06-05-2007 01:55 PM - edited 03-09-2019 06:07 PM
I currently have an internal IP address that is NATTED to an external IP. However, we are now setting up an L2L, but that same internal IP now needs to be NATTED to the L2L VPN. I get the following error:
INFO: overlap with existing static
inside:WEBMAIL to outside:208.116.x.x netmask 255.255.255.255
06-05-2007 02:01 PM
You may be able to use policy-nat here. From the current scenario, I think you have the following static command in the network:
static (inside,outside) 208.116.x.x WEBMAIL
Now, let's assume that the remote-end network of the L2L tunnel is 192.168.1.0/24, and you need to map the WEBMAIL server as 192.168.2.10 to the remote-end L2L network. The following commands might help:
access-list pol1 permit ip host WEBMAIL 192.168.1.0 255.255.255.0
static (inside,outside) 192.168.2.10 access-list pol1
I hope this helps.
Regards,
Vibhor.
06-05-2007 02:06 PM
That is what I actually tried...
06-05-2007 02:10 PM
What code are you running? Policy-nat was introduced in 6.3(2) code.
Regards,
Vibhor.
06-05-2007 02:17 PM
I already have policy nat running for other site to site vpn. I am running version 7.2(2)
06-05-2007 02:19 PM
Cool .. could you paste the command you entered when you received the error, along with the commands existing on the PIX?
06-05-2007 02:22 PM
static (inside,outside) 208.116.x.x WEBMAIL netmask 255.255.255.255
Now for the site to site VPN with ZANTAZ, we need to NAT WEBMAIL to 172.30.59.91. In order to do this, I tried to use policy-nat (see below)
access-list ZANTAZ_VPN4 extended permit ip host WEBMAIL object-group ZANTAZ
static (inside,outside) 172.30.59.94 access-list ZANTAZ_VPN4
ERROR that I am getting:
INFO: overlap with existing static
inside:WEBMAIL to outside:208.116.x.x netmask 255.255.255.255
06-05-2007 02:23 PM
sorry typo
static (inside,outside) 172.30.59.91 access-list ZANTAZ_VPN4
06-05-2007 03:20 PM
Ok .. well, that's not actually an "error" you are getting. It's an "INFO", which is just to inform you that you already have a static translation for the host WEBMAIL. If you check your current static rules, you'll see both static commands in there and they would work as they are expected to:
show run static
It's just an informational message and you may ignore it.
Hope that helps.
Regards,
Vibhor.
06-05-2007 06:31 PM
You were right that it is only info. However, it does not show when I do show run static but only shows up in the show tech. So, I went and tried but it did not work. I will give it another try... I will clear the nat table and try again...
06-07-2007 04:43 AM
Well, I got it to work. The trick was to move the static going along with policy-nat ahead of the other static.
static (inside,outside) 172.30.59.91 access-list ZANTAZ_VPN1
static (inside,outside) 208.116.x.x WEBMAIL netmask 255.255.255.255
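The ordering issue reported in the last post can be checked for in a saved configuration. The script below is an added example, not part of the original thread or any Cisco tool: it flags a policy static that appears after a regular static for the same real host and interface pair. The names MAILHOST and VPN_POLICY and the addresses in the sample are constructed placeholders, and the parser assumes only the two static forms and the "permit ip host" ACL form shown in the thread.

```python
import re

# Constructed sample config (not taken from the thread); names and
# addresses are placeholders from the documentation ranges.
SAMPLE_CONFIG = """\
access-list VPN_POLICY extended permit ip host MAILHOST 192.0.2.0 255.255.255.0
static (inside,outside) 203.0.113.10 MAILHOST netmask 255.255.255.255
static (inside,outside) 198.51.100.10 access-list VPN_POLICY
"""

# static (real_if,mapped_if) mapped_ip {access-list NAME | real_host ...}
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (?:access-list (\S+)|(\S+))")
# access-list NAME [extended] permit ip host SOURCE ...
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip host (\S+) ")


def shadowed_policy_statics(config):
    """Return (policy_static, earlier_regular_static) pairs where a regular
    static for the same real host and interface pair comes first."""
    acl_hosts = {}  # ACL name -> set of source hosts it matches
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acl_hosts.setdefault(m.group(1), set()).add(m.group(2))

    seen_regular = {}  # (real_if, mapped_if, real_host) -> config line
    findings = []
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if not m:
            continue
        real_if, mapped_if, _mapped_ip, acl, real_host = m.groups()
        if acl is None:
            # Regular static: remember the first one seen for this host.
            seen_regular.setdefault((real_if, mapped_if, real_host), line)
            continue
        # Policy static: compare each ACL source host with earlier statics.
        for host in sorted(acl_hosts.get(acl, ())):
            earlier = seen_regular.get((real_if, mapped_if, host))
            if earlier:
                findings.append((line, earlier))
    return findings


if __name__ == "__main__":
    for policy, regular in shadowed_policy_statics(SAMPLE_CONFIG):
        print("policy static after regular static:")
        print("  " + regular)
        print("  " + policy)
```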