Hi

I have a ASA5520, that was the core firewall  for inside and outside, default gateway etc etc...

my internal addresses are 192.168.0.0/16 - broken into /24's

my public internet address 1.2.3.0/24

I have quiet a few network object nats

object network www

host 192.168.10.20

nat (dmzrp,any) static 1.2.3.9 service tcp 10001 https

so dmzrp is where I have my reverse proxies.

I also have this at the top of the list

nat (any,any) source static inside-net inside-net destination static inside-net inside-net no-proxy-arp

object network inside-net

subnet 192.168.0.0 255.255.0.0

Now I am in the process of moving to another router for my core routing so a lot of vlan's ip networks are moving off the asa5520

I have an interface called MAN it connect to a share network, where I run ospf I have my new router connected here.

so when I try to connect to the www address about 192.168.20.10 -> 1.2.3.9:443 the forward packet gets to 192.168.10.20, but the source address is  192.168.20.10, which routes back to the original server without going via the asa5520 to un NAT it, so it fails.

So I presume I need to twice NAT ?

I was going to do some thing like

object network in_nat_src

  host 1.2.3..13

object-group network public-network

network-object 1.2.3.0 255.255.255.0

nat (internet,man) source dynamic inside-net in_nat_src destination static public-network public-network no-proxy-arp

nat (any,any) source static inside-net inside-net destination static inside-net inside-net no-proxy-arp

I don't really have a asa to test on. But my presumption is that will set my src address and then the object network will then work, so from my reading thats nat is stage 1 and object network is stage 2