Unable to PAT

Unanswered Question
Sep 15th, 2008
User Badges:


We are using ASA 7.1(2). I am unable to make dynamic translation in the firewall, it prompts me with error "INFO: Global address overlaps with NAT exempt configuration".

Now I have Nat 0 configured by calling respective extended acl on specific source and destination [nat (inside) 0 access-list nonatinside] and no where there is a match to later addresses.

Can anyone pl. let me know the sequence taken by NAT translation in ASA.

Request you kind help.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
piyush_singh Tue, 09/16/2008 - 10:40
User Badges:

Hi Andrew

The problem is resolved for NAT... Now one more issue came up ie if we have an acl nonatinside for icmp permit any any in acl created for nat 0 then the inside address are not nating but as soon as we remove icmp permit acl from the nonatinside acessgroup it starts working for me.....

Can anyone help in guiding this in detail.

- Piyush(on behalf of amol)

piyush_singh Wed, 09/17/2008 - 10:08
User Badges:


global(outside) 13 x.x.x.x netmask

nat (inside) 0 access-list nonatinside

nat (inside) 13 access-list testing

access-list testing extended permit ip object-group inside-users object-group mpls-destination

access-list nonatinside extended permit ip host host

access-list nonatinside extended permit icmp any any echo

access-list nonatinside extended permit icmp any any echo-reply

Now the scenario is that we have 2 different locations. When 1 site comunicates with the other site the traffic shoudnt be batted as it goes through metroethernet. But when the inside user needs to access the traffic that is on internet it should be natted.

What happens is that the traffic for the internet host doesnt get natted... to get it natted i need to place a deny acl above the icmp acl in nonatinside for that particular internet destination. Which shouldnt happen as there is a default deny at the end of acl if the traffic doesnt match it should get nat to go outside internet host on mpls. But as soon as i remove the icmp acls from nonatinside acl everything works fine....

So my question is that is the icmp acl which is creating the problem. I know that icmp acl is not required in nonatinside acl but still as itss for icmp it shouldnt affect the ip traffic.

--- Piyush


This Discussion