static nat identity and static map

danilodicesare
Level 1

Hi all,


I've got a doubt....

I have to do NAT identity for a /25, but 2 addresses of that /25 must be mapped:

e.g.

static (inside,outside) udp 1.1.1.1 53 2.2.2.1 53 netmask 255.255.255.255
static (inside,outside) udp 1.1.1.2 53 2.2.2.2 53 netmask 255.255.255.255
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0

I think it will work even if I've got a WARNING message like

mapped-address conflict

If I perform a show xlate I can see the first 2 entries first and then the third one.

Do you think I'll have any issue? Do you know a better or more elegant way to do this?

tnx

Dani

5 Replies

jan.nielsen
Level 7

Should be ok, since the first two statics are more specific than the broad network static. If it doesn't work, you could try a policy static NAT instead for the two IPs.

access-list hosta permit ip host 2.2.2.1 any
access-list hostb permit ip host 2.2.2.2 any
static (inside,outside) 1.1.1.1 access-list hosta
static (inside,outside) 1.1.1.2 access-list hostb

tnx Jan,

maybe I was wrong before, because what I meant was:

static (inside,outside) udp 2.2.2.1 53 1.1.1.1 53 netmask 255.255.255.255
static (inside,outside) udp 2.2.2.2 53 1.1.1.2 53 netmask 255.255.255.255
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0

of course your answer is the same :)

access-list hosta permit ip host 1.1.1.1 any
access-list hostb permit ip host 1.1.1.2 any
static (inside,outside) 2.2.2.1 access-list hosta
static (inside,outside) 2.2.2.2 access-list hostb

but the other question is....how can I add those entries later?

so I've already got a command like

static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0

and I have to add a more specific one...do I need to do 'no static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.0', add the more specific entry and then add the less specific entry again?

maybe there is a tricky NAT entry that I can add without temporarily removing the other one.

tnx a lot

Dani

Dani,

How about NAT exemption with an ACL: deny these two hosts in that ACL and add statics for these two hosts.

Here is the NAT order of operations.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042696

-KS

hi,

that must be the right way....

so if I need inside to outside untranslated and outside to inside untranslated + some static mapping, I'll do:

PIX1# show running-config nat
nat (inside) 0 access-list nat_exemption      --> I want inside hosts to communicate untranslated with external hosts
nat (outside) 0 access-list nat_exemption   --> I want the outside world to communicate untranslated with internal hosts

PIX1# show running-config static
static (inside,outside) 7.7.7.7 2.2.2.1 netmask 255.255.255.255 --> I want to map real IP 2.2.2.1 to 7.7.7.7
static (inside,outside) 7.7.7.8 2.2.2.4 netmask 255.255.255.255 --> I want to map real IP 2.2.2.4 to 7.7.7.8

PIX1# show running-config access-list
access-list all extended permit ip any any
access-list nat_exemption extended deny ip host 2.2.2.4 any
access-list nat_exemption extended deny ip host 2.2.2.1 any
access-list nat_exemption extended permit ip 2.2.2.0 255.255.255.128 any

I think this is the right solution, right?

tnx

Dani

Dani,

We don't translate the source from low to high, so there is no need for nat (outside) 0 access-list nat_exemption. Also, nat 0 with an ACL applied on the inside will allow traffic to be initiated from the outside. It is bi-directional.

Yes, this is the best way. The ACL looks correct.

Good luck.

-KS
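To sanity-check the final design before touching a box, here is a small model of the lookup the thread converges on: the nat_exemption ACL is evaluated first-match (deny/permit), and only hosts it does not exempt fall through to the static entries. This is an added example written for this thread, not PIX/ASA code or output; the addresses are the ones from Dani's last post, and the order of operations (exemption before static) is the one KS linked to.

```python
import ipaddress

# Model of 'access-list nat_exemption ...' from the thread: evaluated top-down,
# first match wins, implicit deny at the end (no entry -> not exempted).
NAT_EXEMPTION_ACL = [
    ("deny",   ipaddress.ip_network("2.2.2.4/32")),
    ("deny",   ipaddress.ip_network("2.2.2.1/32")),
    ("permit", ipaddress.ip_network("2.2.2.0/25")),   # netmask 255.255.255.128
]

# Model of 'static (inside,outside) MAPPED REAL netmask MASK': (real network, mapped network).
STATICS = [
    (ipaddress.ip_network("2.2.2.1/32"), ipaddress.ip_network("7.7.7.7/32")),
    (ipaddress.ip_network("2.2.2.4/32"), ipaddress.ip_network("7.7.7.8/32")),
]


def acl_action(acl, src):
    """First-match ACL evaluation on the source address; implicit deny."""
    for action, net in acl:
        if src in net:
            return action
    return "deny"


def translate(real_ip, acl=NAT_EXEMPTION_ACL, statics=STATICS):
    """Return (rule type, mapped address) for an inside real address.

    Step 1: nat 0 access-list (exemption) - if permitted, the address is untranslated.
    Step 2: static entries, first match in configuration order; the mapped address
            keeps the host offset inside the static's netmask range.
    Step 3: nothing matched -> no translation rule in this model.
    """
    src = ipaddress.ip_address(real_ip)
    if acl_action(acl, src) == "permit":
        return ("exempt", str(src))
    for real_net, mapped_net in statics:
        if src in real_net:
            offset = int(src) - int(real_net.network_address)
            return ("static", str(mapped_net.network_address + offset))
    return ("none", None)


# A mis-ordered ACL (permit /25 before the host denies) silently exempts the two
# hosts, so their statics are never reached; the check below makes that visible.
MISORDERED_ACL = [NAT_EXEMPTION_ACL[2], NAT_EXEMPTION_ACL[0], NAT_EXEMPTION_ACL[1]]
```

Running `translate("2.2.2.1")` against the correct ACL returns the static mapping, while the same call with `acl=MISORDERED_ACL` returns the exemption, which is the mistake a `show xlate` on the real device would reveal only after traffic flows.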
