topic Overlapping NAT Question - ASA 8.2(4) in Network Security

Overlapping NAT Question - ASA 8.2(4)

paulstone80 — Mon, 11 Mar 2019 21:21:35 GMT

Hi,

Could someone offer me some advice regarding the scenario below please?

I'm currently using an ASA5510 with IOS 8.2(4).

We have a Static NAT translation setup for our internal mail server, to NAT to a public IP.

static (inside,outside) 1.1.1.10 10.10.10.100 netmask 255.255.255.255

I would like to add a Static Policy NAT rule so that the following happens;

Traffic from the mail server 10.10.10.100, is NAT'd to 172.30.10.100, when the destination is 94.150.87.23. The reason for this being that this traffic will be pushed through a L2L VPN and routed out through another site.

static (inside,outside) 172.30.10.100 access-list inside_nat_static

access-list inside_nat_static extended permit ip host 10.10.10.100 94.150.87.23

When I configure the Static Policy NAT on the ASA I get the following warning message;

This operation will modify the Static NAT Rule. The modified Static NAT Rule is overlapping with the following existing rules:

static (inside,outside) 1.1.1.10 10.10.10.100 netmask 255.255.255.255

If I apply the Static Policy NAT will it break the current Static NAT rule?

Is there a better way to configure this so that I don't get overlapping rules?

Many thanks,

Paul

Overlapping NAT Question - ASA 8.2(4)

paulstone80 — Wed, 07 Sep 2011 12:55:42 GMT

Ok I found a solution to this. Use a Dynamic NAT policy instead of a Static NAT Policy.

Thanks,

Paul

Overlapping NAT Question - ASA 8.2(4)

tkalee — Fri, 30 Sep 2011 20:45:42 GMT

Paul,

I am attempting to do a very similiar thing - route from 10.1.1.x to 172.26.1.x when the destination is 10.41.56.x. I have been getting the same response when trying to create a static NAT rule for xlating 10.1.1.0 to 172.26.1.0. Can you please provide some details on how you were able to use a Dynamic NAT rule to accomplish this "splitting"?

Thanks,

Tim

Re: Overlapping NAT Question - ASA 8.2(4)

paulstone80 — Mon, 03 Oct 2011 09:11:24 GMT

Hi Tim,

In my example above, there were 3 commands I needed to configure to create the Dynamic Policy NAT rule;

1. An ACL to match traffic against

2. A global NAT statement

3. A nat statement

Below are the commands as entered for my scenario, translate 10.10.10.100 to 172.30.10.100 when the destination is 94.150.87.23.

1. access-list inside_nat_outbound extended permit ip host 10.10.10.100 host 94.150.87.23

2. global (outside) 2 172.30.10.100 netmask 255.255.255.0

3. nat (inside) 2 access-list inside_nat_outbound

Alternatively you can use ASDM and go to Configuration > NAT Rules > Add > Add Dynamic Policy NAT rule.

HTH

Paul

Re: Overlapping NAT Question - ASA 8.2(4)

tkalee — Wed, 05 Oct 2011 19:23:26 GMT

Hi Paul,

Thanks for your reply. It helped me to understand more clearly what steps you took to resolve the problem you were having. I tried to adapt it to my scenario in which I was needing to not just NAT a single server, but a whole network to another network depending on the destination - without success, unfortantely. We decided that since a permanent tunnel wasn't completely necessary that we would just use VPN clients to connect which removes the problem altogether.

Thanks again for your help.

Tim

Overlapping NAT Question - ASA 8.2(4)

Maykol Rojas — Thu, 06 Oct 2011 05:08:16 GMT

Paul/TIm,

The very first solution was alright, the only thing is that you first need to remove this line

static (inside,outside) 1.1.1.10 10.10.10.100 netmask 255.255.255.255

and then put it back on, that way, this line

static (inside,outside) 172.30.10.100 access-list inside_nat_static

access-list inside_nat_static extended permit ip host 10.10.10.100 94.150.87.23

Will be first and it will be hitted. Remember that Static NATs are read from top to bottom in order, the only difference with Dynamic (Besides the obvious part) is that the more specific you get with the dynamic policy nat, mostlikely you are going to hit the rule, whereas in static nat, no matter if you have a more specific rule, it will hit the first one on the list.

Mike