same host multiple NATs

Answered Question
Sep 30th, 2010

concentrator 3030...I have a local host that needs to access multiple L2L tunnels with different NAT requirements:


I currently have this NAT configured...

source 10.1.1.1/32     static NAT 134.x.x.x/32     destination ANY

I need to configure this NAT...

source 10.1.1.1/32     static NAT 10.99.17.x/32     destination 32.x.x.x/32

Is this possible? I have tried and I get "Source and remote network address conflict with an existing rule. Either source or remote network address must be changed". Is the conflict due to the destination ANY of the pre-existing rule? I thought that since the destination of the rule I need to add is more specific, this should work.

Thanks for your help,  Anne

Correct Answer by Rudresh V about 6 years 4 months ago

Hi Anne,

Yes, the conflict error that we see is due to the destination ANY of the pre-existing rule. Ideally we need to have more specific static statements in the static rules to have multiple NAT for the same source. So I would suggest we find out the remote network list for which we need the 1st translation (134.x.x.x/32), and apply the static rule (might need more than 1 static rule if multiple remote subnets are the case), and similarly one more for the new static we are looking for (for the destination 32.x.x.x/32).

Now on some of the other security appliances, we can have a workaround to our scenario, but I'm not sure if the software version running on your concentrator would support this.

Try to remove the static rule for any (1st statement) and then apply the new rule first (to 32.x.x.x/32). After this apply the original static rule (destination to any). The idea is to have the more specific static rule first, and then the general (any) static rule for the rest of the destinations. I suggest you try this in a maintenance window to avoid any impact on users.

Let me know if this helps...

Cheers,


Rudresh V


a.wheeler Mon, 10/04/2010 - 08:08

Thanks for your reply; this is what I suspected.  I appreciate the confirmation.

Thanks,  Anne

Rudresh V Mon, 10/04/2010 - 08:35

Hi Anne,

Can you please mark this discussion answered if you have no other queries.

Good Day,

Rudresh V

Jitendriya Athavale Sun, 10/03/2010 - 08:20

it will say that because you have a generic rule at the top

try the following

remove the generic existing rule

enter the more specific, new rule first

then add the generic old rule

see if this helps
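Both answers above come down to the same point: a static (policy) NAT table is evaluated top-down, first match wins, so a rule with destination ANY placed ahead of a more specific rule for the same source shadows it, and an engine that refuses overlapping source/destination pairs outright forces the destinations to be made disjoint instead. The following Python model is an added example, not code from the thread or from Cisco; it assumes a simple first-match rule table with /32-to-/32 translation, and the addresses 198.51.100.1, 10.99.17.1 and 203.0.113.1 are constructed stand-ins for the masked 134.x.x.x, 10.99.17.x and 32.x.x.x values in the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class StaticNatRule:
    """One static NAT rule (hypothetical model): traffic from 'source' is
    rewritten to 'translated', but only when the packet is going to
    'destination' ("any" means 0.0.0.0/0, i.e. every destination)."""
    source: str
    translated: str
    destination: str = "any"

    @property
    def src_net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.source)

    @property
    def xlat_net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.translated)

    @property
    def dst_net(self) -> ipaddress.IPv4Network:
        if self.destination.lower() == "any":
            return ANY
        return ipaddress.ip_network(self.destination)

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in self.src_net
                and ipaddress.ip_address(dst) in self.dst_net)

    def apply(self, src: str) -> str:
        # Static NAT keeps the host offset inside the block; for /32 rules
        # this is just "replace the address".
        offset = int(ipaddress.ip_address(src)) - int(self.src_net.network_address)
        return str(self.xlat_net.network_address + offset)


def first_match(rules: List[StaticNatRule], src: str, dst: str) -> Optional[StaticNatRule]:
    """Top-down, first-match evaluation of the rule table."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule
    return None


def translate(rules: List[StaticNatRule], src: str, dst: str) -> str:
    """Translated source address, or the original if no rule applies."""
    rule = first_match(rules, src, dst)
    return rule.apply(src) if rule else src


def shadowed_rules(rules: List[StaticNatRule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already
    covers their entire source AND destination space (the 'ANY first' trap)."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.src_net.subnet_of(earlier.src_net)
                    and later.dst_net.subnet_of(earlier.dst_net)):
                shadowed.append(i)
                break
    return shadowed


def conflicting_pairs(rules: List[StaticNatRule]) -> List[Tuple[int, int]]:
    """Pairs whose source and destination ranges both overlap. A device that
    rejects such pairs outright (the behaviour the question reports) cannot
    be fixed by reordering; the destinations must be made disjoint instead."""
    pairs = []
    for i in range(len(rules)):
        for j in range(i + 1, len(rules)):
            a, b = rules[i], rules[j]
            if a.src_net.overlaps(b.src_net) and a.dst_net.overlaps(b.dst_net):
                pairs.append((i, j))
    return pairs


# Constructed rules mirroring the question (documentation ranges as stand-ins).
GENERAL = StaticNatRule("10.1.1.1/32", "198.51.100.1/32", "any")            # 134.x.x.x to ANY
SPECIFIC = StaticNatRule("10.1.1.1/32", "10.99.17.1/32", "203.0.113.1/32")  # 10.99.17.x to 32.x.x.x

if __name__ == "__main__":
    for label, table in (("ANY first", [GENERAL, SPECIFIC]), ("specific first", [SPECIFIC, GENERAL])):
        print(label, "-> to 203.0.113.1:", translate(table, "10.1.1.1", "203.0.113.1"),
              "| to 192.0.2.9:", translate(table, "10.1.1.1", "192.0.2.9"),
              "| shadowed:", shadowed_rules(table))
    print("overlapping pairs:", conflicting_pairs([GENERAL, SPECIFIC]))
```

With the ANY rule first, traffic to the 32.x.x.x stand-in is still translated to the 134.x.x.x stand-in and `shadowed_rules` flags the specific rule; with the specific rule first, each destination gets its intended translation. `conflicting_pairs` reports the overlap in either order, which is why Rudresh's first suggestion (replace ANY with the actual remote network list) is the only option on a platform that refuses overlapping rules.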
