New Member

ASA 5520 NAT Statement Help

Hello. First time to the forum.

We are trying to get a NAT translation into our ASA/PIX 5520 for a L2L VPN connection.

Every time I try to enter in the static (inside, outside) command, I get this error:

ERROR: access-list used in static has different local addresses

All of our current NAT translations go to our Internet IPs. This one however is for an internal translation to go down the VPN tunnel.

Can someone tell me what this error is?

Thanks in advance. - Mark

3 REPLIES
Gold

Re: ASA 5520 NAT Statement Help

We need to see the full command you're trying to enter with the static command, and the access-list that goes with it. Any other nat/static statements involving these addresses would be helpful too.

New Member

Re: ASA 5520 NAT Statement Help

OK. Here is what I was trying:

static (inside,outside) 10.251.84.68 access-list Fxxx

access-list Fxxx extended permit ip host 172.25.20.12 128.x.x.x 255.255.255.0

access-list Fxxx extended permit ip host 10.64.12.71 128.x.x.x 255.255.255.0

access-list Fxxx extended permit ip host 10.64.12.72 128.x.x.x 255.255.255.0

Neither the 128.x.x.x nor the 10.251. addresses are referenced in my no-nat acl.

Thanks.

Gold

Re: ASA 5520 NAT Statement Help

You can't use the static command. You have too many source addresses.

Try the following:

nat (inside) 1 access-list Fxxx

global (outside) 1 10.251.84.68

This might not have the desired effect though, if connections are initiated from the other side of the tunnel.

You really need more than just the one 10.251.84.68 address for NAT'ing these addresses across the tunnel.
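
An added example, not part of any post in this thread: a small Python pre-check that scans ASA-style configuration text for policy static commands whose access-list lists more than one source (local) address, the condition the last reply identifies. The sample configuration, the ACL names VPN_MULTI and VPN_ONE, and all addresses in it are constructed; the rule that a policy static's ACL must share one local address is taken from the reply's diagnosis and is an assumption here.

```python
import re
from collections import defaultdict

# Constructed sample config modelled on the thread's commands (names and addresses are made up).
SAMPLE_CONFIG = """\
access-list VPN_MULTI extended permit ip host 192.0.2.12 198.51.100.0 255.255.255.0
access-list VPN_MULTI extended permit ip host 192.0.2.71 198.51.100.0 255.255.255.0
access-list VPN_ONE extended permit ip host 192.0.2.12 198.51.100.0 255.255.255.0
access-list VPN_ONE extended permit ip host 192.0.2.12 203.0.113.0 255.255.255.0
static (inside,outside) 10.0.0.68 access-list VPN_MULTI
static (inside,outside) 10.0.0.69 access-list VPN_ONE
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.*)$")
STATIC_RE = re.compile(r"^static\s+\([^)]*\)\s+(\S+)\s+access-list\s+(\S+)")


def source_of(rest):
    """Return the source (local) address spec from the tail of an ACE."""
    tok = rest.split()
    if tok[0] == "host":
        return f"{tok[1]}/255.255.255.255"
    if tok[0] == "any":
        return "any"
    return f"{tok[0]}/{tok[1]}"  # network followed by mask


def check_policy_statics(config):
    """Return {acl: sorted sources} for ACLs used by a policy static
    that contain more than one distinct source address."""
    sources = defaultdict(set)
    static_acls = []
    for line in config.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            sources[m.group(1)].add(source_of(m.group(2)))
        elif m := STATIC_RE.match(line):
            static_acls.append(m.group(2))
    return {acl: sorted(sources[acl]) for acl in static_acls if len(sources[acl]) > 1}


if __name__ == "__main__":
    for acl, srcs in check_policy_statics(SAMPLE_CONFIG).items():
        print(f"{acl}: {len(srcs)} different local addresses: {', '.join(srcs)}")
```

VPN_ONE passes because both of its entries share one source host and differ only in destination; VPN_MULTI is flagged because its entries name two different source hosts.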
