Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Static Policy NAT / Dynamic Policy NAT Conundrum

It seems that when using the ACL in combination with the static translation statement (amounting to static policy NAT),  the number of "real" addresses to be translated (as specified in the ACL) needs to equal to the number of addresses used for translation (which is only 1 address).

For example, my Cisco ASA 5505 took gave no errors when I entered the following:


Static Policy Nat - Accepted by ASA w/ no errors - (1 to 1 mapping of 1 real address to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit ip host 172.16.0.2 host 74.125.45.105

static (inside,outside) 192.168.1.253  access-list staticPOLICYnat

The above policy static nat translates the real source address of 172.16.0.2 to 192.168.1.253 when 172.16.0.2 attempts connections to 74.125.45.105

Notice that there is a 1 to 1 mapping of the "real" address of 172.16.0.2 to the mapped address of 192.168.1.253.

However, in the past I also wondered if I could translate more than one real addresses and map them to one global address using the ACL and static nat combo (which amounts to static policy nat).  But I have not been able to get that to work.  For example, entering the following provided me with the "global address overlaps with mask" error.

Static Policy Nat - Rejected By ASA w/ error of "global address overlaps with mask" - (many to 1 mapping of multiple real addresses to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit ip any host 74.125.45.105

static (inside,outside) 192.168.1.253  access-list staticPOLICYnat

The above configuration was rejected by my ASA 5505 with an error of "global address overlaps with mask"

In my experience, it is, however, possible to use dynamic policy NAT (instead of static policy NAT) to translate multiple "real" ip addresses to a single mapped/translated address.

Dynamic Policy Nat - Accepted by ASA w/ no errors - (many to 1 mapping of multiple real addresses to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit tcp any host 74.125.45.105

nat (inside) 2 access-list staticPOLICYnat

global (outside) 2 192.168.1.253

Being able to translate multiple source/real addresses to a single mapped/translated address can be useful in the following situation:

Distant end firewalls need a consistent IP address (instead of allowing your site's entire range) from your site when your users access the distant site's services.  This is beneficial in that one would not need to configure static ip addresses just so that the other site's firewall allows the clients to traverse into their network.

If anyone knows how to translate or map multiple IP addresses to a single IP address using STATIC POLICY NAT, please do share.

Best Regards,

David

Everyone's tags (4)
1 REPLY
Community Member

Static Policy NAT / Dynamic Policy NAT Conundrum

Hi David..

Check this link out!!! This may help you  :-)

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043541

regards

Shaik

16266
Views
0
Helpful
1
Replies
CreatePlease to create content