WARNING: mapped-address conflict with existing static

Feb 5th, 2009

Want to say thanks in advance -thanks.

I'm trying to allow access from my guest network (inside-guest) to particular servers on my inside network. The guest network is using the 192.168 network.

I'm getting the error below.

--Config already in place---

static (inside,outside) x.X.X.4 netmask

static (inside,outside) tcp x.X.X.6 www www netmask

static (inside,outside) tcp X.X.X.6 https https netmask

--Config I want to add---

static (inside-guest,outside) tcp X.X.X.4 www www netmask

static (inside-guest,outside) tcp X.X.X.6 www www netmask

static (inside-guest,outside) tcp X.X.X.6 https https netmask

WARNING: mapped-address conflict with existing static

inside: to outside:X.X.X.4 netmask

From my understanding you can't have two static entries for the same IP address and port numbers.

What would be another solution around this? Maybe creating an Object-Group that allows only the ports I need and applying it to the inside-guest interface? Hmmm

pstebner10 Thu, 02/05/2009 - 10:24

Are the servers on the inside network? According to your config, you have 3 servers on your inside network, and that is the network. The config that you want to add is mapping between inside-guest and outside, when it looks like it should be inside-network and inside. If that is the case, you could exclude that traffic from being NATed altogether and use ACLs to restrict traffic.



edit - I just saw that your inside-guest network is 192.168.x.x, so use a nat(0) statement to exclude traffic from this network going toward your inside network from being NATed, and use ACLs to restrict traffic to those servers.

pstebner10 Thu, 02/05/2009 - 10:29

access-list 100 extended permit tcp 192.168.x.y host 10.1.20.x eq www


nat (inside-guest) 0 access-list 100

DialerString_2 Thu, 02/05/2009 - 10:36

Ahh, this is what I have now.

global (outside) 1 x.x.x.5

nat (inside-guest) 1

pstebner10 Thu, 02/05/2009 - 10:41

That should stay in place. That allows all addresses from your inside-guest network to be PATed to your external interface address, thus allowing internet access. Just add the nat(0) command from above to exclude traffic from being NATed when going to the Inside network.



DialerString_2 Thu, 02/05/2009 - 13:56

nat (inside) 0 access-list 90

access-list 90 extended permit ip any

This is the one I have now, would it do the same???

pstebner10 Thu, 02/05/2009 - 14:10

That access-list will allow traffic to go un-NATed from your inside network to your inside-guest network. The one I posted earlier is also necessary, as this will allow traffic sourced from your inside-guest network to bypass NAT and go to the servers on your inside network.

If the users on the inside-guest network are to only access the 3 servers that you had mentioned, you will need three lines in your ACL - One for each server.
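The approach described in the reply above, written out as an added example that is not part of the thread: a NAT exemption with one line per server, plus an interface ACL that limits guests to those servers. The guest subnet 192.168.100.0/24, the inside subnet 10.1.20.0/24, the server addresses 10.1.20.11-13, the per-server ports and the ACL names are assumptions.

```cisco
! Added example. Assumed values: guest subnet 192.168.100.0/24, inside subnet
! 10.1.20.0/24, servers 10.1.20.11-13, ACL names GUEST-NONAT and GUEST-IN.

! 1. NAT exemption: guest-to-server traffic keeps its real addresses.
!    NAT exemption matches on addresses only, so these entries use "ip";
!    the port restriction is enforced by the interface ACL in step 2.
access-list GUEST-NONAT extended permit ip 192.168.100.0 255.255.255.0 host 10.1.20.11
access-list GUEST-NONAT extended permit ip 192.168.100.0 255.255.255.0 host 10.1.20.12
access-list GUEST-NONAT extended permit ip 192.168.100.0 255.255.255.0 host 10.1.20.13
nat (inside-guest) 0 access-list GUEST-NONAT

! 2. Interface ACL: guests reach only the listed ports on the three
!    servers, nothing else on the inside subnet, and then the Internet
!    through the existing "nat (inside-guest) 1" / "global (outside) 1" PAT.
access-list GUEST-IN extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.20.11 eq www
access-list GUEST-IN extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.20.12 eq www
access-list GUEST-IN extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.20.12 eq https
access-list GUEST-IN extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.20.13 eq www
access-list GUEST-IN extended deny ip any 10.1.20.0 255.255.255.0
access-list GUEST-IN extended permit ip 192.168.100.0 255.255.255.0 any
access-group GUEST-IN in interface inside-guest
```

The hit counts in `show access-list GUEST-IN` confirm which entries guest traffic matches, including the deny line for the rest of the inside subnet.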



DialerString_2 Thu, 02/05/2009 - 14:36

I got it, thanks to you!!! I've been busting my brains with the nat 0 command all day and it only sends the real IP address, i.e. 192.168.100.X, to a server's real IP address 10.1.20.X. No xlate is involved so - basically it simulates a router with an s0/0/0 (public) interface that needs to pass traffic to the F0/0 (pvt) interface by using static routes and ACLs.

