topic ASA5520 Static NAT problem in Network Security

ASA5520 Static NAT problem

Steve Coady — Tue, 12 Mar 2019 05:10:44 GMT

Hello

I am getting the following error when I try to implement a statement that was removed.

ERROR: access-list used in static has different local addresses.

We were migrating to a new ASA. We shut the interfaces on the Old asa down (admin down)

A static statement was missing when we had to revert back to old ASA.

Please advise on what to do to resolve thi

Hi, Not sure if I have ever

Jouni Forss — Thu, 04 Dec 2014 11:02:36 GMT

Hi,

Not sure if I have ever encountered this problem.

On first glance it would almost seem like you were using the wrong ACL (or configured in a way thats not supported for this NAT) for the "static" command you are trying to insert?

Could you share the full "static" command you are trying to enter and also the configuration of the "access-list" that you are using in that "static" command?

The ERROR message specifies that there are "different local addresses". Perhaps this indicates a situation where you have several different source addresses (on several ACL lines) specified in the "access-list" when you are actually trying to translate one hosts local IP address to one mapped/nat IP address.

Hope this helps 🙂

- Jouni

Jouni Thank you for the

Steve Coady — Thu, 04 Dec 2014 15:59:54 GMT

Jouni

Thank you for the response.

Its a strange problem indeed. The statement causing the issue is:

static (inside,outside) 170.x.x.94 access-list MYPROD_PNAT

This statement has been in ASA for sometime and worked well.

Recently there were some new ACL statements referencing this same ACL. All worked well "Until"

we had to reboot the ASA. After reboot, that particular static was missing.

We had to remove the newest acl statements, apply the static and then re-enter the new statements for the work around.