04-26-2016 08:28 AM - edited 03-12-2019 12:40 AM
object service inside-src-dest-port-9100
service tcp source eq 9100 destination range 0 65535
64 nat (inside,outside) source static OBJ-ipB OBJ-ipA destination static OBJGRP OBJGRP service inside-src-dest-port-9100 inside-src-dest-port-9100
65 nat (inside,outside) source static OBJ-ipC OBJ-ipA destination static OBJGRP OBJGRP service inside-src-dest-port-9100 inside-src-dest-port-9100
After configuring rule 65, why do I get the following warning?
WARNING: mapped-address ipA/9100-0 overlaps with existing static NAT in Section 1, rule 64.
Can anyone please help explain the reason behind the warning message and what can be done to avoid it?
04-26-2016 12:49 PM
Hi
The reason is that you can't have an overlap in the NAT statement when doing static NAT. Both OBJ-ipB and OBJ-ipC are being NATed to OBJ-ipA on tcp/9100, which is not allowed.
Think of this: if a user on the internet is connecting to the IP of OBJ-ipA on TCP/9100, which server should it be directed to, OBJ-ipB or OBJ-ipC? There is no way to differentiate the two.
To correct it you could either use another NATed IP on the outside, like OBJ-ipD, or you could NAT the port number. Then users coming from the outside who want to connect to TCP/9100 on OBJ-ipB need to connect to OBJ-ipA on TCP/9101.
object service tcp-eq-9100
service tcp source eq 9100
object service tcp-eq-9101
service tcp source eq 9101
nat (inside,outside) source static OBJ-ipB OBJ-ipA destination static OBJGRP OBJGRP service tcp-eq-9100 tcp-eq-9101
04-27-2016 08:39 AM
I see. Well, these are the original 8.2 NAT statements I was trying to convert to 9.4 code.
static (inside,outside) tcp ipA 1025 access-list inside_nat_static_131
static (inside,outside) tcp ipA 1026 access-list inside_nat_static_132
Are 1025 and 1026 here the mapped port numbers?
So would I be correct in modifying the NAT rules to:
nat (inside,outside) source static OBJ-ipB OBJ-ipA destination static OBJGRP OBJGRP service tcp-eq-9100 tcp-eq-1025
nat (inside,outside) source static OBJ-ipB OBJ-ipA destination static OBJGRP OBJGRP service tcp-eq-9100 tcp-eq-1026
04-30-2016 12:35 AM
I'm not really sure about the pre-8.3 syntax, but the other configuration looks correct.
05-02-2016 11:57 AM
Yes, it looks like they are the mapped port numbers according to the syntax from the Cisco guide. Thanks for your help.
static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port access-list acl_name
[dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
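As an added example (not the poster's or Cisco's code), here is a small Python checker that parses service objects and twice-NAT rules in the form used in this thread and reports the same kind of mapped-address collision the ASA warned about: once for the original rules 64/65, and once for a port-translated fix modelled on the answer and the 1025/1026 follow-up. The configs are constructed, rules are numbered by order of appearance rather than by ASA section, and the warning wording is simplified.

```python
import re

# Constructed configs (not the poster's full running-config): the thread's two
# overlapping rules, and a fixed version that maps ipB and ipC to distinct ports.
OVERLAPPING = """
object service inside-src-dest-port-9100
 service tcp source eq 9100 destination range 0 65535
nat (inside,outside) source static OBJ-ipB OBJ-ipA destination static OBJGRP OBJGRP service inside-src-dest-port-9100 inside-src-dest-port-9100
nat (inside,outside) source static OBJ-ipC OBJ-ipA destination static OBJGRP OBJGRP service inside-src-dest-port-9100 inside-src-dest-port-9100
"""
FIXED = """
object service tcp-eq-9100
 service tcp source eq 9100
object service tcp-eq-1025
 service tcp source eq 1025
object service tcp-eq-1026
 service tcp source eq 1026
nat (inside,outside) source static OBJ-ipB OBJ-ipA destination static OBJGRP OBJGRP service tcp-eq-9100 tcp-eq-1025
nat (inside,outside) source static OBJ-ipC OBJ-ipA destination static OBJGRP OBJGRP service tcp-eq-9100 tcp-eq-1026
"""

SERVICE_RE = re.compile(r"^object service (\S+)\n\s*service (tcp|udp) source eq (\d+)", re.M)
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static "
                    r"\S+ \S+ service (\S+) (\S+)", re.M)

def parse_services(config):
    """Service-object name -> (protocol, 'source' port, i.e. the real host's port)."""
    return {m[1]: (m[2], int(m[3])) for m in SERVICE_RE.finditer(config)}

def iter_rules(config):
    """Yield (rule_no, real_ip, (mapped_ip, proto, mapped_port)) for each twice-NAT rule."""
    services = parse_services(config)
    for rule_no, m in enumerate(NAT_RE.finditer(config), start=1):
        real_ip, mapped_ip, _real_svc, mapped_svc = m.groups()
        proto, mapped_port = services[mapped_svc]
        yield rule_no, real_ip, (mapped_ip, proto, mapped_port)

def check_overlaps(config):
    """ASA-style warnings for rules whose mapped (IP, proto, port) is already claimed."""
    seen, warnings = {}, []
    for rule_no, _real_ip, key in iter_rules(config):
        if key in seen:  # two real hosts behind one mapped IP/port: inbound is ambiguous
            warnings.append(f"WARNING: mapped-address {key[0]}/{key[2]} overlaps "
                            f"with existing static NAT rule {seen[key]}")
        else:
            seen[key] = rule_no
    return warnings

if __name__ == "__main__":
    print(check_overlaps(OVERLAPPING))  # one warning for rule 2 vs rule 1
    print(check_overlaps(FIXED))        # []
```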