topic Re: Fixing NAT entries in Network Security

Fixing NAT entries

shorila — Mon, 11 Mar 2019 12:28:40 GMT

I have a Cisco 515e running 7.0(1) and one problem with the config of my NATs on my PIX is that the inside interface is not NATed. Rather just the subnet of my internal network. So when I try to add a NAT rule for a single host on that subnet I get: "This static port mapping rule is overlapping with a dynamic address translation rule for X.X.X.X/255.255.252.0 using global pool 1. Do you wish to proceed?" I suppose i could proceed without issue? In the end I would like to replace the subnet NAT using the inside interface, so that I don't receive this message every time i set up a static NAT. But i do not want to compromise breaking my security policies. Is it possible to insert the inside interface NAT and then remove the subnet NAT without breaking my Security Policies and causing too much disruption?

Re: Fixing NAT entries

sundar.palaniappan — Tue, 08 Apr 2008 17:58:12 GMT

You should experience only a brief disruption when you add nat inside and remove the static NAT configuration. You might want to be precise when you configure nat inside instead of nat anything to setup a more secure configuration. For example a more secure configuration would be nat (inside)1 10.1.1.0 255.255.255.0 instead of nat (inside) 1 0.0.0.0.

HTH

Sundar

Re: Fixing NAT entries

srue — Tue, 08 Apr 2008 18:26:40 GMT

with changes i need (or want) to do during biz hours, i usually first type them up in my fav. text editor (textpad) and then copy/paste them into my fav. telnet/ssh client (securecrt).

in your case:

no nat (inside) 1 0 0

nat (inside) 1 10.1.1.0 255.255.255.0

clear xlate

...to build on sundar's example.