LAN Communication Between Hosts That Look For Their Public IP Addresses Behind An ASA

Introduction

This document describes different network implementations from where it is required to allow Local Area Network (LAN) communication between hosts that look for their public IP addresses behind an Adaptive Security Appliance (ASA).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Cisco basic ASA NAT configuration, version 8.3 and above.  

• Cisco basic ASA NAT configuration, version 8.2 and older.

Components Used

The information in this document is based on these software and hardware versions:

• ASA5500 and ASA5500-X series.
• Cisco ASA version 8.3 and above.
• Cisco ASA version 8.2 and older.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Problem: LAN Communication Between Hosts That Look For Their Public IP Addresses Behind an ASA

In the next section, you can see three topology examples that show this communication requirement to allow LAN communication between hosts that look for their public IP addresses behind an ASA.

Example 1. The source host PC-A is connected to the inside ASA interface, while the destination host Test Server is connected to the DMZ interface.

Example 2. The source and destination hosts PC-A and Test Server are connected to the same inside ASA interface.

Example 3. The source and destination hosts PC-A and Test Server are connected to the inside ASA interface, but behind another layer 3 device (It could be a Router or a Multilayer switch).

Note: The Test Server in the three images has a static Network Address Translation (NAT) configured in the ASA, this static NAT translation is applied from the outside to the correspondent internal interface in order to allow the Test Server to be reachable from the outside with the public IP address 64.100.0.5, then this is translated to the Test Server internal private IP address. 

Solution

In order to allow the source host PC-A to reach the destination Test Server with its public IP address instead of the private one, we need to apply a twice NAT configuration. The twice NAT configuration helps us to translate both, the source and destination IP addresses of the packets when the traffic passes through the ASA.

Here the details of the twice nat configuration required for each topology:

Example 1. The source host PC-A is connected to the inside ASA interface, while the destination host Test Server is connected to the DMZ interface.

Configuration

Twice NAT for ASA Versions 8.3 and Later:

object network obj-10.1.1.5
 host 10.1.1.5

object network obj-172.16.1.5
 host 172.16.1.5

object network obj-64.100.0.5
 host 64.100.0.5

nat (inside,dmz) source static obj-10.1.1.5 interface destination static obj-64.100.0.5 obj-172.16.1.5

NOTE: After this NAT is applied in the ASA you will receive a warning message as the following:

WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.

Twice NAT for ASA Versions 8.2 and Older:

access-list IN-DMZ-INTERFACE extended permit ip host 10.1.1.5 host 64.100.0.5
static (inside,dmz) interface access-list IN-DMZ-INTERFACE

access-list DMZ-IN-INTERFACE extended permit ip host 172.16.1.5 host 172.16.1.1
static (dmz,inside) 64.100.0.5 access-list DMZ-IN-INTERFACE

Troubleshoot

Packet Tracer Output Versions 8.3 and Later:

ASA# packet-tracer input inside tcp 10.1.1.5 123 64.100.0.5 80

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,dmz) source static obj-10.1.1.5 interface destination static obj-64.100.0.5 obj-172.16.1.5
Additional Information:
NAT divert to egress interface dmz
Untranslate 64.100.0.5/80 to 172.16.1.5/80

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,dmz) source static obj-10.1.1.5 interface destination static obj-64.100.0.5 obj-172.16.1.5
Additional Information:
Static translate 10.1.1.5/123 to 172.16.1.1/123

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,dmz) source static obj-10.1.1.5 interface destination static obj-64.100.0.5 obj-172.16.1.5
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 167632, packet dispatched to next module

Result: 
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

Packet Tracer Output Versions 8.2 and Older:

ASA#packet-tracer input inside tcp 10.1.1.5 123 64.100.0.5 80 

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz,inside) 64.100.0.5 access-list DMZ-IN-INTERFACE 
 match ip dmz host 172.16.1.5 inside host 172.16.1.1
 static translation to 64.100.0.5
 translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface dmz
Untranslate 64.100.0.5/0 to 172.16.1.5/0 using netmask 255.255.255.255

