ASA 5520 NAT Statement Help

Jul 24th, 2007

Hello. First time to the forum.


We are trying to get a NAT translation into our ASA/PIX 5520 for a L2L VPN connection.


Every time I try to enter the static (inside, outside) command, I get this error:


ERROR: access-list used in static has different local addresses


All of our current NAT translations go to our Internet IPs. This one, however, is for an internal translation to go down the VPN tunnel.


Can someone tell me what this error is?


Thanks in advance. - Mark

srue Tue, 07/24/2007 - 11:31

We need to see the full command you're trying to enter with the static command, and the access-list that goes with it. Any other nat/static statements involving these addresses would be helpful too.

markpatla Tue, 07/24/2007 - 11:44

OK. Here is what I was trying:


static (inside,outside) 10.251.84.68 access-list Fxxx


access-list Fxxx extended permit ip host 172.25.20.12 128.x.x.x 255.255.255.0

access-list Fxxx extended permit ip host 10.64.12.71 128.x.x.x 255.255.255.0

access-list Fxxx extended permit ip host 10.64.12.72 128.x.x.x 255.255.255.0



Neither the 128.x.x.x nor the 10.251. addresses are referenced in my no-nat acl.


Thanks.

srue Tue, 07/24/2007 - 11:59

You can't use the static command. You have too many source addresses.

Try the following:

nat (inside) 1 access-list Fxxx

global (outside) 1 10.251.84.68


This might not have the desired effect though, if connections are initiated from the other side of the tunnel.

You really need more than just the one 10.251.84.68 address for NAT'ing these addresses across the tunnel.
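
An added example, not part of any post in this thread: a small Python lint for the condition srue points to, flagging any `static ... access-list` whose ACL names more than one local (source) address. The sample config is constructed from the commands quoted above; 192.0.2.0 stands in for the masked 128.x.x.x network, and the ACL name ONEHOST and mapped address 10.251.84.69 are invented for contrast.

```python
import re

# Constructed sample mirroring the thread's commands. 128.x.x.x is masked on
# the page, so 192.0.2.0 (documentation range) stands in for it. ONEHOST and
# 10.251.84.69 are hypothetical, added to show a static that passes the check.
SAMPLE_CONFIG = """\
access-list Fxxx extended permit ip host 172.25.20.12 192.0.2.0 255.255.255.0
access-list Fxxx extended permit ip host 10.64.12.71 192.0.2.0 255.255.255.0
access-list Fxxx extended permit ip host 10.64.12.72 192.0.2.0 255.255.255.0
access-list ONEHOST extended permit ip host 10.64.12.71 192.0.2.0 255.255.255.0
static (inside,outside) 10.251.84.68 access-list Fxxx
static (inside,outside) 10.251.84.69 access-list ONEHOST
"""

# Source field of an ACE: "host A.B.C.D", "any", or "network mask".
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(host\s+\S+|any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)\s+")
STATIC_RE = re.compile(
    r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+access-list\s+(\S+)")

def acl_sources(config):
    """Map each ACL name to the set of local (source) specs in its ACEs."""
    sources = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            sources.setdefault(m.group(1), set()).add(" ".join(m.group(2).split()))
    return sources

def lint_policy_statics(config):
    """Return (mapped_ip, acl, sorted_sources) for each static policy NAT
    whose ACL names more than one local address."""
    sources = acl_sources(config)
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            srcs = sources.get(m.group(4), set())
            if len(srcs) > 1:
                findings.append((m.group(3), m.group(4), sorted(srcs)))
    return findings

if __name__ == "__main__":
    for mapped, acl, srcs in lint_policy_statics(SAMPLE_CONFIG):
        print(f"static -> {mapped}: ACL {acl} has {len(srcs)} local addresses: {srcs}")
```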
