Cisco ASA - Pool (0.0.0.0) overlap with existing pool

Florin Barhala
Level 6

Hi Guys,

I have added near the bottom of our NAT config a DNAT rule:

nat (outside,inside) after-auto 32 source static any any destination static ext_inet_DNAT_Public_IP DNAT_PrivateIP unidirectional description Dnat Rule for monitoring

After enabling it, I receive this message:

 

[WARNING] nat (outside,inside) after-auto 32 source static any any destination static ext_inet_DNAT_Public_IP DNAT_PrivateIP unidirectional description Dnat Rule for monitoring
Pool (0.0.0.0) overlap with existing pool.

The public IP is part of a BGP /24 prefix advertised by the upstream routers on the Internet; here's the routing config on the ASA:

 

route Null0 public_prefix/24 255.255.255.0 1

Hardware: ASA 5525 running 9.6.

Thanks!

1 Accepted Solution

Accepted Solutions

Florin Barhala
Level 6

Two months later, here's the idea I got from a network specialist:
"it IS NOT recommended to use NAT section 3 for port-forward configuration; this type of outside/inside access from any source should go to NAT section 2 aka OBJECT NAT"

As a proof he added a source IP on the NAT rule:

nat (outside,inside) after-auto 32 source static src_IP_object src_IP_object destination static ext_inet_DNAT_Public_IP DNAT_PrivateIP unidirectional description Dnat Rule for monitoring

and the warning message was gone.
