Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
263
Views
0
Helpful
1
Replies

New Guest Network will not PAT to outside interface for overload

dan hale
Level 3
Level 3

‎06-27-2015 02:58 PM - edited ‎03-11-2019 11:11 PM

Hello all, I just created a new interface on my firewall for Guest traffic but, I cant seem to PAT using the outside interface. Our firewall is a Cisco ASA 5512 running version 9.1. I'm stringing with the new NAT's.

 

We have an outside, DMZ, inside, and now a guest interface. When I try to add the this command I get the following:

 

ERROR: Address 192.168.1.1 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

 

Below is my interfaces and important info:

 

GigabitEthernet0/0       outside                192.168.1.1   255.255.255.252 CONFIG
GigabitEthernet0/1       inside                 192.168.254.1   255.255.255.0   CONFIG
GigabitEthernet0/2       dmz                    192.168.50.0   255.255.255.248 CONFIG
GigabitEthernet0/3       guest                  172.16.0.1      255.255.254.0   CONFIG
 

Here is the current PAT for my inside network that works:

 

object network obj_any
 nat (inside,outside) dynamic interface

 

Do I need to change my above nat to be more specific for the object network? I only have a /30 from my ISP for my outside and a /29 allocated for my DMZ servers.

 

I did try to remove the above nat and I added the following:

 object network OBJ-192.168.20.0-24

 description (my real inside address scheme)
 subnet 192.168.20.0 255.255.255.0
 nat (inside,outside) dynamic 192.168.1.1

 

Still got this same error (ERROR: Address 192.168.1.1 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded)

 

Cant I not PAT both my inside and new guest networks to the same outside interface?

 

My outside and dmz subnets I have sanitized and are not the real routable subnets.

Thanks,
Dan

 

 

Labels:
0 Helpful
1 Reply 1

Henrik Grankvist
Level 4
Level 4

‎06-28-2015 01:48 AM

Hi

Don't think you can specify the IP address of the interface in a NAT statement, you have to use the "interface" keyword.

You should be able to do the following:

object network INSIDE-NETWORK
 subnet 192.168.254.0 255.255.255.0
 nat (inside,outside) dynamic interface

object network GUEST-NETWORK
 subnet 172.16.0.0 255.255.254.0
 nat (guest,outside) dynamic interface

or you could:

object network obj_any
 nat (any,outside) dynamic interface
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card