Perverted NAT

This is probably the most perverted form of NAT I have ever done. <flamebait> But it serves as proof that with proper NAT there is no need for routing </flamebait>



There is a Cisco ASA running code 8.3+ that divides my home network from my lab networks. My home devices use as default gateway and have no other routes configured. Behind the lab firewall there is a host with dual NICs. The host is connected to my lab firewall via a point-to-point network and has a default gateway pointing elsewhere.


I want the lab computer to reach my vSphere server, and I also want any computer on my home network to remote-control the lab computer with VNC. I do not want to add extra routes anywhere.




object network vCenter
object network pod1inside
object service RDP
 service tcp destination eq 3389
object service RDP_13389
 service tcp destination eq 13389
object service VNC
 service tcp destination eq 5900
object service VNC_5901
 service tcp destination eq 5901
object service vSphere
 service tcp destination eq 444
nat (pod1_151,inside168) source static pod1inside interface destination static interface vCenter service vSphere vSphere
nat (inside168,pod1_151) source dynamic any interface destination static interface pod1inside service VNC_5901 VNC

The above configuration makes it possible to:


  • run the vSphere client on the lab computer and connect to The source address of the packet will be translated to the interface address of inside168 ( and the destination address will be translated to


  • run a VNC viewer on any computer on the and connect to The source address of the packet will be translated to the interface address of pod1_151 (, the destination address will be translated to and the destination port will be translated from 5901 to 5900.
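As an added illustration (not the post's configuration and not Cisco's code), the following Python simulation applies the two twice-NAT rules above to sample packets and reverses the translation for the replies. All addresses are constructed placeholders (the post's real addresses are not reproduced); the interface, object and service names are the post's. The translation semantics follow the ASA 8.3+ twice-NAT syntax: `source` is written real-then-mapped, `destination` is written mapped-then-real, and the `service` pair mirrors the destination ordering (the first object is the destination port clients connect to, the second is the real port on the server), which is why `service VNC_5901 VNC` turns 5901 into 5900. The `interface` keyword resolves to the mapped interface's address on the source side and to the real interface's address on the destination side.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addressing for the simulation (not the post's real addresses).
IFACE_ADDR = {"inside168": "192.0.2.1", "pod1_151": "198.51.100.1"}
OBJECTS = {"vCenter": "192.0.2.10", "pod1inside": "198.51.100.2"}
# "object service X" / "service tcp destination eq N" from the post, as X: N
SERVICES = {"vSphere": 444, "VNC": 5900, "VNC_5901": 5901}


@dataclass(frozen=True)
class Packet:
    ifc: str        # interface the packet arrives on (or leaves by, after translation)
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class TwiceNat:
    """nat (real_ifc,mapped_ifc) source {static|dynamic} real_src mapped_src
       destination static mapped_dst real_dst service mapped_dst_svc real_dst_svc"""
    real_ifc: str
    mapped_ifc: str
    real_src: str        # object name or "any"
    mapped_src: str      # object name or "interface" (= mapped_ifc address)
    mapped_dst: str      # object name or "interface" (= real_ifc address)
    real_dst: str
    mapped_dst_svc: str  # first service object: destination port clients connect to
    real_dst_svc: str    # second service object: destination port on the real host


def _addr(name: str, ifc: str) -> str:
    return IFACE_ADDR[ifc] if name == "interface" else OBJECTS[name]


def match(rule: TwiceNat, pkt: Packet) -> bool:
    """A rule applies to a new connection arriving on real_ifc whose pre-NAT
    5-tuple matches the real source and the *mapped* destination address/port."""
    if pkt.ifc != rule.real_ifc:
        return False
    if rule.real_src != "any" and pkt.src != OBJECTS[rule.real_src]:
        return False
    return (pkt.dst == _addr(rule.mapped_dst, rule.real_ifc)
            and pkt.dport == SERVICES[rule.mapped_dst_svc])


def translate(rules, pkt: Packet) -> Optional[Packet]:
    """First matching rule wins (twice NAT is ordered). Returns the post-NAT
    packet as it leaves mapped_ifc, or None when no rule matches."""
    for rule in rules:
        if match(rule, pkt):
            return Packet(ifc=rule.mapped_ifc,
                          src=_addr(rule.mapped_src, rule.mapped_ifc),
                          sport=pkt.sport,
                          dst=OBJECTS[rule.real_dst],
                          dport=SERVICES[rule.real_dst_svc])
    return None


def untranslate(orig: Packet, xlated: Packet, reply: Packet) -> Optional[Packet]:
    """Reverse the xlate for a reply arriving on the mapped interface that is
    addressed to the translated source (what the ASA's xlate/conn tables do)."""
    if (reply.ifc, reply.src, reply.sport, reply.dst, reply.dport) != (
            xlated.ifc, xlated.dst, xlated.dport, xlated.src, xlated.sport):
        return None
    return Packet(ifc=orig.ifc, src=orig.dst, sport=orig.dport,
                  dst=orig.src, dport=orig.sport)


def reply_is_directly_connected(xlated: Packet) -> bool:
    """The post's thesis: after translation the source is the ASA's own address
    on the egress interface, so the real server answers a directly connected
    host and needs no extra route."""
    return xlated.src == IFACE_ADDR[xlated.ifc]


# The post's two nat statements, in order.
RULES = [
    TwiceNat("pod1_151", "inside168", "pod1inside", "interface",
             "interface", "vCenter", "vSphere", "vSphere"),
    TwiceNat("inside168", "pod1_151", "any", "interface",
             "interface", "pod1inside", "VNC_5901", "VNC"),
]

if __name__ == "__main__":
    # Lab host -> ASA pod1_151 address:444  becomes  inside168 address -> vCenter:444
    lab = Packet("pod1_151", OBJECTS["pod1inside"], 51000, IFACE_ADDR["pod1_151"], 444)
    print(translate(RULES, lab))
    # Home PC -> ASA inside168 address:5901  becomes  pod1_151 address -> pod1inside:5900
    home = Packet("inside168", "192.0.2.77", 52000, IFACE_ADDR["inside168"], 5901)
    print(translate(RULES, home))
```

Because both rules rewrite the source to the ASA's address on the egress interface, `reply_is_directly_connected` is true for both flows: vCenter replies to the inside168 address and the lab host replies to the pod1_151 address, and neither side needs a route beyond its connected network. A packet that matches no rule (for example something aimed at the unused RDP objects) returns `None`, i.e. it is not translated by these two statements.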

Posted in Cisco Security
