[c-nsp] Twice NAT sanity check

Randy randy_94108 at yahoo.com
Fri Dec 13 19:00:16 EST 2013


asa 5555x ver 9.1

Is there any reason why one or both twice-nat rules below would NOT work:

object-group network Web-Real
network-object host 10.5.0.1
network-object host 10.5.2.10
network-object host 10.5.3.25

object-group network Web-Mapped
network-object host 74.209.247.50
network-object host 208.70.89.30
network-object host 208.72.89.31

object-group network vpn-local
network-object 172.29.0.0 255.255.0.0

nat (web-dmz,outside) 1 source static Web-Real Web-Real destination static vpn-local vpn-local no-proxy-arp route-lookup


(section 1 of nat table ordered manually to nat-exempt)

nat (web-dmz,outside) 2 source static Web-Real Web-Mapped destination static any any no-proxy-arp route-lookup

(section 1 of nat table static NAT for all other destinations reachable via outside-int)

10.5.0.1 <-> 74.209.247.50
10.5.2.10 <-> 208.70.89.30
10.5.3.25 <-> 208.72.89.31

My Google-fu has failed me here, and I haven't found anything by Cisco explicitly prohibiting the above.

My assumption that the above should work is based on:

Prerequisites for Twice NAT 
•For both the real and mapped addresses, configure network objects or network object groups (the object network or object-group network command). Network object groups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets. To create a network object or group, see the "Configuring Network Objects and Groups" section in the general operations configuration guide.

Thanks,
./Randy
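As an added verification example (editor's addition, not part of Randy's post): section 1 of the ASA NAT table is evaluated top-down and the first matching line wins, so the question of whether the two lines "work" reduces to checking which line each flow actually hits. The commands below are standard ASA exec commands; the destination addresses 172.29.1.10 (inside vpn-local) and 198.51.100.20 (an arbitrary non-VPN destination) are constructed test values and the lines starting with ! are comments for the reader, not ASA input.

```text
! Flow from a DMZ web server to the VPN range: expected to hit line 1 (identity NAT)
! and leave with its real address 10.5.0.1 unchanged.
packet-tracer input web-dmz tcp 10.5.0.1 40000 172.29.1.10 443

! Same server to any other destination: expected to hit line 2 and leave as 74.209.247.50,
! the first member of Web-Mapped, because group members are paired positionally.
packet-tracer input web-dmz tcp 10.5.0.1 40000 198.51.100.20 443

! Inbound direction: an outside host connecting to the second mapped address should be
! untranslated by line 2 to the second member of Web-Real, 10.5.2.10.
packet-tracer input outside tcp 198.51.100.20 40000 208.70.89.30 443

! Per-line hit counters (translate_hits / untranslate_hits) show over time whether
! VPN-bound traffic is really being absorbed by line 1 instead of falling through to line 2.
show nat detail
```

In each packet-tracer run, the "Phase: NAT" block quotes the nat line that matched and the resulting addresses, which is the direct answer to the sanity check: the first run should quote line 1 with no address change, the other two should quote line 2. Two caveats worth checking at the same time: the positional real-to-mapped pairing means the three hosts must be listed in the same order in Web-Real and Web-Mapped, and with no-proxy-arp on line 2 the ASA will not answer ARP for the mapped addresses on the outside interface, so the upstream router must have routes for those /32s pointing at the ASA rather than relying on ARP.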



