Welcome to Cisco Firewalls Community


Cisco ASA - Pool (0.0.0.0) overlap with existing pool

Hi Guys,

I have added near the bottom of our NAT config a DNAT rule:

nat (outside,inside) after-auto 32 source static any any destination static ext_inet_DNAT_Public_IP DNAT_PrivateIP unidirectional description Dnat Rule for monitoring

After enabling it, I receive this message:

[WARNING] nat (outside,inside) after-auto 32 source static any any destination static ext_inet_DNAT_Public_IP DNAT_PrivateIP unidirectional description Dnat Rule for monitoring
Pool (0.0.0.0) overlap with existing pool.

The public IP is part of a BGP /24 prefix advertised by the upstream routers on the Internet; here's the routing config on the ASA:

route Null0 public_prefix/24 255.255.255.0 1

Hardware: ASA 5525 running 9.6.

Thanks!

1 ACCEPTED SOLUTION


Re: Cisco ASA - Pool (0.0.0.0) overlap with existing pool

Two months later, here's the idea I got from a network specialist:
"It IS NOT recommended to use NAT section 3 for port-forward configuration; this type of outside/inside access from any source should go to NAT section 2, aka OBJECT NAT."

As proof, he added a source IP on the NAT rule:

nat (outside,inside) after-auto 32 source static src_IP_object src_IP_object destination static ext_inet_DNAT_Public_IP DNAT_PrivateIP unidirectional description Dnat Rule for monitoring

and the warning message was gone.
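
A small config lint for the pattern this thread describes, as an added example that is not part of the original posts: it flags section 3 (after-auto) manual NAT rules that translate a destination while matching `source static any any`, the form that raised the warning here. The function name, the regex and rule number 33 in the sample are assumptions made for illustration.

```python
import re

# Manual ("twice") NAT rule in the form used in this thread:
#   nat (if_a,if_b) [after-auto] [line] source static|dynamic A B
#       [destination static C D] ...
NAT_RE = re.compile(
    r"^nat \((?P<from_if>[^,]+),(?P<to_if>[^)]+)\)\s+"
    r"(?P<after_auto>after-auto\s+)?(?:(?P<line>\d+)\s+)?"
    r"source\s+(?:static|dynamic)\s+(?P<src_a>\S+)\s+(?P<src_b>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dst_a>\S+)\s+(?P<dst_b>\S+))?"
)


def find_any_source_section3(config_text):
    """Return after-auto (section 3) rules that translate a destination
    while matching 'source ... any any', the form that raised the warning."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = NAT_RE.match(raw.strip())
        # Skip non-NAT lines, section 1 rules and rules without a destination.
        if m is None or not m["after_auto"] or not m["dst_a"]:
            continue
        if m["src_a"] == "any" and m["src_b"] == "any":
            findings.append({
                "config_line": lineno,
                "rule_line": int(m["line"]) if m["line"] else None,
                "interfaces": (m["from_if"], m["to_if"]),
                "destination": (m["dst_a"], m["dst_b"]),
            })
    return findings


# Constructed sample: rule 32 and the route are the thread's own lines;
# rule 33 is the specialist's variant with an assumed line number.
SAMPLE = """\
nat (outside,inside) after-auto 32 source static any any destination static ext_inet_DNAT_Public_IP DNAT_PrivateIP unidirectional description Dnat Rule for monitoring
nat (outside,inside) after-auto 33 source static src_IP_object src_IP_object destination static ext_inet_DNAT_Public_IP DNAT_PrivateIP unidirectional description Dnat Rule for monitoring
route Null0 public_prefix/24 255.255.255.0 1
"""

if __name__ == "__main__":
    for f in find_any_source_section3(SAMPLE):
        print(f"config line {f['config_line']}: after-auto rule {f['rule_line']} "
              f"forwards {f['destination'][0]} -> {f['destination'][1]} from any "
              "source; consider object NAT (section 2) or a specific source")
```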