Xlating 1 inside address to 2 different outsides


I have the need to NAT an inside address (DMZ actually) to two different outside addresses: one outside address is just for internet access, the other one is a NATed address on a VPN L2L tunnel.

So I want 10.10.10.1 to translate to 192.168.1.1 if going through the L2L tunnel and destined to the 172.16.0.0 network (tunnel terminated on the outside interface), but I want it to translate to my public address 64.0.0.0 if going out to the internet (outside).

I've tried using access lists for the second VPN tunnel static entry but get a "duplicate static entry" message when entering the static command.

This is my scenario I tried:

I have my original "classic"

static (inside,outside) 64.1.1.1 10.1.1.1 netmask 255.255.255.255

Then for my L2L tunnel:

access-list L2L extended permit ip host 10.1.1.1 host 172.16.1.1

static (inside,outside) 192.168.1.1 access-list L2L

Then, I also put in my nat commands:

nat (dmz) 1 access-list NAT_L2L

access-list NAT_L2L extended permit ip host 10.1.1.1 host 172.16.1.1

I have two questions:

1) Originally there was not a nat (dmz,outside) command, only statics for dmz-outside. I thought you always needed a "nat" command for an interface when translating...

2) Proper configuration for translating the same inside (or DMZ) address to two different outside IP addresses, dependent upon their destination...

THANKS!!!!

Yudong Wu Fri, 09/25/2009 - 09:57

I am not sure what version you are using. If you just want to NAT host 10.1.1.1, your config should be good. Static NAT should be good enough and you don't need any "nat" command here.

static (inside,outside) 64.1.1.1 10.1.1.1 netmask 255.255.255.255

static (inside,outside) 192.168.1.1 access-list L2L

I tested the above on 7.x. I got an "INFO: overlap with existing static" message, but both commands were taken into the config. ASA/PIX checks policy static NAT first, therefore there is no conflict here.

Kureli Sankar Sat, 09/26/2009 - 05:29

We do not support overlapping static.

This may work for outbound traffic but inbound may hit the policy static for any source IP address due to this (enhancement) defect CSCso79009.

osiristrading Sun, 09/27/2009 - 08:52

Bind two IPs to the server in question and set up a different NAT for each one.

That is a good idea that should work, but I'm sure the server guys would give me a dirty look :)

My other choice may be to create a new sub-interface on the dmz (with a lower security level assigned) and terminate my IPsec tunnel there.

That way I'll have the same inside (dmz) address translated to a different address on the outside interface and a different address on the new sub-interface. Does that sound reasonable?
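For reference, here is the "two addresses on the server" variant suggested above written out as a complete pre-8.3 ASA fragment. This is an added example, not configuration posted by anyone in the thread. The interface names dmz/outside, the second server address 10.1.1.2, the peer address 203.0.113.1 and the crypto map, transform-set and ACL names are assumptions for illustration; 64.1.1.1, 192.168.1.1 and 172.16.1.1 are the addresses used in the question. Because each address gets its own one-to-one static, no two statics overlap, so the "duplicate static entry" / "overlap with existing static" issue discussed in the replies does not arise.

```cisco
! Added example (not from the thread): pre-8.3 ASA syntax, one static per
! server address. Names and the peer/second-server addresses are assumed.
!
! Server's two DMZ addresses:
!   10.1.1.1 -> 64.1.1.1     (ordinary internet traffic)
!   10.1.1.2 -> 192.168.1.1  (traffic to 172.16.1.1 over the L2L tunnel)
static (dmz,outside) 64.1.1.1 10.1.1.1 netmask 255.255.255.255
static (dmz,outside) 192.168.1.1 10.1.1.2 netmask 255.255.255.255

! No "nat (dmz) ..." command is needed for these hosts: a static is a
! complete bidirectional translation on its own (as the first reply notes).

! Interesting-traffic ACL for the tunnel. On the outbound path the ASA
! translates before it encrypts, so the crypto ACL must match the
! TRANSLATED address 192.168.1.1, not the real address 10.1.1.2.
access-list L2L_CRYPTO extended permit ip host 192.168.1.1 host 172.16.1.1

! Tunnel definition (IKEv1 site-to-site; all names assumed).
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <replace-with-real-key>
```

Two things to check after applying it. First, the split happens on the server, not on the firewall: the server must source its connections to 172.16.1.1 from 10.1.1.2, which on a Linux host means a host route with an explicit source (for example `ip route add 172.16.1.1 via <dmz-gateway> src 10.1.1.2`); if it sources from 10.1.1.1, the packet is translated to 64.1.1.1, misses the crypto ACL and goes out to the internet in the clear. Second, verify the firewall side with `packet-tracer input dmz tcp 10.1.1.2 1025 172.16.1.1 80`, which should show the static to 192.168.1.1 in the NAT phase and the tunnel in the VPN phase, and compare `show xlate` for both real addresses. The same crypto-ACL point (match the translated address) applies if you keep the single-address policy-static design from the question instead.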
