Cisco ASA NAT Exemption

Hello Dominique

What’s happening here is something called “twice NAT” and is used to identify both the source and destination address in a single rule. As stated in this Cisco documentation:

Specifying both the source and destination addresses lets you specify that a source address should be translated to A when going to destination X, but be translated to B when going to destination Y, for example.

And actually, when you use the same object for both real and mapped addresses, you are doing a very special type of twice NAT called Identity NAT. This is where the real and mapped objects are the same. Identity NAT simply says “translate to the same address” or simply “don’t translate”.

You can find out more about Identity NAT at the following Cisco link:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/firewall/asa-95-firewall-config/nat-reference.html#ID-2091-0000038c
You can also find out more at this post:

This has to do with the way in which NAT is applied. When the NAT statement is within the object, this kind of configuration is called network object NAT. It’s a quick and easy way to configure NAT for a single IP address or a range of addresses, or a subnet. The NAT command within the object is applied to the similarly configured subnet within the object. You can find out more about it here:

Looking at the lesson I do see a typo where the NAT statement was outside the object, so I’ll let Rene know to fix that…

This command will specify a tunnel-group, but you must create and configure the tunnel-group for it to function. This can be done using several command modes including:

tunnel-group general-attributes
tunnel-group ipsec-attributes
tunnel-group webvpn-attributes
tunnel-group ppp-attributes

One or more of the above should be used to enter the configuration mode of the particular attributes for this tunnel group. More about this can be found at this Cisco ASA command reference:

You can find out more details on how to configure these and what all of their parameters are at the following Cisco documentation:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-groups.html

Note that the entities called “tunnel-groups” are now called VPN connection profiles; however, the syntax seems to be the same.

I hope this has been helpful!

Laz
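The NAT exemption and tunnel-group pieces described above, put together in one ASA (8.3+ syntax) configuration as an added example. This is not configuration from the post, the lesson or Cisco's documentation; the object names, subnets and peer address are constructed for illustration, and the pre-shared key is a placeholder.

```cisco
! Added example (not from the post): NAT exemption for a site-to-site VPN.
! All object names, addresses and the peer IP are constructed.

! Network object NAT (section 2): the nat statement lives inside the object
! and applies to the subnet defined in that same object. Everything from
! inside going to outside is PATed to the outside interface address.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Remote LAN behind the VPN peer. No nat line: it is only used as a
! destination in the twice NAT rule below.
object network REMOTE_VPN_NET
 subnet 10.10.10.0 255.255.255.0

! Twice NAT identity rule (section 1, evaluated before object NAT).
! Real and mapped objects are the same on both source and destination,
! so traffic from INSIDE_NET to REMOTE_VPN_NET keeps its real source
! address and never hits the dynamic PAT above.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static REMOTE_VPN_NET REMOTE_VPN_NET no-proxy-arp route-lookup

! Tunnel group for the peer. For an IPsec LAN-to-LAN tunnel the group
! name is the peer IP; the ipsec-attributes mode holds the authentication.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>

! Verification: list the NAT table by section, then trace a packet from
! an inside host to the remote LAN and confirm the identity rule matched
! rather than the dynamic PAT.
show nat detail
packet-tracer input inside tcp 192.168.1.10 12345 10.10.10.20 443
```

Because manual (twice) NAT rules sit in section 1 and network object NAT in section 2, the identity rule wins regardless of the order the lines were entered; the `packet-tracer` output shows which NAT rule a given flow hits, which is the quickest way to confirm VPN traffic is exempted before bringing the tunnel up.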
