06-05-2007 01:55 PM - edited 03-09-2019 06:07 PM
I currently have an internal IP address that is NATTED to an external IP. However, we are now setting up an L2L VPN, and that same internal IP now needs to be NATTED to the L2L VPN. I get the following error:
INFO: overlap with existing static
inside:WEBMAIL to outside:208.116.x.x netmask 255.255.255.255
06-05-2007 02:01 PM
You may be able to use policy-nat here. From the current scenario, I think you have the following static command in the network:
static (inside,outside) 208.116.x.x WEBMAIL
Now, let's assume that the remote end network of the L2L tunnel is 192.168.1.0/24, and you need to map the WEBMAIL server as 192.168.2.10 to the remote end L2L network. The following commands might help:
access-list pol1 permit ip host WEBMAIL 192.168.1.0 255.255.255.0
static (inside,outside) 192.168.2.10 access-list pol1
I hope this helps.
Regards,
Vibhor.
06-05-2007 02:06 PM
That is what I actually tried...
06-05-2007 02:10 PM
What code are you running? Policy-nat was introduced in 6.3(2) code.
Regards,
Vibhor.
06-05-2007 02:17 PM
I already have policy nat running for other site to site vpn. I am running version 7.2(2)
06-05-2007 02:19 PM
Cool .. could you paste the command you entered that produced the error, along with the commands existing on the PIX?
06-05-2007 02:22 PM
static (inside,outside) 208.116.x.x WEBMAIL netmask 255.255.255.255
Now for the site to site VPN with ZANTAZ, we need to NAT WEBMAIL to 172.30.59.91. In order to do this, I tried to use policy-nat (see below)
access-list ZANTAZ_VPN4 extended permit ip host WEBMAIL object-group ZANTAZ
static (inside,outside) 172.30.59.94 access-list ZANTAZ_VPN4
ERROR that I am getting:
INFO: overlap with existing static
inside:WEBMAIL to outside:208.116.x.x netmask 255.255.255.255
06-05-2007 02:23 PM
Sorry, typo:
static (inside,outside) 172.30.59.91 access-list ZANTAZ_VPN4
06-05-2007 03:20 PM
Ok .. well, that's not actually an "error" you are getting. It's an "INFO", which is just to inform you that you already have a static translation for the host WEBMAIL. If you check your current static rules, you'll see both static commands in there, and they would work as they are expected to:
show run static
It's just an informational message and you may ignore it.
Hope that helps.
Regards,
Vibhor.
06-05-2007 06:31 PM
You were right that it is only info. However, it does not show when I do show run static but only shows up in the show tech. So, I went and tried but it did not work. I will give it another try... I will clear the nat table and try again...
06-07-2007 04:43 AM
Well, I got it to work. The trick was to move the static that goes along with policy-nat ahead of the other static.
static (inside,outside) 172.30.59.91 access-list ZANTAZ_VPN1
static (inside,outside) 208.116.x.x WEBMAIL netmask 255.255.255.255
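Added example (not part of the thread and not Cisco code): a small Python check that flags a policy-NAT static configured after a regular static for the same inside host, which is the ordering the last post found not to work. The two config strings are constructed from the commands quoted in the thread; the function name and the simplified parsing (one `permit ip host` source per ACL) are assumptions.

```python
import re

# static (real_if,mapped_if) mapped_ip {access-list NAME | real_host ...}
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (?:access-list (\S+)|(\S+))")
# access-list NAME [extended] permit ip host REAL_HOST <destination>
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip host (\S+) ")

def find_shadowed_policy_statics(config):
    """Return (policy_static, earlier_regular_static) pairs where a policy-NAT
    static comes after a regular static for the same host and interface pair."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acl_host = {}  # ACL name -> source host of its first matching entry
    for l in lines:
        m = ACL_RE.match(l)
        if m:
            acl_host.setdefault(m.group(1), m.group(2))
    seen_regular = {}  # (real_if, mapped_if, real_host) -> config line
    findings = []
    for l in lines:
        m = STATIC_RE.match(l)
        if not m:
            continue
        real_if, mapped_if, _mapped, acl, real = m.groups()
        if acl is None:
            seen_regular.setdefault((real_if, mapped_if, real), l)
        else:
            earlier = seen_regular.get((real_if, mapped_if, acl_host.get(acl)))
            if earlier:
                findings.append((l, earlier))
    return findings

# Constructed sample: regular static first (the order that did not work).
BROKEN_ORDER = """
access-list ZANTAZ_VPN4 extended permit ip host WEBMAIL object-group ZANTAZ
static (inside,outside) 208.116.x.x WEBMAIL netmask 255.255.255.255
static (inside,outside) 172.30.59.91 access-list ZANTAZ_VPN4
"""

# Constructed sample: policy-NAT static first (the order reported to work).
WORKING_ORDER = """
access-list ZANTAZ_VPN4 extended permit ip host WEBMAIL object-group ZANTAZ
static (inside,outside) 172.30.59.91 access-list ZANTAZ_VPN4
static (inside,outside) 208.116.x.x WEBMAIL netmask 255.255.255.255
"""

if __name__ == "__main__":
    for policy, regular in find_shadowed_policy_statics(BROKEN_ORDER):
        print(f"policy static after regular static:\n  {policy}\n  {regular}")
```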