09-07-2011 04:38 AM - edited 03-11-2019 02:21 PM
Hi,
Could someone offer me some advice regarding the scenario below please?
I'm currently using an ASA5510 with IOS 8.2(4).
We have a Static NAT translation setup for our internal mail server, to NAT to a public IP.
static (inside,outside) 1.1.1.10 10.10.10.100 netmask 255.255.255.255
I would like to add a Static Policy NAT rule so that the following happens;
Traffic from the mail server 10.10.10.100 is NAT'd to 172.30.10.100 when the destination is 94.150.87.23. The reason for this is that this traffic will be pushed through a L2L VPN and routed out through another site.
static (inside,outside) 172.30.10.100 access-list inside_nat_static
access-list inside_nat_static extended permit ip host 10.10.10.100 host 94.150.87.23
When I configure the Static Policy NAT on the ASA I get the following warning message;
This operation will modify the Static NAT Rule. The modified Static NAT Rule is overlapping with the following existing rules:
static (inside,outside) 1.1.1.10 10.10.10.100 netmask 255.255.255.255
If I apply the Static Policy NAT will it break the current Static NAT rule?
Is there a better way to configure this so that I don't get overlapping rules?
Many thanks,
Paul
09-07-2011 05:55 AM
Ok I found a solution to this. Use a Dynamic NAT policy instead of a Static NAT Policy.
Thanks,
Paul
09-30-2011 01:45 PM
Paul,
I am attempting to do a very similar thing - route from 10.1.1.x to 172.26.1.x when the destination is 10.41.56.x. I have been getting the same response when trying to create a static NAT rule for xlating 10.1.1.0 to 172.26.1.0. Can you please provide some details on how you were able to use a Dynamic NAT rule to accomplish this "splitting"?
Thanks,
Tim
10-03-2011 02:11 AM
Hi Tim,
In my example above, there were 3 commands I needed to configure to create the Dynamic Policy NAT rule;
1. An ACL to match traffic against
2. A global NAT statement
3. A nat statement
Below are the commands as entered for my scenario, which translates 10.10.10.100 to 172.30.10.100 when the destination is 94.150.87.23.
1. access-list inside_nat_outbound extended permit ip host 10.10.10.100 host 94.150.87.23
2. global (outside) 2 172.30.10.100 netmask 255.255.255.0
3. nat (inside) 2 access-list inside_nat_outbound
Alternatively you can use ASDM and go to Configuration > NAT Rules > Add > Add Dynamic Policy NAT rule.
HTH
Paul
10-05-2011 12:23 PM
Hi Paul,
Thanks for your reply. It helped me to understand more clearly what steps you took to resolve the problem you were having. I tried to adapt it to my scenario, in which I needed to NAT not just a single server but a whole network to another network depending on the destination - without success, unfortunately. We decided that since a permanent tunnel wasn't completely necessary, we would just use VPN clients to connect, which removes the problem altogether.
Thanks again for your help.
Tim
10-05-2011 10:08 PM
Paul/Tim,
The very first solution was alright, the only thing is that you first need to remove this line
static (inside,outside) 1.1.1.10 10.10.10.100 netmask 255.255.255.255
and then put it back on; that way, these lines
static (inside,outside) 172.30.10.100 access-list inside_nat_static
access-list inside_nat_static extended permit ip host 10.10.10.100 host 94.150.87.23
will be first and will be hit. Remember that Static NATs are read from top to bottom in order; the only difference with Dynamic (besides the obvious part) is that the more specific you get with the dynamic policy NAT, the more likely you are to hit the rule, whereas in static NAT, no matter whether you have a more specific rule, it will hit the first one on the list.
Mike
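The first-match behaviour Mike describes, as an added example that is not part of the thread: a simplified Python model of ASA 8.2 static NAT ordering (regular and policy statics only; NAT exemption and dynamic rules, which the real appliance also consults, are left out), run over the thread's own lines in both orders. The destination 203.0.113.5 is a constructed placeholder for ordinary Internet traffic.

```python
import ipaddress

# Constructed config: the thread's lines in their original order, with the regular
# static above the policy static (ACL written with "host" on both sides).
CONFIG_ORIGINAL = """
static (inside,outside) 1.1.1.10 10.10.10.100 netmask 255.255.255.255
access-list inside_nat_static extended permit ip host 10.10.10.100 host 94.150.87.23
static (inside,outside) 172.30.10.100 access-list inside_nat_static
"""
# The same lines after Mike's fix: regular static removed and re-added last.
CONFIG_REORDERED = """
access-list inside_nat_static extended permit ip host 10.10.10.100 host 94.150.87.23
static (inside,outside) 172.30.10.100 access-list inside_nat_static
static (inside,outside) 1.1.1.10 10.10.10.100 netmask 255.255.255.255
"""

def _addr(tokens):
    """Consume one ACL address term (host X | any | NET MASK); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse(config):
    """Collect extended ACL entries and static rules; statics keep configuration order."""
    acls, statics = {}, []
    for line in config.strip().splitlines():
        p = line.split()
        if p[0] == "access-list" and p[2:5] == ["extended", "permit", "ip"]:
            src, rest = _addr(p[5:])
            dst, _ = _addr(rest)
            acls.setdefault(p[1], []).append((src, dst))
        elif p[0] == "static" and p[3] == "access-list":   # policy static: ACL selector
            statics.append((p[2], "acl", p[4]))
        elif p[0] == "static":                              # regular static: real IP + mask
            statics.append((p[2], "net", ipaddress.ip_network(f"{p[3]}/{p[5]}", strict=False)))
    return acls, statics

def translate(config, src, dst):
    """Mapped source for (src, dst): the first static that matches wins, as in ASA 8.2."""
    acls, statics = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for mapped, kind, sel in statics:
        if kind == "acl" and any(s in a and d in b for a, b in acls.get(sel, [])):
            return mapped
        if kind == "net" and s in sel:
            return mapped
    return None  # no static matched; the real appliance would go on to dynamic rules
```

With the original order the VPN-bound flow is shadowed by the regular static and leaves as 1.1.1.10; after the reorder it gets 172.30.10.100 while everything else from the mail server still gets 1.1.1.10.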