09-25-2009 05:46 AM - edited 03-11-2019 09:19 AM
I have the need to NAT an inside address (DMZ actually) to two different outside addresses- one outside address is just for internet access, the other one is a NATed address on a VPN L2L tunnel.
So I want 10.10.10.1 to translate to 192.168.1.1 if going through the L2L tunnel and destined to the 172.16.0.0 network (tunnel terminated on outside interface), but I want it to translate to my public address 64.0.0.0 if going out to internet (outside).
I've tried using access lists for the second VPN tunnel static entry but get a "duplicate static entry" message when entering the static command.
This is my scenario I tried:
I have my original "classic"
static (inside,outside) 64.1.1.1 10.1.1.1 netmask 255.255.255.255
Then for my L2L tunnel:
access-list L2L extended permit ip host 10.1.1.1 host 172.16.1.1
static (inside,outside) 192.168.1.1 access-list L2L
Then, I also put in my nat commands:
nat (dmz) 1 access-list NAT_L2L
access-list NAT_L2L extended permit ip host 10.1.1.1 host 172.16.1.1
I have two questions:
1) Originally there was not a nat (dmz,outside) command, but statics for dmz-outside. I thought you always needed a "nat" command for an interface when translating.....
2) Proper configuration for translating same inside (or DMZ) address to two different outside IP addresses, dependent upon their destination.....
THANKS!!!!
09-25-2009 09:57 AM
I am not sure what version you are using. If you just want to nat for host 10.1.1.1, your config should be good. Static NAT should be good enough and you don't need any "nat" command here.
static (inside,outside) 64.1.1.1 10.1.1.1 netmask 255.255.255.255
static (inside,outside) 192.168.1.1 access-list L2L
I tested above in 7.x version. I got "INFO: overlap with existing static" message but both commands were taken in config. ASA/PIX will check policy static NAT first, therefore, there is no conflict here.
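A fuller version of the two-static layout discussed above, as an added example that is not the poster's or Cisco's own config. The interface names (inside/outside), the tunnel peer host 172.16.1.1, the public address 64.1.1.1, the crypto ACL name and the packet-tracer destination 198.51.100.1 are assumptions or constructed values.

```cisco
! Added example (assumed interface names, addresses and ACL names).
! Goal: DMZ host 10.1.1.1 appears as 192.168.1.1 toward the L2L peer host
! 172.16.1.1 and as 64.1.1.1 toward everything else on the outside.

! Policy static NAT: matches only when the destination is the tunnel host.
! The ASA evaluates policy statics before regular statics.
access-list L2L extended permit ip host 10.1.1.1 host 172.16.1.1
static (inside,outside) 192.168.1.1 access-list L2L

! Regular static NAT: catches all other (Internet-bound) traffic from the host.
static (inside,outside) 64.1.1.1 10.1.1.1 netmask 255.255.255.255

! The crypto map ACL must reference the translated (post-NAT) source address,
! not the real 10.1.1.1, or the tunnel will never see interesting traffic.
access-list VPN_INTERESTING extended permit ip host 192.168.1.1 host 172.16.1.1

! Verification from enable mode: check which static each flow hits.
! The first should translate to 192.168.1.1, the second to 64.1.1.1.
packet-tracer input inside tcp 10.1.1.1 1025 172.16.1.1 80
packet-tracer input inside tcp 10.1.1.1 1025 198.51.100.1 80
show xlate
```

Because the thread notes that overlapping statics are unsupported and inbound hits can land on the wrong entry, run packet-tracer in both directions (including an outside-to-inside test) before relying on the layout in production.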
09-26-2009 05:29 AM
We do not support overlapping static.
This may work for outbound traffic but inbound may hit the policy static for any source IP address due to this (enhancement) defect CSCso79009.
09-27-2009 08:52 AM
Bind two IPs to the server in question and set up a different NAT for each one.
09-28-2009 07:51 AM
That is a good idea that should work, but I'm sure the server guys would give me a dirty look :)
My other choice may be to create a new sub-interface on the dmz (with a less secure level assigned) and terminate my IPSEC tunnel there.
That way I'll have the same inside (dmz) address translated to a different address on the outside interface and a different address on the new sub-interface. Does that sound reasonable?
09-28-2009 07:47 AM
Thank you both....I am running 8.0(4)-38.
The static only seems to work for the first installed static command. If I remove both statics and re-enter in the opposite order, the other static works (for inbound).
I'll look into that enhancement # you supplied.....