WARNING: mapped-address conflict with existing static

DialerString_2 · ‎02-05-2009

Want to say thanks in advance -thanks.

I'm trying to allow access from my guest network (inside-guest) to particular servers on my inside network. The guest network is using 192.168 network.

I'm getting the error below.

--Config already in place---

static (inside,outside) x.X.X.4 10.1.20.22 netmask 255.255.255.255

static (inside,outside) tcp x.X.X.6 www 10.1.22.1 www netmask 255.255.255.255

static (inside,outside) tcp X.X.X.6 https 10.1.22.1 https netmask 255.255.255.255

--Config I want to add---

static (inside-guest,outside) tcp X.X.X.4 www 10.1.20.22 www netmask 255.255.255.255

static (inside-guest,outside) tcp X.X.X.6 www 10.1.22.1 www netmask 255.255.255.255

static (inside-guest,outside) tcp X.X.X.6 https 10.1.22.1 https netmask 255.255.255.255

WARNING: mapped-address conflict with existing static

inside:10.1.20.22 to outside:X.X.X.4 netmask 255.255.255.255

From my understanding you can't have to static entries for the same ip address and port numbers.

What would be another solution around this? Maybe creating an Object-Group that allow only the ports

I need and applying it and to the inside-guest interface? Hmmm

pstebner10 · ‎02-05-2009

Are the servers on the inside network? According to your config, you have 3 servers on your inside network, and that is the 10.1.20.0 network. The config that you want to add is mapping between inside-guest and outside, when it looks like it should be inside-network and inside. If that is the case, you could exclude that traffic from being NATed altogether and use ACLs to restrict traffic.

HTH,

Paul

edit - I just saw that your inside-guest network is 192.168.x.x, so, use a nat(0) statement to exclude traffic from this network going toward your inside network from being natted, and use acls to restrict traffict to those servers.

pstebner10 · ‎02-05-2009

access-list 100 extended permit tcp 192.168.x.y 255.255.255.0 host 10.1.20.x eq www

etc...

nat (inside-guest) 0 access-list 100

DialerString_2 · ‎02-05-2009

Ahh, This is what I have now.

global (outside) 1 x.x.x.5

nat (inside-guest) 1 192.168.100.0 255.255.255.0

pstebner10 · ‎02-05-2009

That should stay in place. That allows all addresses from your inside-guest network to be PATed to your external interface address, thus allowing internet access. Just add the nat(0) command from above to exclude traffic from being NATed when going to the Inside network.

HTH,

Paul

DialerString_2 · ‎02-05-2009

nat (inside) 0 access-list 90

access-list 90 extended permit ip any 192.168.0.0 255.255.0.0

this is the one i have now, would it do the same???

pstebner10 · ‎02-05-2009

That access-list will allow trafic to go un-NATed from your inside network to your inside-guest network. The one I posted earlier is also necessary, as this will allow traffic sourced from your inside-guest network to bypass NAT and go to the servers on your inside network.

If the users on the inside-guest network are to only access the 3 servers that you had mentioned, you will need three lines in your ACL - One for each server.

HTH,

Paul

DialerString_2 · ‎02-05-2009

I got it, thanks to you!!! I've been busting my brains with the nat 0 command all day and it only sends the real ip address i.e 192.168.100.X to a server's real ip address 10.1.20.X. No xlate is involved so - basically it simulates a router with an s0/0/0(public) interface that needs to pass traffic to F0/0(pvt) interface by using static routes and ACLs.