topic policy static nat question / Error in Cisco's configuration guide? in Network Security

policy static nat question / Error in Cisco's configuration guide?

yuchenglai — Mon, 11 Mar 2019 16:05:59 GMT

I implemented a policy static nat identical to the following example that is listed in page 12-13 of the Firewall Services Module config guide.

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224

hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1

However, I get the following error message when I enter my similar configuration into my firewall:

global address overlaps with mask

Usage: [no] static [(real_ifc, mapped_ifc)]

{<mapped_ip>|interface}

{<real_ip> [netmask <mask>]} | {access-list <acl_name>}

[dns]

[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]

[udp <max_conns>]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp}

{<mapped_ip>|interface} <mapped_port>

{<real_ip> <real_port> [netmask <mask>]} |

{access-list <acl_name>}

[dns]

[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]

[udp <max_conns>]

show running-config [all] static [<mapped_ip>]

clear configure static

Re: policy static nat question / Error in Cisco's configuration

yuchenglai — Thu, 13 Aug 2009 19:55:15 GMT

I also receive the following error:

ERROR: access-list used in static has different local addresses

Re: policy static nat question / Error in Cisco's configuration

yuchenglai — Thu, 13 Aug 2009 19:56:52 GMT

I guess what i'm trying to accomplish is trying to do PAT overload on Policy Static NAT

Re: policy static nat question / Error in Cisco's configuration

Jon Marshall — Thu, 13 Aug 2009 20:07:11 GMT

Try

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224

hostname(config)# nat (inside) 2 access-list NET1

hostname(config)# global (outside) 2 209.165.202.129

The above is assuming that

1) 10.1.2.0/24 is on the inside

2) 209.165.201/0/24 is reachable via the outside address

3) You want to PAT all 10.1.2.x addresses to 209.165.202.129 when the destination IP addresses are in the range 209.165.201.0/24

Jon

Re: policy static nat question / Error in Cisco's configuration

Kevin Redmon — Fri, 14 Aug 2009 01:04:11 GMT

To further answer your initial question, the 'global address overlaps with mask' command, these types of error messages imply that you are trying to NAT a high number of hosts to an unequal number of IP addresses. In this case, the original access-list leverages an access-list containing 30 possible host IP addresses which must map to a single given IP address.

Re: policy static nat question / Error in Cisco's configuration

yuchenglai — Fri, 14 Aug 2009 13:44:58 GMT

That is correct.

I have been trying to NAT more than one address to a single address by using static policy NAT.

access-list FOR_XLATE extended permit ip host x any

access-list FOR_XLATE extended permit ip host y any

static (inside,outside) a.a.a.a access-list FOR_XLATE

When I enter the above configurations into my FWSM, I now get the following error:

ERROR: access-list used in static has different local addresses

I do not get the above error when the configuration I enter config to NAT one address to one IP address.

access-list FOR_XLATE extended permit ip host x any

static (inside,outside) a.a.a.a access-list FOR_XLATE

That is all fine and good, but the above behavior for the two configurations on my FWSM seems to contradict page 12-13 of the FWSM config guide which provided an example that implies it's possible to NAT more than one address to a single address using Policy Static NAT.

What could be going on?

For the above scenario what I

nandau1082 — Tue, 09 Feb 2016 12:17:52 GMT

For the above scenario what I think you are trying to do is to configure static NAT for two different IP host (x and y) to a single mapped IP (a.a.a.a) and you are getting below error.

ERROR: access-list used in static has different local addresses

Firewall is intelligent enough to tell us that this setup will not work since static NAT is bi-directional.

For ex: if client on external network tries to access our mapped IP (a.a.a.a), firewall cannot UN-NAT to two different internal IP (x and y) hence it does not allow us to configure with two different IP to single IP address in the first place.

If you try the same configuration with single network in acl to a mapped IP you will not have any error.

Extract from cisco site

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_overview.html

For policy static NAT (and for NAT exemption, which also uses an access list to identify traffic), you can initiate traffic to and from the real host. However, the destination address in the access list is only used for traffic initiated by the real host. For traffic to the real host from the destination network, the source address is not checked, and the first matching NAT rule for the real host address is used. So if you configure static policy NAT such as the following:

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224

hostname(config)# static (inside,outside) 209.165.202.128 access-list NET1

Then when hosts on the 10.1.2.0/27 network access 209.165.201.0/24, they are translated to corresponding addresses on the 209.165.202.128/27 network. But any host on the outside can access the mapped addresses 209.165.202.128/27, and not just hosts on the 209.165.201.0/24 network.

For the same reason (the source address is not checked for traffic to the real host), you cannot use policy static NAT to translate different real addresses to the same mapped address. For example, two inside hosts, 10.1.1.1 and 10.1.1.2, that you want to be translated to 209.165.200.225. When outside host 209.165.201.1 connects to 209.165.200.225, then the connection goes to 10.1.1.1. When outside host 209.165.201.2 connects to the same mapped address, 209.165.200.225, you want the connection to go to 10.1.1.2. However, because the destination address in the access list is not checked for traffic to the real host, then the first ACE that matches the real host is used. Since the first ACE is for 10.1.1.1, then all inbound connections sourced from 209.165.201.1 and 209.165.201.2 and destined to 209.165.200.255 will have their destination address translated to 10.1.1.1.