It seems that when using the ACL in combination with the static translation statement (amounting to static policy NAT), the number of "real" addresses to be translated (as specified in the ACL) needs to equal to the number of addresses used for translation (which is only 1 address).
For example, my Cisco ASA 5505 gave no errors when I entered the following:
Static Policy Nat - Accepted by ASA w/ no errors - (1 to 1 mapping of 1 real address to 1 mapped address)
access-list staticPOLICYnat line 1 extended permit ip host 172.16.0.2 host 184.108.40.206
The above policy static nat translates the real source address of 172.16.0.2 to 192.168.1.253 when 172.16.0.2 attempts connections to 220.127.116.11
Notice that there is a 1 to 1 mapping of the "real" address of 172.16.0.2 to the mapped address of 192.168.1.253.
However, in the past I also wondered if I could translate more than one real address and map them to one global address using the ACL and static nat combo (which amounts to static policy nat). But I have not been able to get that to work. For example, entering the following gave me the "global address overlaps with mask" error.
Static Policy Nat - Rejected By ASA w/ error of "global address overlaps with mask" - (many to 1 mapping of multiple real addresses to 1 mapped address)
access-list staticPOLICYnat line 1 extended permit ip any host 18.104.22.168
The above configuration was rejected by my ASA 5505 with an error of "global address overlaps with mask"
In my experience, it is, however, possible to use dynamic policy NAT (instead of static policy NAT) to translate multiple "real" ip addresses to a single mapped/translated address.
Dynamic Policy Nat - Accepted by ASA w/ no errors - (many to 1 mapping of multiple real addresses to 1 mapped address)
access-list staticPOLICYnat line 1 extended permit tcp any host 22.214.171.124
nat (inside) 2 access-list staticPOLICYnat
global (outside) 2 192.168.1.253
Being able to translate multiple source/real addresses to a single mapped/translated address can be useful in the following situation:
Distant end firewalls need a consistent IP address (instead of allowing your site's entire range) from your site when your users access the distant site's services. This is beneficial in that one would not need to configure static ip addresses just so that the other site's firewall allows the clients to traverse into their network.
If anyone knows how to translate or map multiple IP addresses to a single IP address using STATIC POLICY NAT, please do share.
This is not possible. When translating multiple REAL addresses via Static Policy NAT, the ASA is substituting the network bits of the REAL address. This is part of the requirement that the network mask needs to match between the ACL and the MAPPED address when configuring Static Policy NAT.
I have a customer doing something similar to this and it is working for them; however, this is not a ONE-to-MANY mapping.
access-list NET-172_27 extended permit ip 172.27.0.0 255.255.0.0 10.10.10.0 255.255.255.0
As you can see, NET-172_27 is matching the source addresses of 172.27.0.0/16 to destination hosts on 10.10.10.0/24 network. The NAT policy is allowing the network bit of the address to be translated to 10.254.0.0/16, where the network mask is the same (/16).
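Added example (mine, not config or code from anyone in this thread): a small Python model of the rule described in the reply above. Static policy NAT swaps the network bits and keeps the host bits, so the ACL's real network and the mapped network must have the same mask, which is why "any" (a /0) can never map to one host (a /32); dynamic policy NAT has no such constraint because every matched source shares the one global address. Function names and the sample host 172.27.5.9 are my own choices.

```python
from ipaddress import IPv4Address, ip_address, ip_network


def masks_match(real_net: str, mapped_net: str) -> bool:
    """True when the ACL's real network and the mapped network have the same
    prefix length, the condition static policy NAT requires
    ("any" is written as 0.0.0.0/0, a single host as /32)."""
    return (ip_network(real_net, strict=False).prefixlen
            == ip_network(mapped_net, strict=False).prefixlen)


def static_policy_nat(real_ip: str, real_net: str, mapped_net: str) -> IPv4Address:
    """Model (not ASA code) of the static translation: the network bits of the
    real address are replaced by the mapped network's bits and the host bits
    are kept, so each real address gets its own distinct mapped address.
    Raises ValueError for the many-to-one case the ASA rejects."""
    real = ip_address(real_ip)
    rnet = ip_network(real_net, strict=False)
    mnet = ip_network(mapped_net, strict=False)
    if rnet.prefixlen != mnet.prefixlen:
        # Corresponds to the "global address overlaps with mask" error in the thread.
        raise ValueError(f"mask mismatch: real {rnet} vs mapped {mnet}")
    if real not in rnet:
        raise ValueError(f"{real} is not matched by {rnet}")
    host_bits = int(real) & int(rnet.hostmask)
    return ip_address(int(mnet.network_address) | host_bits)


def dynamic_policy_nat(real_ip: str, real_net: str, global_ip: str) -> IPv4Address:
    """Model of the dynamic policy NAT (nat/global pair) from the thread: every
    real address matched by the ACL shares the one global address; the source
    port that keeps the connections apart is not modelled here."""
    real = ip_address(real_ip)
    if real not in ip_network(real_net, strict=False):
        raise ValueError(f"{real} is not matched by {real_net}")
    return ip_address(global_ip)


if __name__ == "__main__":
    # The three cases discussed in the thread, plus the dynamic many-to-one case.
    print(static_policy_nat("172.16.0.2", "172.16.0.2/32", "192.168.1.253/32"))  # 192.168.1.253
    print(masks_match("0.0.0.0/0", "192.168.1.253/32"))                          # False (rejected)
    print(static_policy_nat("172.27.5.9", "172.27.0.0/16", "10.254.0.0/16"))    # 10.254.5.9
    print(dynamic_policy_nat("10.9.8.7", "0.0.0.0/0", "192.168.1.253"))          # 192.168.1.253
```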