I have recently installed an ASA5510 as our firewall, which actually replaced the old PIX. Now I am stuck with static NATing. On the old PIX I could have multiple static statements translating different public IP addresses to one IP address in my DMZ network, but it looks like I cannot do it any more with the ASA. By the way, I am running ASA Version 7.0(7). I have read a few posts and articles online and it seems static policy NAT is the answer, but I cannot get it configured as I am still getting the "global address overlaps with mask" error. I have to translate multiple public IP addresses (for example 18.104.22.168, 22.214.171.124, 126.96.36.199) to 192.168.0.201 in my DMZ. Please see the following configuration I have tried.
#access-list 101 extended permit tcp any host 188.8.131.52 eq www
#access-list 101 extended permit tcp any host 184.108.40.206 eq www
#access-list 101 extended permit tcp any host 220.127.116.11 eq https
#access-group 101 in interface Outside
#access-list sun01-1 extended permit tcp any host 192.168.0.201 eq www
#access-list sun01-2 extended permit tcp any host 192.168.0.201 eq https
Hi, here are the changes necessary to fix your problem. The problem is that your static statements are defined for one-to-one NAT while your policy NAT ACLs match on port address translation. That's why you are getting the error message regarding "global address overlaps with mask." Your ACLs are also matching on the wrong traffic. Let me know if this makes any sense.
access-list sun01-1 permit tcp host 192.168.0.201 eq www any
access-list sun01-2 permit tcp host 192.168.0.201 eq www any
access-list sun01-3 permit tcp host 192.168.0.201 eq https any
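As an added illustration (not part of the reply above or the original post), here is how the reply's three ACLs would be paired with port-based policy static statements on ASA 7.x, using the public addresses from the original ACL 101; the interface names "DMZ" and "Outside" and the `static ... tcp ... access-list` form are assumptions based on the 7.x `static` command syntax, not something the thread shows.

```cisco
! Added example, not taken from the thread. Assumes the DMZ interface is
! named "DMZ" and the Internet-facing interface is named "Outside".
!
! The policy ACLs describe the real (DMZ) host and port being translated.
! The destination stays "any": the mapped public address is chosen by the
! static line that references the ACL, not by the ACL itself.
access-list sun01-1 extended permit tcp host 192.168.0.201 eq www any
access-list sun01-2 extended permit tcp host 192.168.0.201 eq www any
access-list sun01-3 extended permit tcp host 192.168.0.201 eq https any
!
! Port-based policy statics (static PAT): mapped address and port first,
! then the ACL that identifies the real host and port. The reply attributes
! the "global address overlaps with mask" error to one-to-one statics being
! combined with port-matching ACLs; the tcp form keeps both sides in step,
! so one real host can sit behind several public addresses.
static (DMZ,Outside) tcp 188.8.131.52 www access-list sun01-1
static (DMZ,Outside) tcp 184.108.40.206 www access-list sun01-2
static (DMZ,Outside) tcp 220.127.116.11 https access-list sun01-3
!
! The inbound ACL on Outside keeps referencing the public (mapped)
! addresses, as in the original post: on 7.x interface ACLs are evaluated
! before translation, i.e. against the mapped destination.
access-list 101 extended permit tcp any host 188.8.131.52 eq www
access-list 101 extended permit tcp any host 184.108.40.206 eq www
access-list 101 extended permit tcp any host 220.127.116.11 eq https
access-group 101 in interface Outside
!
! Verification: "show xlate" should list three static PAT entries for
! 192.168.0.201, and "show access-list 101" hit counts should increase
! while a client on the Outside side connects to each public address.
```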
The all-in-one book that palomo recommends in his first link is good. I'm using that to help me for my securitylab. And of course the documentation on CCO is great, and free, just a little hard to follow if you're new to networking or Cisco.
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...