ASA 5520 NAT Statement Help

markpatla
Level 1

Hello. First time to the forum.

We are trying to get a NAT translation into our ASA/PIX 5520 for a L2L VPN connection.

Every time I try to enter the static (inside, outside) command, I get this error:

ERROR: access-list used in static has different local addresses

All of our current NAT translations go to our Internet IPs. This one, however, is for an internal translation to go down the VPN tunnel.

Can someone tell me what this error is?

Thanks in advance. - Mark

3 Replies

srue
Level 7

We need to see the full command you're trying to enter with the static command, and the access-list that goes with it. Any other nat/static statements involving these addresses would be helpful too.

OK. Here is what I was trying:

static (inside,outside) 10.251.84.68 access-list Fxxx

access-list Fxxx extended permit ip host 172.25.20.12 128.x.x.x 255.255.255.0

access-list Fxxx extended permit ip host 10.64.12.71 128.x.x.x 255.255.255.0

access-list Fxxx extended permit ip host 10.64.12.72 128.x.x.x 255.255.255.0

Neither the 128.x.x.x nor the 10.251. addresses are referenced in my no-nat acl.

Thanks.

You can't use the static command. You have too many source addresses.

Try the following:

nat (inside) 1 access-list Fxxx

global (outside) 1 10.251.84.68

This might not have the desired effect though, if connections are initiated from the other side of the tunnel.

You really need more than just the one 10.251.84.68 address for NAT'ing these addresses across the tunnel.
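
An added example, not written by any poster in this thread and not Cisco code: a Python pre-check that models the rule given in the reply above (an access-list used with static may contain only one local, i.e. source, address) and picks between the static form and the nat/global form. It runs on the ACL lines exactly as posted, with the destination left elided; the function names and the simplified ACE parsing are assumptions of this example.

```python
import re

# ACL lines as posted in the thread (destination left elided, as on the page).
ACL_TEXT = """\
access-list Fxxx extended permit ip host 172.25.20.12 128.x.x.x 255.255.255.0
access-list Fxxx extended permit ip host 10.64.12.71 128.x.x.x 255.255.255.0
access-list Fxxx extended permit ip host 10.64.12.72 128.x.x.x 255.255.255.0
"""

# Simplified match for "access-list NAME extended permit PROTO <src> <dst>".
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+\S+\s+(?P<rest>.+)$"
)

def local_addresses(acl_text, acl_name):
    """Return the distinct source (local) specs of the named ACL, in order."""
    seen = []
    for line in acl_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group("name") != acl_name:
            continue
        tok = m.group("rest").split()
        if tok[0] == "any":
            src = ("any",)
        elif len(tok) < 2:
            continue                      # malformed ACE, skip it
        elif tok[0] == "host":
            src = ("host", tok[1])
        else:
            src = ("net", tok[0], tok[1])  # address followed by mask
        if src not in seen:
            seen.append(src)
    return seen

def suggest_nat(acl_text, acl_name, mapped_ip, nat_id=1):
    """Choose static vs. nat/global, following the advice in the replies."""
    sources = local_addresses(acl_text, acl_name)
    if not sources:
        raise ValueError(f"no permit entries found for ACL {acl_name}")
    if len(sources) == 1:
        # One local address: the policy static form is accepted.
        return [f"static (inside,outside) {mapped_ip} access-list {acl_name}"]
    # Several local addresses: static is rejected, fall back to policy PAT.
    return [f"nat (inside) {nat_id} access-list {acl_name}",
            f"global (outside) {nat_id} {mapped_ip}"]

if __name__ == "__main__":
    print("\n".join(suggest_nat(ACL_TEXT, "Fxxx", "10.251.84.68")))
```

As the reply notes, the nat/global result only covers connections initiated from the inside; it does not give the remote side a fixed address per host.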
