New Member

Another set of eyes on NAT

I'm trying to configure an ASA5510 and when I add this: static (INSIDE,DMZ1) 10.3.200.2 10.3.0.2 netmask 255.255.255.255

I get this:

INFO: Global address overlaps with NAT exempt configuration.

I don't see the overlap. I have attached the running config for review.

14 REPLIES

Re: Another set of eyes on NAT

You do have an overlap...

If you have a packet sourced from inside (10.3.0.2) to DMZ1 (10.3.100.*), you qualify for your static statement and your

access-list REMOTE_ACCESS_NAT extended permit ip any 10.3.100.0 255.255.255.0

New Member

Re: Another set of eyes on NAT

Ahh but the DMZ is 10.3.200.*/24 not 10.3.100.*

and the remote access VPN ACL has a 10.3.100.0/24

See my dilemma? These are separate networks techincaly, but it says they overlap..

New Member

Re: Another set of eyes on NAT

technically (misspelled it)

Re: Another set of eyes on NAT

Oh, I understand now.

If I try to simplify the issue, your static statements are simple enough and are not the problem. This leaves a conflict between them and the nat 0. If I were in your place, I think I would try changing it to

access-list REMOTE_ACCESS_NAT extended permit ip 10.3.100.0 255.255.255.0 10.3.0.2 255.255.X.X

+ 1 other line for the DMZ1.

If this does not work, I'll be out of ideas.

New Member

Re: Another set of eyes on NAT

Thanks, but could you put it in the proper syntax? I don't think I understand?

New Member

Re: Another set of eyes on NAT

Here is the latest config. I even stopped using a zero subnet and I'm still getting this when I apply the static statement.

INFO: Global address overlaps with NAT exempt configuration

New Member

Re: Another set of eyes on NAT

Could this be a bug? I don't see an overlap.

Re: Another set of eyes on NAT

Hi ... Can you try changing the below:

global (DMZ1) 1 10.3.200.11-10.3.200.20

to

global (DMZ1) 2 10.3.200.11-10.3.200.20

and adding

nat (inside) 2 0.0.0.0 0.0.0.0

New Member

Re: Another set of eyes on NAT

Sorry for the slow response, I had to go out of town. After changing the global statement and adding "nat (inside) 2 0.0.0.0 0.0.0.0", I get "Duplicate NAT entry".

Re: Another set of eyes on NAT

Hi .. can you try this

access-list testing permit ip any any

no global (DMZ1) 1 10.3.200.11-10.3.200.20

global (DMZ1) 2 10.3.200.11-10.3.200.20

clear xlate

and then adding

nat (inside) 2 access-list testing

New Member

Re: Another set of eyes on NAT

I created this access-list:

access-list testing permit ip any any

Then I performed your changes without error. Is there a way to do it without policy-based NATting?

Re: Another set of eyes on NAT

For some reason it does not like to have the same entry on a nat even though you use a different nat id.

New Member

Re: Another set of eyes on NAT

Yeah. I'm still leaning towards bug in the IOS...

New Member

Re: Another set of eyes on NAT

try this

#no global (DMZ1) 1 10.3.200.79-10.3.200.99

#global (DMZ1) 1 interface