Phase: 2
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config: 
static (inside,dmz) interface access-list IN-DMZ-INTERFACE 
 match ip inside host 10.1.1.5 dmz host 64.100.0.5
 static translation to 172.16.1.1
 translate_hits = 1, untranslate_hits = 0
Additional Information:
Static translate 10.1.1.5/0 to 172.16.1.1/0 using netmask 255.255.255.255

Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz) interface access-list IN-DMZ-INTERFACE 
 match ip inside host 10.1.1.5 dmz host 64.100.0.5
 static translation to 172.16.1.1
 translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (dmz,inside) 64.100.0.5 access-list DMZ-IN-INTERFACE 
 match ip dmz host 172.16.1.5 inside host 172.16.1.1
 static translation to 64.100.0.5
 translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,inside) 64.100.0.5 access-list DMZ-IN-INTERFACE 
 match ip dmz host 172.16.1.5 inside host 172.16.1.1
 static translation to 64.100.0.5
 translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8 
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 503, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

Packet Captures:

ASA# sh cap
capture capin type raw-data interface inside [Capturing - 1300 bytes] 
 match ip host 10.1.1.5 host 64.100.0.5 
capture capout type raw-data interface dmz [Capturing - 1300 bytes] 
 match ip host 172.16.1.1 host 172.16.1.5 

ASA# sh cap capin

10 packets captured
 1: 12:36:28.245455 10.1.1.5 > 64.100.0.5: icmp: echo request 
 2: 12:36:28.269441 64.100.0.5 > 10.1.1.5: icmp: echo reply 
 3: 12:36:28.303451 10.1.1.5 > 64.100.0.5: icmp: echo request 
 4: 12:36:28.333692 64.100.0.5 > 10.1.1.5: icmp: echo reply 
 5: 12:36:28.372478 10.1.1.5 > 64.100.0.5: icmp: echo request 
 6: 12:36:28.395563 64.100.0.5 > 10.1.1.5: icmp: echo reply 
 7: 12:36:28.422402 10.1.1.5 > 64.100.0.5: icmp: echo request 
 8: 12:36:28.449241 64.100.0.5 > 10.1.1.5: icmp: echo reply 
 9: 12:36:28.481420 10.1.1.5 > 64.100.0.5: icmp: echo request 
 10: 12:36:28.507435 64.100.0.5 > 10.1.1.5: icmp: echo reply 
10 packets shown

ASA1# sh cap capout

10 packets captured
 1: 12:36:28.245730 172.16.1.1 > 172.16.1.5: icmp: echo request 
 2: 12:36:28.269395 172.16.1.5 > 172.16.1.1: icmp: echo reply 
 3: 12:36:28.303725 172.16.1.1 > 172.16.1.5: icmp: echo request 
 4: 12:36:28.333646 172.16.1.5 > 172.16.1.1: icmp: echo reply 
 5: 12:36:28.372737 172.16.1.1 > 172.16.1.5: icmp: echo request 
 6: 12:36:28.395533 172.16.1.5 > 172.16.1.1: icmp: echo reply 
 7: 12:36:28.422661 172.16.1.1 > 172.16.1.5: icmp: echo request 
 8: 12:36:28.449195 172.16.1.5 > 172.16.1.1: icmp: echo reply 
 9: 12:36:28.481695 172.16.1.1 > 172.16.1.5: icmp: echo request 
 10: 12:36:28.507404 172.16.1.5 > 172.16.1.1: icmp: echo reply 
10 packets shown

Example 2. The source and destination hosts PC-A and Test Server are connected to the same inside ASA interface.

Configuration 

Twice NAT for ASA Versions 8.3 and Later:

object network obj-10.1.1.5
 host 10.1.1.5

object network obj-10.1.1.6
 host 10.1.1.6

object network obj-64.100.0.5
 host 64.100.0.5

nat (inside,inside) source static obj-10.1.1.5 interface destination static obj-64.100.0.5 obj-10.1.1.6

NOTE: After this NAT is applied in the ASA you will receive a warning message as the following:

WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.

