Community Member

Xlating 1 inside address to 2 different outsides

I have the need to NAT an inside address (DMZ actually) to two different outside addresses: one outside address is just for internet access, the other one is a NATed address on a VPN L2L tunnel.

So I want 10.10.10.1 to translate to 192.168.1.1 if going through the L2L tunnel and destined to the 172.16.0.0 network (tunnel terminated on outside interface), but I want it to translate to my public address 64.0.0.0 if going out to internet (outside).

I've tried using access lists for the second VPN tunnel static entry but get a "duplicate static entry" message when entering the static command.

This is my scenario I tried:

I have my original "classic"

static (inside,outside) 64.1.1.1 10.1.1.1 netmask 255.255.255.255

Then for my L2L tunnel:

access-list L2L extended permit ip host 10.1.1.1 host 172.16.1.1

static (inside,outside) 192.168.1.1 access-list L2L

Then, I also put in my nat commands:

nat (dmz) 1 access-list NAT_L2L

access-list NAT_L2L extended permit ip host 10.1.1.1 host 172.16.1.1

I have two questions:

1) Originally there was not a nat (dmz,outside) command, but statics for dmz-outside. I thought you always needed a "nat" command for an interface when translating.....

2) Proper configuration for translating same inside (or DMZ) address to two different outside IP addresses, dependent upon their destination.....

THANKS!!!!

5 REPLIES

Re: Xlating 1 inside address to 2 different outsides

I am not sure what version you are using. If you just want to nat for host 10.1.1.1, your config should be good. Static NAT should be good enough and you don't need any "nat" command here.

static (inside,outside) 64.1.1.1 10.1.1.1 netmask 255.255.255.255

static (inside,outside) 192.168.1.1 access-list L2L

I tested the above on a 7.x version. I got an "INFO: overlap with existing static" message, but both commands were taken into the config. ASA/PIX checks policy static NAT first; therefore, there is no conflict here.

Cisco Employee

Re: Xlating 1 inside address to 2 different outsides

We do not support overlapping statics.

This may work for outbound traffic but inbound may hit the policy static for any source IP address due to this (enhancement) defect CSCso79009.

Community Member

Re: Xlating 1 inside address to 2 different outsides

Bind two IPs to the server in question and set up a different NAT for each one.

Community Member

Re: Xlating 1 inside address to 2 different outsides

That is a good idea that should work, but I'm sure the server guys would give me a dirty look :)

My other choice may be to create a new sub-interface on the dmz (with a less secure level assigned) and terminate my IPSEC tunnel there.

That way I'll have the same inside (dmz) address translated to a different address on the outside interface and a different address on the new sub-interface. Does that sound reasonable?

Community Member

Re: Xlating 1 inside address to 2 different outsides

Thank you both. I am running 8.0(4)-38.

The static only seems to work for the first installed static command. If I remove both statics and re-enter in the opposite order, the other static works (for inbound).

I'll look into that enhancement # you supplied.....
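The Cisco Employee's reply says overlapping statics are unsupported, and the last post confirms that only the first-installed static works for inbound traffic. A quick way to catch this condition before it reaches a production firewall is to lint the running config for a real address that is covered by more than one static on the same interface pair. The script below is an added example, not code from this thread or from Cisco; it understands the pre-8.3 "static" and "access-list ... extended permit ip host ... host ..." forms used in the thread, and the sample config embedded in it is constructed from the statics posted above.

```python
import re
from collections import defaultdict

# Constructed sample config: the two statics and the policy ACL from the thread,
# plus one unrelated DMZ static that should not be flagged.
SAMPLE_CONFIG = """
access-list L2L extended permit ip host 10.1.1.1 host 172.16.1.1
static (inside,outside) 64.1.1.1 10.1.1.1 netmask 255.255.255.255
static (inside,outside) 192.168.1.1 access-list L2L
static (dmz,outside) 64.1.1.2 10.2.2.2 netmask 255.255.255.255
"""

# Classic static: static (in,out) MAPPED REAL netmask MASK
# Policy static:  static (in,out) MAPPED access-list NAME
STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (\S+) (?:access-list (\S+)|(\S+) netmask \S+)"
)
# Only single-host ACEs are handled; other ACE forms are ignored by this linter.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip host (\S+) host (\S+)")


def parse_acl_sources(lines):
    """Map ACL name -> set of real (source) host addresses the ACL matches."""
    acl = defaultdict(set)
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            acl[m.group(1)].add(m.group(2))
    return acl


def find_overlapping_statics(config):
    """Return {(real_ip, (in_if, out_if)): [mapped_ip, ...]} for every real
    address that more than one static claims on the same interface pair.
    A policy static contributes every source host named in its ACL."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acl_sources = parse_acl_sources(lines)
    seen = defaultdict(list)
    for line in lines:
        m = STATIC_RE.match(line)
        if not m:
            continue
        in_if, out_if, mapped, acl_name, real = m.groups()
        reals = acl_sources.get(acl_name, set()) if acl_name else {real}
        for r in reals:
            seen[(r, (in_if, out_if))].append(mapped)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for (real, pair), mapped in find_overlapping_statics(SAMPLE_CONFIG).items():
        print(f"{real} on {pair[0]}->{pair[1]} has overlapping statics: {', '.join(mapped)}")
```

Run against the sample it reports 10.1.1.1 on inside->outside as claimed by both 64.1.1.1 and 192.168.1.1, which is exactly the pair the thread says cannot coexist.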
