Static and Dynamic NAT are based on the principle of translating a packet’s source address from a real inside address to a mapped outside address.
For example, in a basic set-up with a server on the inside of a firewall that has a real private address of 10.1.1.201, you can use NAT to translate the source address of the packet, as it travels outbound, to a mapped outside public address. It is important to note, however, that the destination address is not changed.
For example, a server on the inside of the firewall might use Google for DNS, in which case the destination address of 8.8.8.8/8.8.4.4 is not translated as the packet travels outbound.
“Twice NAT” enables you to change both the source and destination addresses. Let’s suppose all the hosts on your network are statically configured to use Google’s DNS, but to improve security you want to use Cisco’s OpenDNS instead.
One method of doing this is to use a firewall to translate the destination address to a new one.
In this example, the destination would need to be translated as follows:
(Google DNS1) 8.8.8.8 > 208.67.222.123 (Cisco OpenDNS1)
(Google DNS2) 8.8.4.4 > 208.67.220.123 (Cisco OpenDNS2)
Configuring Twice NAT
Consider the following diagram:

In this scenario, the host 10.1.1.201 queries Google’s DNS, but the firewall translates this to Cisco’s OpenDNS.
To configure this, first create the objects for the inside host:
asa1(config)# object network host1-real
asa1(config-network-object)# host 10.1.1.201
asa1(config)# object network host1-mapped
asa1(config-network-object)# host 192.168.0.250
Next, create the objects for the destination hosts. Note that the real address is not the actual IP of the destination (i.e. 8.8.8.8/8.8.4.4) but instead the translated IP (i.e. 208.67.222.123/208.67.220.123). Think of it in terms of the following diagram:

asa1(config)# object network google1-real
asa1(config-network-object)# host 208.67.222.123
asa1(config)# object network google1-mapped
asa1(config-network-object)# host 8.8.8.8
asa1(config)# object network google2-real
asa1(config-network-object)# host 208.67.220.123
asa1(config)# object network google2-mapped
asa1(config-network-object)# host 8.8.4.4
Next, apply the Twice NAT configuration:
asa1(config)# nat (inside,outside) source static host1-real host1-mapped destination static google1-mapped google1-real
asa1(config)# nat (inside,outside) source static host1-real host1-mapped destination static google2-mapped google2-real
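To make the real/mapped naming in the two nat statements concrete, here is a small model of how the ASA applies them, written for this article as an added example (it is not Cisco code and does not reproduce the ASA's full NAT engine). The object names and addresses are the ones configured above; the Packet and TwiceNatRule types and the translate/untranslate functions are this example's own constructions. It shows the outbound rewrite of both addresses, the reverse rewrite of the return packet, and that a packet to an unrelated destination is left alone.

```python
"""Model of the Twice NAT rules configured on asa1 (added example, not Cisco code)."""
from dataclasses import dataclass, replace

# Network objects exactly as defined on asa1: object name -> host address.
OBJECTS = {
    "host1-real": "10.1.1.201",
    "host1-mapped": "192.168.0.250",
    "google1-real": "208.67.222.123",   # the address the query really goes to
    "google1-mapped": "8.8.8.8",        # the address the inside host thinks it sends to
    "google2-real": "208.67.220.123",
    "google2-mapped": "8.8.4.4",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # interface the packet arrived on ("inside" or "outside")


@dataclass(frozen=True)
class TwiceNatRule:
    """nat (real_if,mapped_if) source static SRC_REAL SRC_MAPPED
                                destination static DST_MAPPED DST_REAL"""
    real_if: str
    mapped_if: str
    src_real: str
    src_mapped: str
    dst_mapped: str
    dst_real: str


# The two manual NAT policies from the configuration, in order (first match wins).
RULES = [
    TwiceNatRule("inside", "outside", "host1-real", "host1-mapped", "google1-mapped", "google1-real"),
    TwiceNatRule("inside", "outside", "host1-real", "host1-mapped", "google2-mapped", "google2-real"),
]


def addr(obj_name: str) -> str:
    return OBJECTS[obj_name]


def translate(pkt: Packet, rules=RULES):
    """Outbound direction: the packet enters on the real interface carrying the
    real source and the *mapped* destination (what the host actually sent to).
    Both addresses are rewritten. Returns (packet, matched_rule_or_None)."""
    for r in rules:
        if (pkt.ingress == r.real_if
                and pkt.src == addr(r.src_real)
                and pkt.dst == addr(r.dst_mapped)):
            return replace(pkt, src=addr(r.src_mapped), dst=addr(r.dst_real)), r
    return pkt, None


def untranslate(pkt: Packet, rules=RULES):
    """Return direction: the reply enters on the mapped interface from the real
    destination address toward the mapped source address; both rewrites are undone
    so the inside host sees a reply from the server it queried."""
    for r in rules:
        if (pkt.ingress == r.mapped_if
                and pkt.src == addr(r.dst_real)
                and pkt.dst == addr(r.src_mapped)):
            return replace(pkt, src=addr(r.dst_mapped), dst=addr(r.src_real)), r
    return pkt, None


if __name__ == "__main__":
    query = Packet("10.1.1.201", "8.8.8.8", "inside")
    out, rule = translate(query)
    print("outbound :", query.src, "->", query.dst, " becomes ", out.src, "->", out.dst)
    reply = Packet(out.dst, out.src, "outside")
    back, _ = untranslate(reply)
    print("return   :", reply.src, "->", reply.dst, " becomes ", back.src, "->", back.dst)
```

The untranslate path is what the second pair of show xlate lines in the Verification section records: the firewall remembers that 208.67.222.123 on the outside must appear to the inside as 8.8.8.8.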
Verification
To verify that NAT is correctly configured, use the following commands. In the show xlate output, note the flags “sT” signifying Static and Twice. Also note that the IP on the left is the real IP and the IP on the right is the mapped IP.
asa1# show xlate
<snip>
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:10.1.1.201 to outside:192.168.0.250
flags sT idle 0:00:19 timeout 0:00:00
NAT from outside:208.67.222.123 to inside:8.8.8.8
flags sT idle 0:00:19 timeout 0:00:00
NAT from inside:10.1.1.201 to outside:192.168.0.250
flags sT idle 3:44:51 timeout 0:00:00
NAT from outside:208.67.220.123 to inside:8.8.4.4
flags sT idle 3:44:51 timeout 0:00:00
asa1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static host1-real host1-mapped destination static google1-mapped google1-real
translate_hits = 1226, untranslate_hits = 39790
2 (inside) to (outside) source static host1-real host1-mapped destination static google2-mapped google2-real
translate_hits = 2, untranslate_hits = 86
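When auditing a firewall it is useful to check the show xlate output mechanically rather than by eye. The following parser is an added example written for this article, not an ASA feature; the sample text is the output shown above (copied inline so the script runs offline), and the field names and the check_twice_nat helper are this example's own assumptions. It extracts each translation with its flags and confirms that the expected source and destination xlates exist and carry both the s and T flags.

```python
"""Parse ASA `show xlate` output and check for the expected Twice NAT entries
(added example; the parser is not part of the ASA)."""
import re

# Constructed copy of the show xlate output from the article, including the legend.
SHOW_XLATE = """\
<snip>
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:10.1.1.201 to outside:192.168.0.250
flags sT idle 0:00:19 timeout 0:00:00
NAT from outside:208.67.222.123 to inside:8.8.8.8
flags sT idle 0:00:19 timeout 0:00:00
NAT from inside:10.1.1.201 to outside:192.168.0.250
flags sT idle 3:44:51 timeout 0:00:00
NAT from outside:208.67.220.123 to inside:8.8.4.4
flags sT idle 3:44:51 timeout 0:00:00
"""

# Real side is on the left of "to", mapped side on the right (as the article notes).
ENTRY = re.compile(r"^NAT from (\w+):([\d.]+) to (\w+):([\d.]+)$")
FLAGS = re.compile(r"^flags (\S+) idle (\S+) timeout (\S+)$")


def parse_xlate(text: str) -> list:
    """Return one dict per xlate: interfaces, addresses, flag set, idle time.
    Lines that are not an entry/flags pair (legend, <snip>) are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    i = 0
    while i < len(lines):
        m = ENTRY.match(lines[i])
        f = FLAGS.match(lines[i + 1]) if m and i + 1 < len(lines) else None
        if m and f:
            entries.append({
                "real_if": m[1], "real": m[2],
                "mapped_if": m[3], "mapped": m[4],
                "flags": set(f[1]), "idle": f[2], "timeout": f[3],
            })
            i += 2
        else:
            i += 1
    return entries


def check_twice_nat(entries, real_if, real_ip, mapped_if, mapped_ip) -> bool:
    """True if an xlate for this real/mapped pair exists and is both static (s) and twice (T)."""
    return any(
        e["real_if"] == real_if and e["real"] == real_ip
        and e["mapped_if"] == mapped_if and e["mapped"] == mapped_ip
        and {"s", "T"} <= e["flags"]
        for e in entries
    )


def entries_missing_flags(entries, required=frozenset({"s", "T"})) -> list:
    """Xlates that lack any of the required flags, e.g. a dynamic (i) entry that
    crept in where only static Twice NAT was expected."""
    return [e for e in entries if not required <= e["flags"]]


if __name__ == "__main__":
    xl = parse_xlate(SHOW_XLATE)
    print(len(xl), "xlates parsed")
    print("host1 source xlate ok :", check_twice_nat(xl, "inside", "10.1.1.201", "outside", "192.168.0.250"))
    print("OpenDNS1 dest xlate ok:", check_twice_nat(xl, "outside", "208.67.222.123", "inside", "8.8.8.8"))
    print("OpenDNS2 dest xlate ok:", check_twice_nat(xl, "outside", "208.67.220.123", "inside", "8.8.4.4"))
    print("entries without sT    :", entries_missing_flags(xl))
```

Feeding the script live output (for example captured over SSH) instead of the embedded sample gives a quick check that the destination rewrite toward OpenDNS is actually in place and still static, which is the property the configuration above relies on.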