Twice NAT for ASA Versions 8.2 and Older:

access-list IN-OUT-INTERFACE extended permit ip host 10.1.1.5 host 64.100.0.5
static (inside,inside) interface access-list IN-OUT-INTERFACE

access-list OUT-IN-INTERFACE extended permit ip host 10.1.1.6 host 10.1.1.1
static (inside,inside) 64.100.0.5 access-list OUT-IN-INTERFACE

Note: The main intention of the NAT translation for the source IP address from 10.1.1.5 to the ASA inside interface IP address 10.1.1.1, is to force the replies that come from host 10.1.1.6 to return to the ASA, this is highly required in order to avoid asymmetric routing and to allow the ASA to process all of the traffic between the interested hosts, if we don't translate the source IP address like we did in this example, then the ASA will block the interested traffic due to asymmetric routing.

Troubleshoot

Packet Tracer Output  Versions 8.3 and Later:

ASA# packet-tracer input inside tcp 10.1.1.5 123 64.100.0.5 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inside) source static obj-10.1.1.5 interface destination static obj-64.100.0.5 obj-10.1.1.6
Additional Information:
NAT divert to egress interface inside
Untranslate 64.100.0.5/80 to 10.1.1.6/80

Phase: 2
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,inside) source static obj-10.1.1.5 interface destination static obj-64.100.0.5 obj-10.1.1.6
Additional Information:
Static translate 10.1.1.5/123 to 10.1.1.1/123

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule 
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,inside) source static obj-10.1.1.5 interface destination static obj-64.100.0.5 obj-10.1.1.6
Additional Information:
 
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 167839, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Packet Tracer Output  Versions 8.2 and Older:

ASA# packet-tracer input inside tcp 10.1.1.5 123 64.100.0.5 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,inside) 64.100.0.5 access-list OUT-IN-INTERFACE 
 match ip inside host 10.1.1.6 inside host 10.1.1.1
 static translation to 64.100.0.5
 translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate 64.100.0.5/0 to 10.1.1.6/0 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW 
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
static (inside,inside) interface access-list IN-OUT-INTERFACE 
 match ip inside host 10.1.1.5 inside host 64.100.0.5
 static translation to 10.1.1.1
 translate_hits = 1, untranslate_hits = 0
Additional Information:
Static translate 10.1.1.5/0 to 10.1.1.1/0 using netmask 255.255.255.255

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,inside) interface access-list IN-OUT-INTERFACE 
 match ip inside host 10.1.1.5 inside host 64.100.0.5
 static translation to 10.1.1.1
 translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,inside) 64.100.0.5 access-list OUT-IN-INTERFACE 
 match ip inside host 10.1.1.6 inside host 10.1.1.1
 static translation to 64.100.0.5
 translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,inside) 64.100.0.5 access-list OUT-IN-INTERFACE 
 match ip inside host 10.1.1.6 inside host 10.1.1.1
 static translation to 64.100.0.5
 translate_hits = 0, untranslate_hits = 1
Additional Information:
 
Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 727, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Packet Captures:

ASA# sh cap
capture capin type raw-data interface inside [Capturing - 1300 bytes] 
 match ip host 10.1.1.5 host 64.100.0.5 
capture capout type raw-data interface inside [Capturing - 1300 bytes] 
 match ip host 10.1.1.1 host 10.1.1.6

