static NAT rule overlap

I have a few different connections coming in to different real IPs and/or protocols, all with the same inside destination (same Windows machine).

I've set a security policy rule for each of them to permit inbound traffic on the outside interface.

When I try to create the static route pointing the traffic off the ASA via the inside interface to the actual server, I'm rejected since the destination (the internal IP) overlaps from one static to another.

How do I solve this problem?

6 REPLIES

Re: static NAT rule overlap

Hello Ofir,

I couldn't understand why you need a route. Please paste the ACLs, statics and routes you entered so we can understand your issue in depth.

Regards


Re: static NAT rule overlap

Take this example:

access-list Inbound_Traffic extended permit tcp any host 63.x.y.100 eq smtp

access-list Inbound_Traffic extended permit tcp any host 63.x.y.101 range 2710 2715

access-list Inbound_Traffic extended permit tcp any host 63.x.y.102 range 2710 2715

access-list Inbound_Traffic extended permit tcp any host 63.x.y.103 eq https

access-list Inbound_Traffic extended permit tcp any host 63.x.y.101 eq https

access-list Inbound_Traffic extended permit tcp any host 63.x.y.104 eq www

63.x.y.101 & 63.x.y.102 are different real-world IPs that point to the same internal IP (192.168.1.1).

When I try to configure the NAT inside, pointing 63.x.y.101 to 192.168.1.1 and then doing the same with 63.x.y.102, I get an error.


Re: static NAT rule overlap

You cannot do that.

You need to do something like this...

static (inside,outside) tcp 63.x.y.101 https 192.168.1.1 https netmask 255.255.255.255

static (inside,outside) tcp 63.x.y.102 2710 192.168.1.1 2710 netmask 255.255.255.255

etc.


Re: static NAT rule overlap

Yeah, but there is the problem: when you do just that but use the same protocol & destination combination, you get an error.
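A pre-check for the condition described in this thread, as an added example that is not part of any poster's reply and is not Cisco code: it parses port-redirect `static` lines of the form shown above and lists every real IP/port pair that more than one mapped address points at, which is the combination the poster reports being rejected. The sample config, the function names and the small service-name table are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two statics from the reply above, plus a third line
# that reuses the same protocol, real IP and real port as the second.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 63.x.y.101 https 192.168.1.1 https netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.102 2710 192.168.1.1 2710 netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.101 2710 192.168.1.1 2710 netmask 255.255.255.255
"""

# Service keywords used in the thread, normalised so "https" and "443" compare equal.
PORT_NAMES = {"smtp": "25", "www": "80", "https": "443"}

STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
)

def parse_statics(config):
    """Return one dict per port-redirect static line; other lines are ignored."""
    rules = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        rule = m.groupdict()
        for field in ("mapped_port", "real_port"):
            rule[field] = PORT_NAMES.get(rule[field], rule[field])
        rule["line"] = lineno
        rules.append(rule)
    return rules

def find_overlaps(rules):
    """Group rules by real side; report groups reached via more than one mapped side."""
    groups = defaultdict(list)
    for r in rules:
        key = (r["real_if"], r["proto"], r["real_ip"], r["real_port"])
        groups[key].append(r)
    overlaps = []
    for key, members in groups.items():
        mapped = {(r["mapped_ip"], r["mapped_port"]) for r in members}
        if len(mapped) > 1:
            overlaps.append((key, [r["line"] for r in members]))
    return overlaps

if __name__ == "__main__":
    for key, lines in find_overlaps(parse_statics(SAMPLE_CONFIG)):
        print("overlap on real side", key, "at config lines", lines)
```

Running it against a candidate config before pasting the lines into the ASA shows which pairs of statics collide and on which real IP and port.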

Re: static NAT rule overlap

Create an alias for 192.168.1.1 and use it for the duplicated entry.


Hi, I'm having the same

Hi,

 

I'm having the same problem. How exactly do you use an alias for the duplicate? Can you guide us please on your configs for that? Thanks
