
Unable to PAT

rush2amol

Hi,

We are using ASA 7.1(2). I am unable to configure dynamic translation on the firewall; it prompts me with the error "INFO: Global address overlaps with NAT exempt configuration".

Now I have NAT 0 configured by calling the respective extended ACL on a specific source and destination [nat (inside) 0 access-list nonatinside], and nowhere is there a match to the later addresses.

Can anyone please let me know the sequence taken by NAT translation in the ASA?

Requesting your kind help.

Regards,

Amol


andrew.prince

Amol,

Can you post your current config? There would appear to be a config error.

HTH

Hi Andrew

The problem is resolved for NAT. Now one more issue has come up, i.e. if we have an ICMP permit any any entry in the nonatinside ACL created for nat 0, then the inside addresses are not NATing, but as soon as we remove the ICMP permit ACL from the nonatinside access group it starts working for me.

Can anyone help by explaining this in detail?

- Piyush (on behalf of Amol)

Post your no-nat and your static and dynamic NAT statements for review?

nat-control

global(outside) 13 x.x.x.x netmask 255.255.255.255

nat (inside) 0 access-list nonatinside

nat (inside) 13 access-list testing

access-list testing extended permit ip object-group inside-users object-group mpls-destination

access-list nonatinside extended permit ip host 10.223.144.1 host 10.192.10.1

access-list nonatinside extended permit icmp any any echo

access-list nonatinside extended permit icmp any any echo-reply

Now the scenario is that we have 2 different locations. When 1 site communicates with the other site, the traffic shouldn't be NATted as it goes through Metro Ethernet. But when an inside user needs to access traffic that is on the internet, it should be NATted.

What happens is that the traffic for the internet host doesn't get NATted. To get it NATted I need to place a deny ACL above the ICMP ACL in nonatinside for that particular internet destination. This shouldn't happen, as there is a default deny at the end of the ACL; if the traffic doesn't match, it should get NATted to go to the outside internet host on MPLS. But as soon as I remove the ICMP ACLs from the nonatinside ACL, everything works fine.

So my question is: is the ICMP ACL creating the problem? I know that the ICMP ACL is not required in the nonatinside ACL, but still, as it's for ICMP, it shouldn't affect the IP traffic.

--- Piyush

no replies from anyone......
