04-08-2008 08:51 AM - edited 03-11-2019 05:28 AM
I have a Cisco 515e running 7.0(1), and one problem with the config of my NATs on my PIX is that the inside interface is not NATed. Rather, just the subnet of my internal network. So when I try to add a NAT rule for a single host on that subnet I get: "This static port mapping rule is overlapping with a dynamic address translation rule for X.X.X.X/255.255.252.0 using global pool 1. Do you wish to proceed?" I suppose I could proceed without issue? In the end I would like to replace the subnet NAT using the inside interface, so that I don't receive this message every time I set up a static NAT. But I do not want to compromise by breaking my security policies. Is it possible to insert the inside interface NAT and then remove the subnet NAT without breaking my security policies and causing too much disruption?
04-08-2008 10:58 AM
You should experience only a brief disruption when you add nat inside and remove the static NAT configuration. You might want to be precise when you configure nat inside instead of nat anything to set up a more secure configuration. For example, a more secure configuration would be nat (inside) 1 10.1.1.0 255.255.255.0 instead of nat (inside) 1 0.0.0.0.
HTH
Sundar
04-08-2008 11:26 AM
With changes I need (or want) to do during biz hours, I usually first type them up in my fav. text editor (TextPad) and then copy/paste them into my fav. telnet/ssh client (SecureCRT).
In your case:
no nat (inside) 1 0 0
nat (inside) 1 10.1.1.0 255.255.255.0
clear xlate
...to build on Sundar's example.
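As an added illustration (not part of the thread), a small Python check that reproduces the overlap test behind the ASDM warning quoted above: it parses PIX 7.x `nat` and `static` lines and reports every static whose local host falls inside a dynamic `nat` network on the same interface, so you can see how much a catch-all `nat (inside) 1 0 0` versus a precise subnet changes the picture. The config lines are constructed samples, not the poster's config.

```python
import ipaddress

# Constructed sample PIX 7.x lines: a /22 dynamic rule plus three statics.
SAMPLE_CONFIG = """
nat (inside) 1 10.1.1.0 255.255.252.0
static (inside,outside) 192.0.2.10 10.1.1.25 netmask 255.255.255.255
static (inside,outside) tcp 192.0.2.11 www 10.1.2.40 www netmask 255.255.255.255
static (inside,outside) 192.0.2.12 10.9.9.5 netmask 255.255.255.255
"""


def parse_nat(line):
    """'nat (inside) 1 10.1.1.0 255.255.252.0' -> (iface, nat_id, network).
    PIX accepts the shorthand 'nat (inside) 1 0 0' for 0.0.0.0 0.0.0.0."""
    t = line.split()
    iface = t[1].strip("()")
    addr = "0.0.0.0" if t[3] == "0" else t[3]
    mask = "0.0.0.0" if t[4] == "0" else t[4]
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return iface, int(t[2]), net


def parse_static(line):
    """Return (inside_iface, local_host) for both static forms:
    'static (in,out) GLOBAL LOCAL netmask M' and
    'static (in,out) tcp|udp GLOBAL GPORT LOCAL LPORT netmask M'."""
    t = line.split()
    inside_iface = t[1].strip("()").split(",")[0]
    local = t[5] if t[2] in ("tcp", "udp") else t[3]
    return inside_iface, ipaddress.ip_address(local)


def find_overlaps(config_text):
    """List (local_host, nat_id, network) for every static whose local
    address is covered by a dynamic nat rule on the same interface."""
    nats, statics = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("nat ("):
            nats.append(parse_nat(line))
        elif line.startswith("static ("):
            statics.append(parse_static(line))
    return [
        (str(local), nat_id, str(net))
        for s_iface, local in statics
        for n_iface, nat_id, net in nats
        if s_iface == n_iface and local in net
    ]


if __name__ == "__main__":
    for host, nat_id, net in find_overlaps(SAMPLE_CONFIG):
        print(f"static for {host} overlaps nat id {nat_id} ({net})")
```

Swapping the first line for the narrower `nat (inside) 1 10.1.1.0 255.255.255.0` from the thread drops the 10.1.2.40 overlap, while `nat (inside) 1 0 0` flags every static.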