09-15-2008 12:01 AM
Hi,
We are using ASA 7.1(2). I am unable to create a dynamic translation in the firewall; it prompts me with the error "INFO: Global address overlaps with NAT exempt configuration".
Now I have NAT 0 configured by calling the respective extended ACL on specific source and destination addresses [nat (inside) 0 access-list nonatinside], and nowhere is there a match to the latter addresses.
Can anyone please let me know the sequence taken by NAT translation in the ASA?
Request your kind help.
Regards,
Amol
09-15-2008 02:04 AM
Amol,
Can you post your current config, as there would appear to be a config error?
HTH
09-16-2008 10:40 AM
Hi Andrew,
The problem is resolved for NAT. Now one more issue came up, i.e. if we have an ACL nonatinside with "permit icmp any any" in the ACL created for nat 0, then the inside addresses are not NATing, but as soon as we remove the ICMP permit ACE from the nonatinside access-group it starts working for me.
Can anyone help in guiding this in detail?
- Piyush (on behalf of Amol)
09-16-2008 11:08 AM
Post your no-NAT and your static and dynamic NAT statements for review?
09-17-2008 10:08 AM
nat-control
global (outside) 13 x.x.x.x netmask 255.255.255.255
nat (inside) 0 access-list nonatinside
nat (inside) 13 access-list testing
access-list testing extended permit ip object-group inside-users object-group mpls-destination
access-list nonatinside extended permit ip host 10.223.144.1 host 10.192.10.1
access-list nonatinside extended permit icmp any any echo
access-list nonatinside extended permit icmp any any echo-reply
Now the scenario is that we have 2 different locations. When 1 site communicates with the other site the traffic shouldn't be NATted, as it goes through Metro Ethernet. But when the inside user needs to access traffic that is on the internet it should be NATted.
What happens is that the traffic for the internet host doesn't get NATted... To get it NATted I need to place a deny ACE above the ICMP ACE in nonatinside for that particular internet destination. This shouldn't happen, as there is a default deny at the end of the ACL: if the traffic doesn't match, it should get NATted to go out to the internet host on MPLS. But as soon as I remove the ICMP ACEs from the nonatinside ACL everything works fine....
So my question is, is it the ICMP ACE which is creating the problem? I know that the ICMP ACE is not required in the nonatinside ACL, but still, as it's for ICMP, it shouldn't affect the IP traffic.
--- Piyush
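The NAT decision described in the thread, as an added example that is not part of any post above: a small Python model of the ASA 7.x order of operations (nat 0 exemption checked first, then the dynamic nat/global 13 pair), evaluated against the posted nonatinside ACL. It assumes, as Cisco documents for NAT exemption and as the observed behaviour suggests, that the exemption ACL is matched on source and destination addresses only, so the protocol and the echo/echo-reply ICMP types are not considered; the host 10.223.144.5 and the internet address 198.51.100.10 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "icmp", "tcp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

ANY = ipaddress.ip_network("0.0.0.0/0")

def host(addr):
    return ipaddress.ip_network(f"{addr}/32")

# The nonatinside ACL as posted; the ICMP type keywords (echo, echo-reply) are
# dropped here because the exemption lookup is assumed not to consider them.
NONAT_WITH_ICMP = [
    Ace("permit", "ip", host("10.223.144.1"), host("10.192.10.1")),
    Ace("permit", "icmp", ANY, ANY),    # echo
    Ace("permit", "icmp", ANY, ANY),    # echo-reply
]
NONAT_IP_ONLY = NONAT_WITH_ICMP[:1]     # the same ACL with the ICMP ACEs removed

# Constructed sample hosts (not from the thread).
INSIDE_USER = "10.223.144.5"
INTERNET_HOST = "198.51.100.10"

def exempt_matches(acl, src, dst, proto, addresses_only=True):
    """First-match evaluation of a nat 0 access-list. With addresses_only=True
    (assumed NAT-exemption behaviour) an ACE keys on source/destination only;
    with False the protocol is compared as well. No match = implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        proto_ok = addresses_only or ace.proto in ("ip", proto)
        if s in ace.src and d in ace.dst and proto_ok:
            return ace.action == "permit"
    return False

def nat_decision(src, dst, proto, nonat_acl, addresses_only=True):
    """ASA 7.x order: NAT exemption wins over dynamic NAT (nat 13 / global 13)."""
    if exempt_matches(nonat_acl, src, dst, proto, addresses_only):
        return "exempt"
    return "dynamic"   # translated by global (outside) 13

# The workaround from the thread: a deny ACE for the internet host placed above the ICMP ACEs.
NONAT_WITH_DENY = [Ace("deny", "ip", ANY, host(INTERNET_HOST))] + NONAT_WITH_ICMP
```

Running nat_decision(INSIDE_USER, INTERNET_HOST, "tcp", NONAT_WITH_ICMP) returns "exempt", reproducing the symptom, while NONAT_IP_ONLY and NONAT_WITH_DENY both return "dynamic".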
09-21-2008 10:54 PM
No replies from anyone...