ASA Advanced NAT
Received a question where a customer had a requirement to NAT inside addresses to inside addresses. The NAT is between different networks that both reside on the trusted inside network. Specifically, 192.168.10.1 needs to be NAT'd to 10.132.0.1. Again, both of these networks live off the inside interface. Can this be done?
Yes, it can. This is called hairpin NAT, and it is supported on ASA/PIX 7.2(1) and above as long as the pre- and post-translation addresses carry non-VPN traffic. (Earlier versions of code required one of the addresses to be encrypted, since they only supported hairpinning for VPN traffic.)
What you need to do first is enable "same-security-traffic permit intra-interface" to allow hosts on those two inside subnets to talk to each other via the ASA inside interface (assuming routing is properly set up). You can then set up a regular static NAT, or nat/global, as usual. The only difference in this case is that the pre- and post-translation addresses are both on the inside interface instead of on two different interfaces. In your customer's case, it would be:
static (inside,inside) 192.168.10.1 10.132.0.1 netmask 255.255.255.255
Any packet destined for 192.168.10.1 that hits the inside interface of the ASA will be translated to 10.132.0.1 and sent back out the inside interface, which is only allowed because of the "same-security-traffic permit intra-interface" command.
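A fuller configuration for the scenario above, added here as an illustration rather than taken from the original post or the customer's ASA. The interface name and its 10.132.0.254 address are assumptions, the 10.132.0.50 test host is constructed, and the 8.3+ object NAT form is included for readers on newer code; use whichever NAT syntax matches the software version, not both.

```cisco
! Hairpin (inside-to-inside) NAT on an ASA. Added example, not the customer's
! real configuration. Assumes the trusted network sits behind "inside".
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.132.0.254 255.255.255.0
!
! Without this, the ASA silently drops any flow that enters and leaves the
! same interface, so the translated packet would never be sent back out.
same-security-traffic permit intra-interface
!
! Pre-8.3 syntax (7.2(1) and later): (real_ifc,mapped_ifc) mapped_ip real_ip.
! A packet for 192.168.10.1 arriving on inside is untranslated to 10.132.0.1
! and forwarded back out inside.
static (inside,inside) 192.168.10.1 10.132.0.1 netmask 255.255.255.255
!
! Equivalent on 8.3 and later, where the static command no longer exists and
! NAT is attached to a network object describing the real host.
object network real-host-10.132.0.1
 host 10.132.0.1
 nat (inside,inside) static 192.168.10.1
!
! Checks: packet-tracer walks a constructed flow from an inside host to the
! mapped address and shows the NAT phase, the egress interface (should be
! inside) and whether the flow is allowed; show xlate lists the translation
! once real traffic has used it.
packet-tracer input inside tcp 10.132.0.50 12345 192.168.10.1 80
show xlate
```

If packet-tracer reports a drop in the NAT or ACL phase rather than an egress of inside, check that same-security-traffic is present and that the inside hosts actually route 192.168.10.1 toward the ASA.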