
ASA NAT problem, Can I perform src and dst NAT at the same time on inbound traffic?

Last Modified: 2012-05-08

I have a client that is running an ASA5505 ver 8.0(4). They have traffic coming from the outside int going to an inside int and they require both the src and dst addresses to be natted, as below. --> ----  they want to hide the src behind outgoing int (not an issue, using static for this)
plus NAT the dst --> - This I am having issues with.
Is it possible to perform Src and Dst nat at the same time on the ASA? I have been told to look into policy NAT but can't find a lot of info on it.
Cheers Chris

Only one translation will be used, the order is:
1. NAT exempt
2. Static
3. NAT+Global

The policy NAT is used with the static statement, and allows you to make a granular list of what should be translated based on destination/source address/protocol/service.

To understand your situation better:
Are you looking for a solution where packets coming from destination (outside) being translated to (inside)?

If so, yes you can do that with policy NAT, but only for specific ports and protocols.
#static (inside,outside) tcp 80 80

That'd create a translation from packets coming from on tcp port 80 to, outgoing port 80 on your inside interface.


Hi Perry

The traffic will be coming from the address which is classed as the outside interface. It is trying to connect to a virtual address which is the 204. address which needs to be natted to the real 192. address. At the same time though the source needs to be hidden behind the internal interface address so when it leaves the firewall the source will be the internal firewall interface and the dest will be the real server address

I was researching this myself last night and came up with the following. Please see all addresses as hosts.

access-list acl_outside_in extended permit tcp host host object-group PORTS_IN log
access-list acl_inside_in extended permit tcp host host object-group PORTS_OUT log
access-list acl_NAT_outside permit ip host host
static (inside,outside) netmask
nat (outside) 10 access-list acl_NAT_outside
global (inside) 10 interface

Does that look like a viable solution to what I am trying to do? We have a change window tonight but if it's not going to work I would rather let the client know beforehand.

Thanks for that, seems crazy to me that the src and dst can't be natted at the same time. The client discarded a checkpoint solution when the firewalls were installed due to the fact 'they wouldn't be using a lot of NAT'. Think they may regret that decision shortly :-)

Thanks for the responses!
