Static rule is overlapping with an existing natting rule!!

Sundeep Dsouza
Level 1

We have a server placed on the inside segment of the ASA and it is natted to an outside public IP.

static (Inside,Outside) 196.187.5.6 192.168.x.29 netmask 255.255.255.255

There are some services allowed from the outside to this public IP 196.187.5.6.

I was tasked with configuring a site-to-site VPN, so I had to create a NAT for 192.168.x.29 since we had overlapping network addresses on both sides. So I went ahead and created a static policy NAT rule like the one below.

access-list dreamnat extended permit ip host 192.168.x.29 192.168.199.0 255.255.255.0

static (Inside,Outside) 192.168.199.50 access-list dreamnat

The moment I hit enter after entering the above NAT statement I get "INFO: overlap with existing static Inside:192.168.x.29 to Outside:196.187.5.6 netmask 255.255.255.255"

What I observed is, the firewall accepted the command with a warning but has not stopped any services. I can now ping the inside IP 192.168.199.50 from the other branch and can access the services which are available from the outside via its public IP.

Will this cause any disruption in the near future? Or can I take an alternate route to accomplish this task without the overlap warning message?

Regards

Accepted Solution

Jennifer Halim
Cisco Employee

You are right, you can just ignore the warning message. As long as the static policy NAT statement is a more specific ACL, then it should not cause any problem at all. Just make sure that you don't add ACL line that might say destination "any" as this will definitely cause issue. Apart from that, you are good with the current configuration.

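To make the accepted answer concrete, the following is an added configuration example in the pre-8.3 ASA NAT syntax the thread uses; it is not the poster's running config or a Cisco reference config. It keeps the addresses from the post (192.168.x.29 is left exactly as the post masked it, 196.187.5.6, 192.168.199.50 and 192.168.199.0/24 are from the post) and assumes a branch host 192.168.199.10 and an outside client 203.0.113.10 for the verification commands.

```text
! Existing one-to-one static for the public-facing services (from the post)
static (Inside,Outside) 196.187.5.6 192.168.x.29 netmask 255.255.255.255

! Policy static for the site-to-site VPN. The ACL is deliberately narrow:
! only traffic from the server to the branch network 192.168.199.0/24 is
! translated to 192.168.199.50. The ASA prints
! "INFO: overlap with existing static Inside:192.168.x.29 to Outside:196.187.5.6 ..."
! and still installs the rule; this is the configuration the accepted answer says is fine.
access-list dreamnat extended permit ip host 192.168.x.29 192.168.199.0 255.255.255.0
static (Inside,Outside) 192.168.199.50 access-list dreamnat

! The variant the accepted answer warns against. With destination "any" the
! policy static overlaps the public static for every destination instead of
! only the VPN subnet, which is the case that breaks the existing services.
! Shown commented out; do not configure it.
!   access-list dreamnat extended permit ip host 192.168.x.29 any

! Verification after the change (assumed hosts 192.168.199.10 and 203.0.113.10):
! show xlate | include 192.168.x.29
! packet-tracer input Inside tcp 192.168.x.29 1025 192.168.199.10 80
! packet-tracer input Outside tcp 203.0.113.10 1025 196.187.5.6 443
```

The two packet-tracer runs are the check worth keeping: the first should show the NAT phase picking the policy translation to 192.168.199.50 for branch-bound traffic, the second should still land on 192.168.x.29 through the 196.187.5.6 static. Remember that the crypto map ACL for this tunnel has to match the translated address 192.168.199.50, not 192.168.x.29, because the ASA applies NAT before it evaluates the crypto ACL.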

