Cisco Support Community
Community Member

policy static nat question / Error in Cisco's configuration guide?

I implemented a policy static NAT identical to the following example, which is listed on page 12-13 of the Firewall Services Module config guide.

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1

However, I get the following error message when I enter my similar configuration into my firewall:

global address overlaps with mask

Usage: [no] static [(real_ifc, mapped_ifc)]
    {<mapped_ip>|interface}
    {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
    [dns]
    [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
    [udp <max_conns>]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
    {<mapped_ip>|interface} <mapped_port>
    {<real_ip> <real_port> [netmask <mask>]} |
    {access-list <acl_name>}
    [dns]
    [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
    [udp <max_conns>]
show running-config [all] static [<mapped_ip>]
clear configure static

6 REPLIES
Community Member

Re: policy static nat question / Error in Cisco's configuration

I also receive the following error:

ERROR: access-list used in static has different local addresses

Community Member

Re: policy static nat question / Error in Cisco's configuration

I guess what I'm trying to accomplish is to do PAT overload on policy static NAT.

Hall of Fame Super Blue

Re: policy static nat question / Error in Cisco's configuration

Try

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
hostname(config)# nat (inside) 2 access-list NET1
hostname(config)# global (outside) 2 209.165.202.129

The above is assuming that

1) 10.1.2.0/24 is on the inside

2) 209.165.201.0/24 is reachable via the outside address

3) You want to PAT all 10.1.2.x addresses to 209.165.202.129 when the destination IP addresses are in the range 209.165.201.0/24

Jon

Cisco Employee

Re: policy static nat question / Error in Cisco's configuration

To further answer your initial question about the 'global address overlaps with mask' message: these types of error messages imply that you are trying to NAT a high number of hosts to an unequal number of IP addresses. In this case, the original configuration leverages an access-list containing 30 possible host IP addresses which must map to a single given IP address.

Community Member

Re: policy static nat question / Error in Cisco's configuration

That is correct.

I have been trying to NAT more than one address to a single address by using static policy NAT.

access-list FOR_XLATE extended permit ip host x any
access-list FOR_XLATE extended permit ip host y any
static (inside,outside) a.a.a.a access-list FOR_XLATE

When I enter the above configuration into my FWSM, I now get the following error:

ERROR: access-list used in static has different local addresses

I do not get the above error when I enter a configuration that NATs one address to one IP address.

access-list FOR_XLATE extended permit ip host x any
static (inside,outside) a.a.a.a access-list FOR_XLATE

That is all fine and good, but the above behavior for the two configurations on my FWSM seems to contradict page 12-13 of the FWSM config guide, which provides an example that implies it's possible to NAT more than one address to a single address using policy static NAT.

What could be going on?

Community Member

For the above scenario, what I think you are trying to do is to configure static NAT for two different IP hosts (x and y) to a single mapped IP (a.a.a.a), and you are getting the error below.

ERROR: access-list used in static has different local addresses

The firewall is intelligent enough to tell us that this setup will not work, since static NAT is bi-directional.

For example: if a client on the external network tries to access our mapped IP (a.a.a.a), the firewall cannot un-NAT to two different internal IPs (x and y), hence it does not allow us to configure two different IPs to a single IP address in the first place.

If you try the same configuration with a single network in the ACL to a mapped IP, you will not have any error.

Extract from the Cisco site:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_overview.html

For policy static NAT (and for NAT exemption, which also uses an access list to identify traffic), you can initiate traffic to and from the real host. However, the destination address in the access list is only used for traffic initiated by the real host. For traffic to the real host from the destination network, the source address is not checked, and the first matching NAT rule for the real host address is used. So if you configure static policy NAT such as the following:

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.128 access-list NET1

Then when hosts on the 10.1.2.0/27 network access 209.165.201.0/24, they are translated to corresponding addresses on the 209.165.202.128/27 network. But any host on the outside can access the mapped addresses 209.165.202.128/27, and not just hosts on the 209.165.201.0/24 network.

For the same reason (the source address is not checked for traffic to the real host), you cannot use policy static NAT to translate different real addresses to the same mapped address. For example, two inside hosts, 10.1.1.1 and 10.1.1.2, that you want to be translated to 209.165.200.225. When outside host 209.165.201.1 connects to 209.165.200.225, then the connection goes to 10.1.1.1. When outside host 209.165.201.2 connects to the same mapped address, 209.165.200.225, you want the connection to go to 10.1.1.2. However, because the destination address in the access list is not checked for traffic to the real host, then the first ACE that matches the real host is used. Since the first ACE is for 10.1.1.1, then all inbound connections sourced from 209.165.201.1 and 209.165.201.2 and destined to 209.165.200.255 will have their destination address translated to 10.1.1.1.
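As an added illustration (not part of the thread and not Cisco's code), the following Python model reproduces the two errors hit above and the outbound/inbound lookup order the extract describes: the destination is checked only for traffic the real host initiates, and for inbound traffic the first ACE matching the mapped address wins. The checks are a reconstruction of the behaviour described, not the FWSM implementation; 10.1.1.1, 10.1.1.2 and 209.165.200.225 are constructed stand-ins for x, y and a.a.a.a.

```python
import ipaddress
# Added model (not Cisco's code) of how an FWSM/ASA 8.2-style
# "static (inside,outside) <mapped> access-list <acl>" is checked and applied.
def _spec(t):
    """Consume one ACL address spec ('any', 'host A' or 'A MASK'); return (net, rest)."""
    if t[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.IPv4Network(t[1] + "/32"), t[2:]
    return ipaddress.IPv4Network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def parse_acl(lines):
    """'access-list NAME [extended] permit ip <src> <dst>' -> [(real_net, dst_net)]."""
    aces = []
    for line in lines:
        t = line.split()
        src, rest = _spec(t[t.index("ip") + 1:])
        dst, _ = _spec(rest)
        aces.append((src, dst))
    return aces
def _mapped_net(mapped_ip, real):
    # The real network's mask is applied to the mapped address (modelled behaviour).
    return ipaddress.IPv4Network(f"{mapped_ip}/{real.netmask}", strict=False)

def validate_static(mapped_ip, aces):
    """Return the error the thread hit, or None if the static would be accepted."""
    reals = {real for real, _ in aces}
    if len(reals) > 1:  # un-NAT would be ambiguous: which real host owns the mapped IP?
        return "ERROR: access-list used in static has different local addresses"
    (real,) = reals
    if str(_mapped_net(mapped_ip, real).network_address) != mapped_ip:
        return "global address overlaps with mask"  # .129/27 is not a block start; .128/27 is
    return None

def translate(mapped_ip, aces, src, dst, inbound=False):
    """Outbound: real source AND ACE destination are checked. Inbound: only the mapped
    destination is looked up; the outside source is never checked, so the first ACE wins."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for real, acl_dst in aces:
        mapped = _mapped_net(mapped_ip, real)
        if not inbound and s in real and d in acl_dst:
            return str(mapped.network_address + (int(s) - int(real.network_address)))
        if inbound and d in mapped:
            return str(real.network_address + (int(d) - int(mapped.network_address)))
    return None
# Constructed configs from the thread; 10.1.1.1 and 10.1.1.2 stand in for hosts x and y.
NET1 = parse_acl(["access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224"])
FOR_XLATE = parse_acl(["access-list FOR_XLATE extended permit ip host 10.1.1.1 any",
                       "access-list FOR_XLATE extended permit ip host 10.1.1.2 any"])
```

Running the validator over a candidate static before pasting it into the FWSM shows why .129/27 is rejected while .128/27 passes, and why a two-host ACL can never un-NAT unambiguously.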
