Static Policy NATing

Unanswered Question
Dec 27th, 2007


I have recently installed an ASA5510 as our Firewall which actually replaced the old PIX. Now I am stuck with Static NATing. On the old PIX I could have multiple Static statements translating different public IP addresses to one IP address in my DMZ network. But it looks like I cannot do it any more with ASA. By the way I am running ASA Version 7.0(7). I have read a few posts and articles online and it seems Static Policy NAT is the answer, but I cannot get it configured as I am still getting the "global address overlaps with mask" error. I have to translate multiple public IP addresses (for example,, to in my DMZ. Please see the following configuration I have tried.

#access-list 101 extended permit tcp any host eq www

#access-list 101 extended permit tcp any host eq www

#access-list 101 extended permit tcp any host eq https

#access-group 101 in interface Outside

#access-list sun01-1 extended permit tcp any host eq www

#access-list sun01-2 extended permit tcp any host eq https

#static (DMZ,Outside) access-list sun01-1

#static (DMZ,Outside) access-list sun01-1

#static (DMZ,Outside) access-list sun01-2

Could you please look at the config and help me out on this.

Your help is much appreciated.


Hi, here are the changes necessary to fix your problem. The problem is your static statements are defined for one-to-one NAT while your policy NAT ACLs match on port address translation. That's why you are getting the error message regarding "global address overlaps with mask." Your ACLs are also matching on the wrong traffic. Let me know if this makes any sense.


access-list sun01-1 permit tcp host eq www any

access-list sun01-2 permit tcp host eq www any

access-list sun01-3 permit tcp host eq https any

static (DMZ,Outside) tcp www access-list sun01-1

static (DMZ,Outside) tcp www access-list sun01-2

static (DMZ,Outside) tcp https access-list sun01-3
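As an added illustration (not part of the thread or of any Cisco tool), the following Python lint parses ASA 7.x `access-list` and `static` lines and reports the two defects the answer above names: one-to-one policy statics that map one real host to several global addresses, and policy NAT ACLs whose source is `any` instead of the real DMZ host. The DMZ host 172.16.1.10 and the global addresses 192.0.2.11-13 are constructed placeholders, since the thread's own addresses did not survive.

```python
import re
from collections import defaultdict

# Grammar of the two ASA 7.x static forms in the thread; addresses in the samples are constructed.
ONE_TO_ONE = re.compile(r"^static \((\S+),(\S+)\) (\d+(?:\.\d+){3}) access-list (\S+)$")
PORT_PAT = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\d+(?:\.\d+){3}) (\S+) access-list (\S+)$")
ACL = re.compile(r"^access-list (\S+) (?:extended )?permit \S+ (any|host \d+(?:\.\d+){3})")

def lint_static_nat(config):
    """Return a list of problems found in a set of ASA policy static NAT statements."""
    acl_source = {m.group(1): m.group(2) for line in config if (m := ACL.match(line.strip()))}
    one_to_one = defaultdict(list)  # real host (or ACL name) -> mapped global addresses
    pat = defaultdict(list)         # (mapped_if, proto, global ip, port) -> statements
    problems = []
    for line in config:
        s = line.strip()
        if m := ONE_TO_ONE.match(s):
            acl, src = m.group(4), acl_source.get(m.group(4), "any")
            if src == "any":  # policy NAT ACL must name the real (DMZ) address as its source
                problems.append(f"{s}: ACL {acl} matches source 'any', not the real host")
            one_to_one[src if src != "any" else f"ACL {acl}"].append(m.group(3))
        elif m := PORT_PAT.match(s):
            pat[(m.group(2), m.group(3), m.group(4), m.group(5))].append(s)
    for real, mapped in one_to_one.items():  # one-to-one: one real address, one global address
        if len(mapped) > 1:
            problems.append(f"{real} mapped one-to-one to more than one global address: {sorted(mapped)}")
    for (mapped_if, proto, ip, port), stmts in pat.items():  # static PAT: (global ip, port) unique
        if len(stmts) > 1:
            problems.append(f"duplicate static PAT {proto} {ip} {port} on {mapped_if}")
    return problems

# Constructed sample: the original poster's structure, one-to-one statics reusing one ACL.
BEFORE = [
    "access-list sun01-1 extended permit tcp any host 172.16.1.10 eq www",
    "access-list sun01-2 extended permit tcp any host 172.16.1.10 eq https",
    "static (DMZ,Outside) 192.0.2.11 access-list sun01-1",
    "static (DMZ,Outside) 192.0.2.12 access-list sun01-1",
    "static (DMZ,Outside) 192.0.2.13 access-list sun01-2",
]
# Constructed sample following the answer: port-based statics, ACL source = real host.
AFTER = [
    "access-list sun01-1 permit tcp host 172.16.1.10 eq www any",
    "access-list sun01-2 permit tcp host 172.16.1.10 eq www any",
    "access-list sun01-3 permit tcp host 172.16.1.10 eq https any",
    "static (DMZ,Outside) tcp 192.0.2.11 www access-list sun01-1",
    "static (DMZ,Outside) tcp 192.0.2.12 www access-list sun01-2",
    "static (DMZ,Outside) tcp 192.0.2.13 https access-list sun01-3",
]
```

Running `lint_static_nat(BEFORE)` reports the reused ACL and the `any` sources; `lint_static_nat(AFTER)` returns an empty list.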

neazchowdhury Fri, 12/28/2007 - 03:15

Sorry, I did not see rmaxson2's post and tried palomoj's suggestion and it worked straight away. Thank you so much.

I am wondering if you could suggest a couple of good books on ASA for me. I am kind of new to ASA/Firewall/IPS world with some basic knowledge of routing and switching at CCNA level.

Thanks a lot once again for your help.

srue Fri, 12/28/2007 - 09:15

The all-in-one book that palomo recommends in his first link is good. I'm using that to help me for my security lab. And of course the documentation on CCO is great - and free - just a little hard to follow if you're new to networking or Cisco.

