Static Policy NAT / Dynamic Policy NAT Conundrum

Unanswered Question
Jan 1st, 2010

It seems that when using the ACL in combination with the static translation statement (amounting to static policy NAT), the number of "real" addresses to be translated (as specified in the ACL) needs to equal the number of addresses used for translation (which is only 1 address).

For example, my Cisco ASA 5505 gave no errors when I entered the following:


Static Policy Nat - Accepted by ASA w/ no errors - (1 to 1 mapping of 1 real address to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit ip host 172.16.0.2 host 74.125.45.105

static (inside,outside) 192.168.1.253  access-list staticPOLICYnat

The above policy static nat translates the real source address of 172.16.0.2 to 192.168.1.253 when 172.16.0.2 attempts connections to 74.125.45.105

Notice that there is a 1 to 1 mapping of the "real" address of 172.16.0.2 to the mapped address of 192.168.1.253.

However, in the past I also wondered if I could translate more than one real address and map them to one global address using the ACL and static nat combo (which amounts to static policy nat). But I have not been able to get that to work. For example, entering the following provided me with the "global address overlaps with mask" error.

Static Policy Nat - Rejected By ASA w/ error of "global address overlaps with mask" - (many to 1 mapping of multiple real addresses to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit ip any host 74.125.45.105

static (inside,outside) 192.168.1.253  access-list staticPOLICYnat

The above configuration was rejected by my ASA 5505 with an error of "global address overlaps with mask"

In my experience, it is, however, possible to use dynamic policy NAT (instead of static policy NAT) to translate multiple "real" ip addresses to a single mapped/translated address.

Dynamic Policy Nat - Accepted by ASA w/ no errors - (many to 1 mapping of multiple real addresses to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit tcp any host 74.125.45.105

nat (inside) 2 access-list staticPOLICYnat

global (outside) 2 192.168.1.253

Being able to translate multiple source/real addresses to a single mapped/translated address can be useful in the following situation:

Distant end firewalls need a consistent IP address (instead of allowing your site's entire range) from your site when your users access the distant site's services.  This is beneficial in that one would not need to configure static ip addresses just so that the other site's firewall allows the clients to traverse into their network.

If anyone knows how to translate or map multiple IP addresses to a single IP address using STATIC POLICY NAT, please do share.

Best Regards,

David

Jerry Ye Sat, 01/02/2010 - 10:41

This is not possible. When translating multiple REAL addresses via Static Policy NAT, the ASA is substituting the network bits of the REAL address; this is part of the requirement where the network mask needs to be matched when configuring the ACL and the MAPPED address for Static Policy NAT.

I have a customer doing something similar to this and it is working for them; however, this is not a ONE-to-MANY mapping.

static (outside,inside) 10.254.0.0  access-list NET-172_27

access-list NET-172_27 extended permit ip 172.27.0.0 255.255.0.0 10.10.10.0 255.255.255.0

As you can see, NET-172_27 is matching the source addresses of 172.27.0.0/16  to destination hosts on 10.10.10.0/24 network. The NAT policy is allowing the network bit of the address to be translated to 10.254.0.0/16, where the network mask is the same (/16).

HTH,

jerry
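
The rule Jerry describes (static policy NAT rewrites only the network bits of the real address, so the mapped address must be a network of the same prefix length as the ACL source) can be checked offline before touching a firewall. The following Python script is an added illustration written for this page, not Cisco code and not an implementation of how the ASA actually parses the `static` command; it models the mask-matching rule from this reply against the three configurations quoted in the thread. The ACL source parser only understands the forms used above (`any`, `host A.B.C.D`, and `A.B.C.D M.M.M.M`), and the error text it returns is constructed to echo the "global address overlaps with mask" message David saw.

```python
import ipaddress

# Constructed model of the static policy NAT rule described in this thread:
# the mapped address inherits the prefix length of the ACL source, and the
# firewall replaces only the network bits of the real address. This is an
# illustration for the discussion, not the ASA's own logic.


def parse_acl_source(token):
    """Parse the source field of an extended ACL as written in the thread:
    'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M' (address and netmask)."""
    parts = token.split()
    if parts == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if len(parts) == 2 and parts[0] == "host":
        return ipaddress.ip_network(f"{parts[1]}/32")
    if len(parts) == 2:
        # ipaddress accepts dotted netmask notation; strict=True rejects
        # a network address with host bits set, as the ASA would.
        return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=True)
    raise ValueError(f"unsupported ACL source: {token!r}")


def check_static_policy_nat(acl_source, mapped_address):
    """Return (mapped_network, None) when the static statement satisfies the
    mask-matching rule, or (None, reason) when the model rejects it."""
    real = parse_acl_source(acl_source)
    mapped = ipaddress.ip_address(mapped_address)
    host_bits = 32 - real.prefixlen
    # Any bit set in the host portion of the mapped address means it is not
    # a network address of the same size as the real side: the many-to-one
    # case the thread reports as "global address overlaps with mask".
    if host_bits and int(mapped) & ((1 << host_bits) - 1):
        return None, (
            f"global address {mapped} overlaps with mask /{real.prefixlen}: "
            f"{real.num_addresses} real addresses cannot be statically mapped "
            f"to one address; use dynamic policy NAT (nat/global) instead"
        )
    return ipaddress.ip_network(f"{mapped}/{real.prefixlen}"), None


def translate(real_host, acl_source, mapped_address):
    """Rewrite only the network bits of real_host, as the reply describes.
    Returns None when the host does not match the ACL source."""
    real = parse_acl_source(acl_source)
    mapped_net, reason = check_static_policy_nat(acl_source, mapped_address)
    if mapped_net is None:
        raise ValueError(reason)
    host = ipaddress.ip_address(real_host)
    if host not in real:
        return None
    host_mask = (1 << (32 - real.prefixlen)) - 1
    return ipaddress.ip_address(
        int(mapped_net.network_address) | (int(host) & host_mask)
    )


if __name__ == "__main__":
    # The three cases quoted in the thread.
    cases = [
        ("host 172.16.0.2", "192.168.1.253"),          # accepted, 1-to-1
        ("any", "192.168.1.253"),                      # rejected, many-to-1
        ("172.27.0.0 255.255.0.0", "10.254.0.0"),      # accepted, /16 to /16
    ]
    for acl_source, mapped in cases:
        net, reason = check_static_policy_nat(acl_source, mapped)
        print(f"{acl_source!r} -> {mapped}: {net or reason}")
    # With the /16 rule, only the network bits change.
    print(translate("172.27.5.9", "172.27.0.0 255.255.0.0", "10.254.0.0"))
```

Running it reports the `host` and `/16` statements as consistent with the rule and rejects the `any` statement, and shows 172.27.5.9 translating to 10.254.5.9 under the customer's configuration because the last sixteen bits are carried through unchanged.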

yuchenglai Mon, 01/04/2010 - 06:18

I agree with you completely on the fact that the number of addresses in the source portion of the ACL needs to match the number mapped address(es) in the Static Policy NAT statement.

However, an example from page 15-13 (303) of Cisco's FWSM ver 4.0 config guide seems to contradict our theory:

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1
