Overlapping with static NAT configuration

gcocchi
Level 1

Hi all.

I have 2 PIX 525 (7.1.2) and I need to set up a very complex NAT configuration. Let me explain the problem better.

My internal networks, for example 192.168.1.0/24, 192.168.2.0/24, 192.168.5.0/24 and 192.168.4.0/24, need to reach 2 DMZs (192.168.100.0/24 and 192.168.200.0/24) through these 2 PIX 525. I need a very complex NAT configuration with many static NATs, dynamic NATs, identity NATs and NATs per destination.

For example, all internal networks 192.168.1.0/24 must reach 192.168.200.1 with PAT; this is OK and works correctly, no problem (global 192.168.200.244).

Network 192.168.100.0/24 must reach 192.168.2.1 with static identity policy NAT and 192.168.2.2 with static policy NAT (xlate with 192.168.100.244). I configured this correctly and it works.

The problem is when I need to configure some or all inside networks to reach some IPs on the 2 DMZs with identity NAT.

For example, 192.168.1.0/24 and 192.168.2.0/24 must reach 192.168.200.6, and 192.168.3.0/24 and 192.168.4.0/24 must reach 192.168.100.9, all without NAT.

So I configured NAT exemption with an access-list to permit identity translation from the internal nets to the hosts on the DMZ.

But I receive an error: "INFO: Outside address overlap with static NAT configuration".

The problem is that the configured static policy NAT includes IP addresses like 192.168.2.1 that overlap with the NAT exemption. If I configure identity NAT on 192.168.2.1 no error is reported. So I think that NAT exemption and identity NAT work on separate processes ... but I don't know.

Can you give me advice on resolving this problem of overlapping NAT?

I need a lot of flexibility because many clients connect to servers per destination with NAT or identity NAT.

Thx.

2 Replies

Fernando_Meza
Level 7

Hi, it would help if you post your config and a brief summary of what you need, i.e.

1. from subnet x.x.x.x to subnet x.x.x.x (PAT)

2. from subnet x.x.x.x to subnet/hosts x.x.x.x (NO NAT)

3. from subnet/host x.x.x.x to subnet/host x.x.x.x (static) .. etc.

Would you be able to elaborate on this, and I can have a look at it over the weekend.

Yes, OK. I'll post a very simple example of what I am trying to obtain.

A) On DMZ1 (192.168.100.0/24) a client needs to reach 192.168.2.1 on inside without NAT

B) On DMZ1 (192.168.100.0/24) a client needs to reach 192.168.2.2 on inside with a translated address (xlate 192.168.100.100)

C) On DMZ2 (192.168.200.0/24) a client needs to reach 192.168.2.3 on inside without NAT

D) On DMZ2 (192.168.200.0/24) a client needs to reach 192.168.2.4 on inside with a translated address (xlate 192.168.200.100)

E)On inside (192.168.2.0/24), clients need to reach 192.168.200.244 with nat (xlate 192.168.200.1)

F)On inside (192.168.2.0/24), clients need to reach 192.168.100.244 without nat

So the configuration is:

A) STATIC IDENTITY POLICY NAT

access-list DEST-A extended permit ip host 192.168.2.1 host 192.168.100.34

static (inside,dmz1) 192.168.2.1 access-list DEST-A

B) STATIC POLICY NAT

access-list DEST-B extended permit ip host 192.168.2.2 host 192.168.100.44

static (inside,dmz1) 192.168.100.100 access-list DEST-B

C) STATIC IDENTITY POLICY NAT

access-list DEST-C extended permit ip host 192.168.2.3 host 192.168.200.34

static (inside,dmz2) 192.168.2.3 access-list DEST-C

D) STATIC POLICY NAT

access-list DEST-D extended permit ip host 192.168.2.4 host 192.168.200.44

static (inside,dmz2) 192.168.200.100 access-list DEST-D

E) PAT

access-list DEST-E extended permit ip 192.168.2.0 255.255.255.0 host 192.168.200.244

nat (inside) 1 access-list DEST-E

global (dmz2) 1 192.168.200.1 netmask 255.255.255.255

F) NAT EXEMPTION

access-list DEST-F extended permit ip 192.168.2.0 255.255.255.0 host 192.168.100.244

nat (inside) 0 access-list DEST-F

Result:

When I set up NAT EXEMPTION as in (F), the PIX console shows me an INFO message: "INFO: Outside address overlap with static NAT configuration".

I think this message is only a warning because the configuration is accepted anyway, but I don't know if it will work correctly.

I need advice on how to avoid this overlap using the configuration example I gave you.

Thx.
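An added example, not from the original poster or from Cisco: a small Python script that parses the six rules above and reports every static whose real (inside) address falls inside the source range of a nat 0 (exemption) access-list on the same real interface, marking whether that static is an identity translation or a translated one. The embedded config is the sample from this thread (with the D rule's access-list named DEST-D, as its static line references it). Treating "same real interface plus overlapping real address" as the condition behind the overlap message is an assumption made here to locate the entries worth checking, not a statement of how the PIX itself evaluates the rules.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the rules A-F from the post, in the order they appear.
SAMPLE_CONFIG = """
access-list DEST-A extended permit ip host 192.168.2.1 host 192.168.100.34
static (inside,dmz1) 192.168.2.1 access-list DEST-A
access-list DEST-B extended permit ip host 192.168.2.2 host 192.168.100.44
static (inside,dmz1) 192.168.100.100 access-list DEST-B
access-list DEST-C extended permit ip host 192.168.2.3 host 192.168.200.34
static (inside,dmz2) 192.168.2.3 access-list DEST-C
access-list DEST-D extended permit ip host 192.168.2.4 host 192.168.200.44
static (inside,dmz2) 192.168.200.100 access-list DEST-D
access-list DEST-E extended permit ip 192.168.2.0 255.255.255.0 host 192.168.200.244
nat (inside) 1 access-list DEST-E
global (dmz2) 1 192.168.200.1 netmask 255.255.255.255
access-list DEST-F extended permit ip 192.168.2.0 255.255.255.0 host 192.168.100.244
nat (inside) 0 access-list DEST-F
"""


def _parse_addr(tokens, i):
    """Consume one PIX ACL address spec at tokens[i]; return (network, next_index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # PIX ACL syntax writes a network as "address netmask" (dotted mask, not wildcard).
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract extended-IP ACL entries, policy statics and nat 0 exemptions."""
    acls = defaultdict(list)   # acl name -> [(source net, destination net)]
    statics = []               # (real_if, mapped_if, mapped_addr, acl_name)
    exemptions = []            # (real_if, acl_name)
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _parse_addr(tok, 5)
            dst, _ = _parse_addr(tok, i)
            acls[tok[1]].append((src, dst))
        elif tok[0] == "static" and "access-list" in tok:
            real_if, mapped_if = tok[1].strip("()").split(",")
            statics.append((real_if, mapped_if, tok[2], tok[tok.index("access-list") + 1]))
        elif tok[0] == "nat" and tok[2] == "0" and "access-list" in tok:
            exemptions.append((tok[1].strip("()"), tok[tok.index("access-list") + 1]))
    return acls, statics, exemptions


def find_overlaps(text):
    """Return (exemption acl, static acl, real addr, mapped addr, is_identity) for each
    static whose real address lies inside an exemption ACL's source on the same real
    interface.  The 'same interface + overlapping real address' rule is this script's
    assumption about what the PIX overlap message refers to."""
    acls, statics, exemptions = parse_config(text)
    hits = []
    for real_if, ex_acl in exemptions:
        for ex_src, _ex_dst in acls[ex_acl]:
            for s_real_if, _s_mapped_if, mapped, s_acl in statics:
                if s_real_if != real_if:
                    continue
                for s_src, _s_dst in acls[s_acl]:
                    if ex_src.overlaps(s_src):
                        # identity static: the mapped address equals the single real host
                        identity = s_src.num_addresses == 1 and str(s_src.network_address) == mapped
                        hits.append((ex_acl, s_acl, str(s_src.network_address), mapped, identity))
    return hits


if __name__ == "__main__":
    for ex_acl, s_acl, real, mapped, identity in find_overlaps(SAMPLE_CONFIG):
        kind = "identity" if identity else "translated"
        print(f"{ex_acl} source overlaps static via {s_acl}: {real} -> {mapped} ({kind})")
```

Run against the sample, the script lists all four statics on the inside interface, since DEST-F's source 192.168.2.0/24 contains 192.168.2.1 through 192.168.2.4; the translated ones (DEST-B, DEST-D) are the entries to look at first, matching the poster's observation that identity NAT on an overlapping host produced no warning. The same parser works on a full `show running-config` dump, which is the practical way to audit a large policy before adding a new nat 0 line.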