ASA# sh cap capin

10 packets captured
 1: 12:50:39.304748 10.1.1.5 > 64.100.0.5: icmp: echo request 
 2: 12:50:39.335431 64.100.0.5 > 10.1.1.5: icmp: echo reply 
 3: 12:50:39.368389 10.1.1.5 > 64.100.0.5: icmp: echo request 
 4: 12:50:39.389368 64.100.0.5 > 10.1.1.5: icmp: echo reply 
 5: 12:50:39.398432 10.1.1.5 > 64.100.0.5: icmp: echo request 
 6: 12:50:39.418176 64.100.0.5 > 10.1.1.5: icmp: echo reply 
 7: 12:50:39.419732 10.1.1.5 > 64.100.0.5: icmp: echo request 
 8: 12:50:39.425103 64.100.0.5 > 10.1.1.5: icmp: echo reply 
 9: 12:50:39.434395 10.1.1.5 > 64.100.0.5: icmp: echo request 
 10: 12:50:39.438423 64.100.0.5 > 10.1.1.5: icmp: echo reply 
10 packets shown

ASA2# sh cap capout

10 packets captured
 1: 12:50:39.305282 10.1.1.1 > 10.1.1.6: icmp: echo request 
 2: 12:50:39.335386 10.1.1.6 > 10.1.1.1: icmp: echo reply 
 3: 12:50:39.368663 10.1.1.1 > 10.1.1.6: icmp: echo request 
 4: 12:50:39.389307 10.1.1.6 > 10.1.1.1: icmp: echo reply 
 5: 12:50:39.398706 10.1.1.1 > 10.1.1.6: icmp: echo request 
 6: 12:50:39.418130 10.1.1.6 > 10.1.1.1: icmp: echo reply 
 7: 12:50:39.419762 10.1.1.1 > 10.1.1.6: icmp: echo request 
 8: 12:50:39.425072 10.1.1.6 > 10.1.1.1: icmp: echo reply 
 9: 12:50:39.434669 10.1.1.1 > 10.1.1.6: icmp: echo request 
 10: 12:50:39.438392 10.1.1.6 > 10.1.1.1: icmp: echo reply 
10 packets shown

Example 3. The source and destination hosts PC-A and Test Server are connected to the inside ASA interface, but behind another layer 3 device (It could be a Router or a Multilayer switch).

Configuration 

Twice NAT for ASA Versions 8.3 and Later:

object network obj-10.2.2.5
 host 10.2.2.5

object network obj-10.3.3.6
 host 10.3.3.6

object network obj-64.100.0.5
 host 64.100.0.5

nat (inside,inside) source static obj-10.2.2.5 interface destination static obj-64.100.0.5 obj-10.3.3.6

NOTE: After this NAT is applied in the ASA you will receive a warning message as the following:

WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.

Twice NAT for ASA Versions 8.2 and Older:

access-list IN-OUT-INTERFACE extended permit ip host 10.2.2.5 host 64.100.0.5
static (inside,inside) interface access-list IN-OUT-INTERFACE

access-list OUT-IN-INTERFACE extended permit ip host 10.3.3.6 host 10.1.1.1
static (inside,inside) 64.100.0.5 access-list OUT-IN-INTERFACE

Note: The main intention of the NAT translation for the source IP address from 10.1.1.5 to the ASA inside interface IP address (10.1.1.1) is to force the replies that come from host 10.1.1.6 to return to the ASA, this is highly required in order to avoid asymmetric routing and to allow the ASA to process all of the traffic between the interested hosts, if we don't translate the source IP address like we did in this example, then the ASA will block the interested traffic due to asymmetric routing.

Troubleshoot

Packet Tracer Output Versions 8.3 and Later:

ASA# packet-tracer input inside tcp 10.2.2.5 123 64.100.0.5 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inside) source static obj-10.2.2.5 interface destination static obj-64.100.0.5 obj-10.3.3.6
Additional Information:
NAT divert to egress interface inside
Untranslate 64.100.0.5/80 to 10.3.3.6/80

Phase: 2
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,inside) source static obj-10.2.2.5 interface destination static obj-64.100.0.5 obj-10.3.3.6
Additional Information:
Static translate 10.2.2.5/123 to 10.1.1.1/123

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule 
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,inside) source static obj-10.2.2.5 interface destination static obj-64.100.0.5 obj-10.3.3.6
Additional Information:
 
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 167945, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Packet Tracer Output Versions 8.2 and Older:

