ASA5520 (Global address overlaps??)

Dear all,

We have T1 internet with a /29 public IP address, and one machine needs a static mapping so that someone can access it from outside...

I got a message after I applied static (inside,outside):

INFO: Global address overlaps with NAT exempt configuration

I am not sure whether this is an error or not, because I could not ping the public IP address from outside... The machine inside can surf the internet...

Here is the config:

name 72.x.x.5 Register1
!
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 72.x.x.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.2.2.10 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xyxyxyxyx encrypted
boot system disk0:/asa721-k8.bin
boot system disk0:/asa704-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name theoy.ad
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any 10.3.101.0 255.25
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any host Register1
access-list outside_access_in extended permit udp any host Register1
access-list company_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 10.3.101.0 255.255.255.0
access-list splittunnel standard permit 10.1.0.0 255.255.0.0
access-list splittunnel standard permit 10.2.0.0 255.255.0.0
access-list splittunnel standard permit 172.16.0.0 255.255.0.0
access-list splittunnel standard permit 172.17.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool CompanyVPN2 10.3.101.100-10.3.101.200 mask 255.255.255.0
no failover
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 100 72.x.x.3 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 10.1.13.0 255.255.255.0 dns
nat (inside) 100 10.2.0.0 255.255.0.0 dns
static (inside,outside) Register1 10.2.15.11 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 CompanyDIA 1
route inside 10.2.0.0 255.255.0.0 10.2.2.1 1
route inside 10.1.0.0 255.255.0.0 10.2.2.1 1

According to the config, the inside machine (10.2.15.11) maps to 75.x.x.5, so I should be able to ping 75.x.x.5. However, I couldn't ping 75.x.x.5.

Thanks a lot!!!

1 REPLY

Re: ASA5520 (Global address overlaps??)

Don't worry, fixed it.

Just needed to add an access-list with ICMP traffic.

Thanks

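The outside ACL in the posted config permits only ICMP echo-reply plus TCP and UDP to Register1, so an inbound ping to the static address has no matching permit. The following check is an added example, not part of the original thread or any Cisco tool: it parses ASA 7.x-style lines and reports, for each static global address, whether the ACL bound inbound on the outside interface lets ICMP echo through. The function names and the 203.0.113.5 sample address are assumptions; source addresses, object-groups and port-redirect statics are not modelled.

```python
import ipaddress

# Constructed excerpt modelled on the posted config; 203.0.113.5 is a
# documentation address standing in for the masked public address.
SAMPLE = """\
name 203.0.113.5 Register1
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any host Register1
access-list outside_access_in extended permit udp any host Register1
static (inside,outside) Register1 10.2.15.11 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

def _addr(tok, names):
    """Consume one address spec (any | host X | X MASK); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(names.get(tok[1], tok[1])), tok[2:]
    return ipaddress.ip_network(f"{names.get(tok[0], tok[0])}/{tok[1]}", strict=False), tok[2:]

def echo_reachability(config, iface="outside"):
    """Map each static global address on `iface` to True/False: does the
    first matching entry of the inbound ACL permit ICMP echo to it?
    Source addresses are ignored (treated as any)."""
    lines = [ln.split() for ln in config.splitlines() if ln.strip()]
    names = {ln[2]: ln[1] for ln in lines if ln[0] == "name"}
    acl = next((ln[1] for ln in lines if ln[0] == "access-group"
                and ln[2:] == ["in", "interface", iface]), None)
    result = {}
    for ln in lines:
        if (ln[0] != "static" or not ln[1].endswith(f",{iface})")
                or ln[2] in ("tcp", "udp", "interface")):
            continue
        target = ipaddress.ip_address(names.get(ln[2], ln[2]))
        result[ln[2]] = False  # implicit deny at the end of every ACL
        for e in lines:
            if (e[:3] != ["access-list", acl, "extended"]
                    or e[4] not in ("ip", "icmp")):
                continue
            _, rest = _addr(e[5:], names)
            dst, rest = _addr(rest, names)
            # "ip" covers ICMP; an icmp entry matches echo only when it
            # names no ICMP type or names "echo" explicitly.
            type_ok = e[4] == "ip" or rest[:1] in ([], ["echo"], ["log"])
            if type_ok and target in dst:
                result[ln[2]] = e[3] == "permit"
                break
    return result
```

Running `echo_reachability(SAMPLE)` flags Register1 as unreachable by ping; appending an entry such as `access-list outside_access_in extended permit icmp any host Register1 echo` to the input flips the result.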