topic Difference between double nat and twice nat in Network Security

Difference between double nat and twice nat

sshantikumar — Mon, 11 Mar 2019 21:48:41 GMT

Hello,

I have been seeing this concept of Twice NAT on cisco devices and Double NAT on Checkpoint devices. Somehow I am not able to understand how they work. Are they the same? Could anyone please explain whaht these concepts actually achieve?

I am mainly looking for an example where the destination also changes.

Thanks

Shyam

Difference between double nat and twice nat

mirober2 — Thu, 10 Nov 2011 14:54:37 GMT

Hi Shyam,

You are right that twice NAT simply means that both the source and the destination IP addresses in the packet are translated. In the new NAT syntax of ASA 8.3 and 8.4, you can do this in a single command:

object network obj-10.1.1.1
  host 10.1.1.1
object network obj-192.168.1.1
  host 192.168.1.1
object network obj-172.16.1.1
  host 172.16.1.1
!
nat (inside,outside) source static obj-10.1.1.1 interface destination static obj-192.168.1.1 obj-172.16.1.1

With this example, if a packet sourced from 10.1.1.1 and destined to 192.168.1.1 arrives at the inside interface, the ASA will translate the source address to the outside interface IP. It will also translate the destination address to 172.16.1.1.

You can find more configuration examples here:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html

Hope that helps.

-Mike

Difference between double nat and twice nat

sshantikumar — Fri, 11 Nov 2011 04:55:00 GMT

Hello Mike,

Thanks for the reply. I have a question here.

Traffic will get initiated from 10.1.1.1 and the ultimate destination will be 172.16.1.1 (translated destination address). The source address (10.1.1.1) will get hide natted to the interface address. The translated destination address (172.16.1.1) will get translated to the external destination (192.168.1.1). so the traffic is like this

1. SA: 10.1.1.1 DA: 172.16.1.1

After the traffic leaves the outside interface

2. SA: Firewall Interface address DA: 192.168.1.1

Return traffic from 192.168.1.1 will get natted back to 172.16.1.1 once it reaches the firewall

Please confirm whether I am correct here.

Thanks

Shyam

Difference between double nat and twice nat

mirober2 — Fri, 11 Nov 2011 13:37:39 GMT

Hi Shyam,

You're correct on the source address but the destination address should be reversed:

1. SA: 10.1.1.1, DA: 192.168.1.1

After leaving the firewall:

2. SA: Outside interface IP, DA: 172.16.1.1

-Mike

Difference between double nat and twice nat

Dinesh Moudgil — Fri, 26 Apr 2013 17:24:39 GMT

Hello mirober2,

I guess Shyam was right in his statement.As per this cisco dcument:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html

The format of the command is "static(inside,outside) source static real_ip mapped_ip destination static mapped_ip real_ip".

So , SA=10.1.1.1 DA=172.16.1.1

After leaving the firewall

SA=Outside Interface DA=192.168.1.1

-Dinesh

Difference between double nat and twice nat

harvisin — Tue, 30 Apr 2013 20:33:04 GMT

Hello Shyam,

I went through your query and have found link's which would help you in solving your query.

As rightly said the Twice NAT is performed on the cisco devices and for the same please refer to the following link as it would help you understand its fundamentals:-

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/nat_rules.html

Secondly Double NAT is performed on the Checkpoint Devices the following link will be helpful for the same:-

http://www.practicallynetworked.com/networking/fixing_double_nat.htm