Overview
- Twice NAT translates both the source IP and the destination IP, in both directions
- Twice NAT is bidirectional
- Twice NAT is mainly used for exempting VPN traffic from NAT
Topology

Testing Scenarios
- R2 (192.168.0.2) should be translated to 200.0.0.50. This translation should only happen when R2 accesses R3 locally using the IP address 192.168.0.3
- R3 (200.0.0.2) should be able to access R2 on its public IP address 200.0.0.50.
- R2’s Loopback 0 and R3’s Loopback 0 need to be exempt from NAT when they access each other.
Configurations
Scenarios 1&2
To solve testing scenarios 1 and 2 we only need one NAT rule.
1. Define object network
object network private-192.168.0.2
host 192.168.0.2
object network public-192.168.0.2
host 200.0.0.50
object network private-192.168.0.3
host 192.168.0.3
object network public-192.168.0.3
host 200.0.0.2
2. Define NAT for twice NAT
nat (INSIDE,OUTSIDE) source static private-192.168.0.2 public-192.168.0.2 destination static private-192.168.0.3 public-192.168.0.3
Scenario 3
1. Define object network for loopback
object network loopback-R2
host 2.2.2.2
object network loopback-R3
host 3.3.3.3
2. Create NAT exemption for R2 and R3
nat (INSIDE,OUTSIDE) source static loopback-R2 loopback-R2 destination static loopback-R3 loopback-R3
Verifications
Scenarios 1&2
1. We can test our rule using the packet-tracer command
packet-tracer input INSIDE tcp 192.168.0.2 12345 192.168.0.3 80
2. Telnet from R2 to R3 using the private IP address 192.168.0.3
telnet 192.168.0.3
3. Telnet from R3 to R2 using the public IP address 200.0.0.50
telnet 200.0.0.50
Scenario 3
For testing scenario 3 (NAT exemption) we can use the packet-tracer command
packet-tracer input INSIDE tcp 2.2.2.2 12345 3.3.3.3 80
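To see what the two rules above should produce before checking them on the firewall, here is a small Python model of twice NAT matching. It is an added example, not part of the original post and not Cisco code. It assumes first-match ordering, ignores ports and proxy ARP, and passes unmatched packets through unchanged; the names `TwiceNat`, `translate` and `round_trip` are made up for this sketch.

```python
from typing import List, NamedTuple, Tuple


class TwiceNat(NamedTuple):
    """One 'nat (INSIDE,OUTSIDE) source static A B destination static C D' rule."""
    real_src: str    # A: source as it exists on the INSIDE
    mapped_src: str  # B: source as seen on the OUTSIDE
    mapped_dst: str  # C: destination address the inside host dials
    real_dst: str    # D: destination as it exists on the OUTSIDE


# The two rules configured on this page, in configuration order.
RULES: List[TwiceNat] = [
    # Scenarios 1 and 2: R2 <-> R3
    TwiceNat("192.168.0.2", "200.0.0.50", "192.168.0.3", "200.0.0.2"),
    # Scenario 3: identity mapping on both halves = NAT exemption
    TwiceNat("2.2.2.2", "2.2.2.2", "3.3.3.3", "3.3.3.3"),
]


def translate(ingress: str, src: str, dst: str,
              rules: List[TwiceNat] = RULES) -> Tuple[str, str]:
    """Return (src, dst) after NAT for a packet arriving on `ingress`.

    A rule applies only when BOTH the source and the destination match,
    which is why R2 is translated to 200.0.0.50 only when it talks to
    192.168.0.3. Unmatched packets are returned unchanged (assumption:
    no other NAT rules exist on the device).
    """
    for r in rules:
        if ingress == "INSIDE" and (src, dst) == (r.real_src, r.mapped_dst):
            return r.mapped_src, r.real_dst
        if ingress == "OUTSIDE" and (src, dst) == (r.real_dst, r.mapped_src):
            return r.mapped_dst, r.real_src
    return src, dst


def round_trip(src: str, dst: str):
    """Translate an inside-initiated packet, then the reply coming back."""
    out = translate("INSIDE", src, dst)
    back = translate("OUTSIDE", out[1], out[0])  # reply swaps src and dst
    return out, back


if __name__ == "__main__":
    print(translate("INSIDE", "192.168.0.2", "192.168.0.3"))   # scenario 1
    print(translate("OUTSIDE", "200.0.0.2", "200.0.0.50"))     # scenario 2
    print(round_trip("2.2.2.2", "3.3.3.3"))                    # scenario 3
    print(translate("INSIDE", "192.168.0.2", "203.0.113.9"))   # constructed: no match
```

The printed pairs are the addresses you should expect in the translate phases of the packet-tracer output for the same flows.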
Conclusions
- With Twice NAT we can configure our network so that a host is reached on a private IP address instead of its public IP address.
- Twice NAT can be configured to exempt traffic from NAT, which is mostly used in VPN networks.