ASA# packet-tracer input inside tcp 10.2.2.5 123 64.100.0.5 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,inside) 64.100.0.5 access-list OUT-IN-INTERFACE 
 match ip inside host 10.3.3.6 inside host 10.1.1.1
 static translation to 64.100.0.5
 translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate 64.100.0.5/0 to 10.3.3.6/0 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW 
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
static (inside,inside) interface access-list IN-OUT-INTERFACE 
 match ip inside host 10.2.2.5 inside host 64.100.0.5
 static translation to 10.1.1.1
 translate_hits = 1, untranslate_hits = 0
Additional Information:
Static translate 10.2.2.5/0 to 10.1.1.1/0 using netmask 255.255.255.255

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,inside) interface access-list IN-OUT-INTERFACE 
 match ip inside host 10.2.2.5 inside host 64.100.0.5
 static translation to 10.1.1.1
 translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,inside) 64.100.0.5 access-list OUT-IN-INTERFACE 
 match ip inside host 10.3.3.6 inside host 10.1.1.1
 static translation to 64.100.0.5
 translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,inside) 64.100.0.5 access-list OUT-IN-INTERFACE 
 match ip inside host 10.3.3.6 inside host 10.1.1.1
 static translation to 64.100.0.5
 translate_hits = 0, untranslate_hits = 1
Additional Information:
 
Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 908, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Packet Captures:

ASA# sh cap
capture capin type raw-data interface inside [Capturing - 1300 bytes] 
 match ip host 10.2.2.5 host 64.100.0.5 
capture capout type raw-data interface inside [Capturing - 1300 bytes] 
 match ip host 10.1.1.1 host 10.3.3.6 

ASA# sh cap capin

10 packets captured
 1: 13:06:09.302047 10.2.2.5 > 64.100.0.5: icmp: echo request 
 2: 13:06:09.315276 64.100.0.5 > 10.2.2.5: icmp: echo reply 
 3: 13:06:09.342221 10.2.2.5 > 64.100.0.5: icmp: echo request 
 4: 13:06:09.381266 64.100.0.5 > 10.2.2.5: icmp: echo reply 
 5: 13:06:09.421227 10.2.2.5 > 64.100.0.5: icmp: echo request 
 6: 13:06:09.459204 64.100.0.5 > 10.2.2.5: icmp: echo reply 
 7: 13:06:09.494939 10.2.2.5 > 64.100.0.5: icmp: echo request 
 8: 13:06:09.534258 64.100.0.5 > 10.2.2.5: icmp: echo reply 
 9: 13:06:09.564210 10.2.2.5 > 64.100.0.5: icmp: echo request 
 10: 13:06:09.593261 64.100.0.5 > 10.2.2.5: icmp: echo reply 
10 packets shown

ASA# sh cap capout

10 packets captured
 1: 13:06:09.302367 10.1.1.1 > 10.3.3.6: icmp: echo request 
 2: 13:06:09.315230 10.3.3.6 > 10.1.1.1: icmp: echo reply 
 3: 13:06:09.342526 10.1.1.1 > 10.3.3.6: icmp: echo request 
 4: 13:06:09.381221 10.3.3.6 > 10.1.1.1: icmp: echo reply 
 5: 13:06:09.421517 10.1.1.1 > 10.3.3.6: icmp: echo request 
 6: 13:06:09.459174 10.3.3.6 > 10.1.1.1: icmp: echo reply 
 7: 13:06:09.495244 10.1.1.1 > 10.3.3.6: icmp: echo request 
 8: 13:06:09.534213 10.3.3.6 > 10.1.1.1: icmp: echo reply 
 9: 13:06:09.564500 10.1.1.1 > 10.3.3.6: icmp: echo request 
 10: 13:06:09.593215 10.3.3.6 > 10.1.1.1: icmp: echo reply 
10 packets shown

Related Information

• ASA 8.3 Configuration Guide: Prerequisite for Twice NAT

• ASA 8.4 Configuration Guide: DNS and NAT

• ASA Pre-8.3 to 8.3 NAT configuration examples