
Little Issue with NATing

sly007
Level 1

Kindly help me with this scenario.

On my ASA firewall, I had allowed direct translation to other networks, using an access list to filter.

Now I have been required to use NAT to reach some specific hosts on other networks.

I want to use a particular public IP address (not tied to an interface) for this purpose (that is, many-to-one mapping).

But two issues always result when I try to do this.

1. Each time I map another network to this same single IP Address, it tells me there is NAT pool overlap.

([WARNING] nat (inside,outside) after-auto 1 source dynamic Network_Team NAT_For_Gemalto description Gemalto Servers to be accessed

Pool (172.20.20.52) overlap with existing pool.)

2. Each time I apply the configurations, the internal networks that had been working fine through the direct translation stop being able to access the outside network.

How do I make the internal network able to access the outside network through the direct translation, and through the NAT rule when required, and also map multiple internal networks to the same single IP address without the overlap warning?
Thank you.

Below are some of the errors I receive.

[WARNING] nat (inside,outside) after-auto 1 source dynamic Network_Team NAT_For_Gemalto description Gemalto Servers to be accessed
  Pool (172.20.20.52) overlap with existing pool.
[OK] no nat after-auto 1
[OK] object-group network DM_INLINE_NETWORK_3
      object-group network DM_INLINE_NETWORK_3
[OK] network-object object Application_Team
[OK] network-object object Network_Team
[WARNING] nat (inside,outside) after-auto 1 source dynamic DM_INLINE_NETWORK_3 NAT_For_Gemalto description Gemalto Servers to be accessed
  Pool (172.20.20.52) overlap with existing pool.

5 Replies

andrew.prince
Level 10

Policy-based NAT, using access lists defined by source/destination, would be a good place to start.

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

HTH

Does ASA 8.4.1 support policy-based NATing?

Hi Sly007,

On this version you have to use twice NAT. With this you are going to NAT a source IP to a mapped IP regarding the destination, and the destination can be NATed as well if you want.

Here is the link where you will find how to set it up:

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/nat_rules.html

Let me know if you have any questions

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
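As an added worked example (not configuration from this thread or from Cisco's documentation), this is what the twice NAT rule described in the reply above looks like in ASA 8.4 CLI. The object names Application_Team, Network_Team and NAT_For_Gemalto (172.20.20.52) come from the question; the internal subnets, the Gemalto_Servers object and its subnet, and the group name Internal_To_Gemalto are assumed placeholders.

```cisco
! Added example. Object names from the question; all subnets are assumed placeholders.
object network Application_Team
 subnet 10.10.1.0 255.255.255.0
object network Network_Team
 subnet 10.10.2.0 255.255.255.0
! Assumed remote hosts to be reached (documentation address range)
object network Gemalto_Servers
 subnet 192.0.2.0 255.255.255.0
! The single mapped address from the question
object network NAT_For_Gemalto
 host 172.20.20.52
!
! One object-group holds every internal source that should share the mapped
! address, so a single rule (rather than one rule per network) uses the pool.
object-group network Internal_To_Gemalto
 network-object object Application_Team
 network-object object Network_Team
!
! Twice NAT in the after-auto (section 3) part of the NAT table:
! the source is translated to NAT_For_Gemalto only when the destination is a
! Gemalto server; the destination is kept as-is (identity), which is the
! optional destination NAT mentioned in the reply. Other traffic from these
! networks never matches this rule and keeps using the existing translation.
nat (inside,outside) after-auto source dynamic Internal_To_Gemalto NAT_For_Gemalto destination static Gemalto_Servers Gemalto_Servers description Gemalto Servers to be accessed
```

Because the mapped object is a single host address, the ASA performs dynamic PAT for this rule, which gives the many-to-one mapping the question asks for. Whether the "overlap with existing pool" warning goes away depends on which other dynamic rules still reference 172.20.20.52 at the moment the new rule is added; `show running-config nat` and `show nat` list every rule currently using that address, so check them before and after applying the change.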

Thank you Jcarvaja,

Attempts to open the URL return "Forbidden File or application".

Can you help please?
Thank you.

Hello Sly007

Try these:

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/asdm63/configuration_guide/nat_rules.html

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/nat_rules.html

The first one is for ASDM configuration and the second one uses the CLI.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC