Xlating 1 inside address to 2 different outsides


I have the need to NAT an inside address (DMZ actually) to two different outside addresses: one outside address is just for internet access, the other one is a NATed address on a VPN L2L tunnel.

So I want to translate to if going through the L2L tunnel and destined to the network (tunnel terminated on outside interface), but I want it to translate to my public address if going out to internet (outside).

I've tried using access lists for the second VPN tunnel static entry but get a "duplicate static entry" message when entering the static command.

This is my scenario I tried:

I have my original "classic"

static (inside,outside) netmask

Then for my L2L tunnel:

access-list L2L extended permit ip host

static (inside,outside) access-list L2L

Then, I also put in my nat commands:

nat (dmz) 1 access-list NAT_L2L h

access-list NAT_L2L host 1 host

I have two questions:

1) Originally there was not a nat (dmz,outside) command, but statics for dmz-outside. I thought you always needed a "nat" command for an interface when translating.....

2) Proper configuration for translating same inside (or DMZ) address to two different outside IP addresses, dependent upon their destination.....


Yudong Wu Fri, 09/25/2009 - 09:57

I am not sure what version you are using. If you just want to nat for host, your config should be good. Static NAT should be good enough and you don't need any "nat" command here.

static (inside,outside) netmask

static (inside,outside) access-list L2L

I tested above in 7.x version. I got "INFO: overlap with existing static" message but both commands were taken in config. ASA/PIX will check policy static NAT first, therefore, there is no conflict here.
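A filled-in version of the two statics above, added here as an example and not taken from the thread. All addresses are constructed (192.168.10.5 for the DMZ host, 10.20.0.0/16 for the remote L2L network, 172.16.1.5 and 203.0.113.5 for the two mapped addresses), and the names L2L_CRYPTO, OUTSIDE_MAP and OUTSIDE_IN are assumptions; only L2L comes from the thread. It assumes pre-8.3 ASA NAT syntax, where policy statics are matched before regular statics and interface ACLs reference the mapped address:

```cisco
! Constructed example addresses (not from the thread):
!   DMZ server, real address:       192.168.10.5
!   Remote network across the L2L:  10.20.0.0/16
!   Mapped address used in tunnel:  172.16.1.5
!   Mapped address used for Internet: 203.0.113.5

! 1) Policy static: only traffic from the DMZ host to the remote L2L
!    network is translated to 172.16.1.5. The ACL matches the real
!    (pre-translation) source and the real destination.
access-list L2L extended permit ip host 192.168.10.5 10.20.0.0 255.255.0.0
static (dmz,outside) 172.16.1.5 access-list L2L

! 2) Regular static: every other flow from the host (Internet-bound)
!    uses the public address. The ASA checks policy statics first, so
!    this one is used only when the L2L ACL does not match.
static (dmz,outside) 203.0.113.5 192.168.10.5 netmask 255.255.255.255

! 3) The crypto ACL for the L2L tunnel must match the *mapped* address,
!    because NAT is applied before the crypto map lookup on the ASA.
!    (ACL and crypto map names are assumed.)
access-list L2L_CRYPTO extended permit ip host 172.16.1.5 10.20.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO

! 4) Cisco's reply in this thread notes that inbound traffic may hit
!    the policy static regardless of source (CSCso79009). An inbound
!    ACL on outside limits 172.16.1.5 to the remote L2L network; add
!    permits for whatever 203.0.113.5 must expose to the Internet.
access-list OUTSIDE_IN extended permit ip 10.20.0.0 255.255.0.0 host 172.16.1.5
access-group OUTSIDE_IN in interface outside

! Verify which translation a given flow actually received:
!   show xlate | include 192.168.10.5
```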

Kureli Sankar Sat, 09/26/2009 - 05:29

We do not support overlapping static.

This may work for outbound traffic but inbound may hit the policy static for any source IP address due to this (enhancement) defect CSCso79009.

osiristrading Sun, 09/27/2009 - 08:52

Bind two IPs to the server in question and set up a different NAT for each one.

That is a good idea that should work, but I'm sure the server guys would give me a dirty look :)

My other choice may be to create a new sub-interface on the dmz (with a less secure level assigned) and terminate my IPSEC tunnel there.

That way I'll have the same inside (dmz) address translated to a different address on the outside interface and a different address on the new sub-interface. Does that sound reasonable?
