You want to issue the following block of commands on a Cisco ASA:
ASA(config)#nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLEXT
INSIDESQLINT
You do not have CLI access to the ASA and must use ASDM instead.
Which of the following samples of the Add NAT Rule dialog box corresponds to the configuration needed to
achieve your goal? (Select the best answer.)
A.
Option A 
B.
Option B
C.
Option C
D.
Option D 
Explanation:
The following sample of the Add NAT Rule dialog box corresponds to the Cisco Adaptive Security Appliance
(ASA) configuration needed to achieve your goal using Cisco Adaptive Security Device Manager (ASDM):
In the exhibit shown above, the Match Criteria: Original Packet section of the Add NAT Rule dialog box contains
fields that correspond to the interface and IP address information in a matching packet prior to translation. The
Source Interface field specifies the real source interface, the Source Address field specifies the real source IP
address, the Destination Interface field specifies the real destination interface, the Destination Address field
specifies the real destination IP address, and the Service: field specifies the real protocol port numbers for the
original packet. By contrast, the Action: Translated Packet section of the Add NAT Rule dialog box contains
fields that correspond to the mapped interface and IP address information in a matching packet after
translation. The Source NAT Type field specifies the type of Network Address Translation (NAT), the Source
Address field specifies the mapped source IP address, the Destination Address: field specifies the mapped
destination IP address, and the Service: field specifies the mapped protocol numbers for the translated packet.
The sample Add NAT Rule dialog box configures the ASA to map the real source IP address traffic from any
network attached to the DMZ network to the IP address assigned to the INSIDE interface. In addition, the
mapped destination IP address defined in the INSIDESQLEXT object is mapped to the real destination IP
address defined in the INSIDESQLINT object. The following diagram depicts the translation of the addresses
within matching packets where INSIDESQLEXT has an IP address of 192.168.15.2 and INSIDESQLINT has an
IP address of 192.168.13.2:
You could use the nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLEXT
INSIDESQLINT command from global configuration mode to configure the same dynamic NAT rule as shown
in the sample. Add NAT Rule dialog box. When the nat command is issued from global configuration mode, it is
referred to as the nat (global) command and it can be used to configure twice NAT on the ASA. Twice NAT
enables you to specify a mapping for both the source address and destination address in a packet. The nat
(global) command in this scenario can be used to create a dynamic NAT rule which translates traffic between
the DMZ and INSIDE interfaces of the ASA. The abbreviated syntax to create a dynamic NAT rule with the nat
(global) command is nat (real_interface,mapped_interface) source dynamic {real_object | any} {mapped_object
| interface} destination static {mapped_object | interface} {real_object| any}.The following sample of the Add NAT Rule dialog box corresponds to the nat (DMZ, INSIDE) source dynamic
any interface destination static INSIDESQLINT INSIDESQLEXT command:
The following sample of the Add NAT Rule dialog box corresponds to the nat (INSIDE, DMZ) source dynamic
any interface destination static INSIDESQLEXT INSIDESQLINT command:
The following sample of the Add NAT Rule dialog box corresponds to the nat (INSIDE, DMZ) source dynamic
any interface destination static INSIDESQLINT INSIDESQLEXT command:
Cisco: Configuring Twice NAT: Configuring Dynamic PAT (Hide)
Cisco: Cisco ASA Series Command Reference: nat (global)
