents a rule from being used even though it is present in the configuration.
description {text} – Lets us add a short description to a rule.
Like Object NAT, it’s not a perfect system and it certainly has its fair share of annoyances, like not being able to use raw numbers for addresses or ports. The biggest gotcha I found with Twice NAT is that service objects can have both source and destination ports defined. It’s entirely possible to make rules that will never match any traffic, and a simple ‘show run nat’ won’t display the contents of the objects, so this is very easy to overlook when troubleshooting a NAT issue. Overall though I think it’s a great system. It could use a few improvements for sure, but that’s true of anything.
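The statement assembled from the chunks above, together with the service-object gotcha, as an added example that is not from the original post. Interface names, object names and addresses are constructed for illustration.

```text
! Added example (constructed); interface names, objects and addresses are assumptions.
! Scenario: inside hosts reach a partner server through a "virtual" address 192.0.2.80
! on tcp/8080. The ASA must present them as 192.0.2.5, send the packets to the real
! partner address 198.51.100.80, and rewrite the port to tcp/80.

! Twice NAT will not accept bare addresses or ports, so build the objects first.
object network INSIDE_NET
 subnet 10.2.2.0 255.255.255.0
object network INSIDE_MAPPED
 host 192.0.2.5
object network PARTNER_VIP
 host 192.0.2.80
object network PARTNER_REAL
 host 198.51.100.80
object service PARTNER_8080
 service tcp destination eq 8080
object service PARTNER_80
 service tcp destination eq 80

! The statement, chunk by chunk (entered at global config):
!   (inside,outside)                             original / translated interface
!   source static INSIDE_NET INSIDE_MAPPED       10.2.2.0/24 appears as 192.0.2.5
!   destination static PARTNER_VIP PARTNER_REAL  192.0.2.80 becomes 198.51.100.80
!   service PARTNER_8080 PARTNER_80              tcp/8080 becomes tcp/80
!   description ...                              free text
nat (inside,outside) source static INSIDE_NET INSIDE_MAPPED destination static PARTNER_VIP PARTNER_REAL service PARTNER_8080 PARTNER_80 description Partner portal via VIP

! The gotcha from the post: a service object that pins BOTH the source and the
! destination port only matches packets whose ephemeral source port happens to be
! 1024, so a rule built on it will almost never fire, and 'show run nat' gives no hint.
object service BROKEN_SVC
 service tcp source eq 1024 destination eq 8080

! Checks: expand the objects behind each rule and watch the hit counters.
show running-config object
show nat detail
```

If the translate_hits counter for a rule stays at zero while traffic is flowing, compare the expanded service object in the output with what the packets actually carry.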