topic static nat to multiple outside to single inside in Network Security

static nat to multiple outside to single inside

adamtroxel — Mon, 11 Mar 2019 16:28:22 GMT

We are moving from a pix to an asa

Our current pix implementation looks like this

static (inside,outside) 5.5.5.5 1.1.1.1 255.255.255.255

static (inside,outside) 6.6.6.6 1.1.1.1 255.255.255.255

When I try to do this on the asa I can only do a single instance and get the error

ERROR: duplicate of existing static

when I try to do the second.

Is there a switch I need to run or something to get this functionality to work? Or is there a better way to do this?

Re: static nat to multiple outside to single inside

adamtroxel — Tue, 20 Oct 2009 20:43:51 GMT

I think I found my own answer:

The simple answer is yes, but you can't using the "static" command as you would expect or else you'll get the error "ERROR: duplicate of existing static".

So the following configuration will fail;

static (Inside,Outside) 201.10.10.2 10.10.10.1 netmask 255.255.255.255

static (Inside,Outside) 100.20.30.3 10.10.10.1 netmask 255.255.255.255

However using policy NAT on the PIX/ASA using code 7.x and beyond (Tested on 8.x) the following will work.

access-list policy_1 extended permit ip host 10.10.10.1 any

access-list policy_2 extended permit ip host 10.10.10.1 any

static (Inside,Outside) 201.10.10.2 access-list policy_1

static (Inside,Outside) 100.20.30.3 access-list policy_2"

Re: static nat to multiple outside to single inside

Patrick0711 — Tue, 20 Oct 2009 23:24:37 GMT

This is a policy NAT configuration. I'm almost positive you will see abnormalities, especially when originating outbound connections.

Your configuration is saying:

Traffic originating from 10.10.10.1 to ANY destination, policy NAT to 201.10.10.2 and 100.20.30.3. However, there's nothing to differentiate which translation should be used. I'm guessing outbound traffic will appear from whatever IP is currently in the state table.