6.3(3) -> 7.0(2) Upgrade: "Error: duplicate of existing static"

opendevelopers
Level 1

Hello,

I am struggling to understand a way around a problem that has arisen since I upgraded my 515e failover pair to v7.0(2).

We used to NAT 2 different IP addresses through the PIX to the same internal IP address using the following commands:

static (inside,outside) 195.195.195.11 192.168.0.13 netmask 255.255.255.255 0 0

static (inside,outside) 195.195.195.10 192.168.0.13 netmask 255.255.255.255 0 0

However, since the upgrade, the new version of the PIX software doesn't "allow" this kind of configuration, which, from the reading that I have done since, I can understand.

My question is, is there a way around this problem? Because although we can rationalise the 2 external IPs pointing to one internal IP by merging the 2 external IPs into one, we are experiencing the same problem with VPN traffic that used to work with the following command:

static (inside,outside) 192.168.0.13 192.168.0.13 netmask 255.255.255.255 0 0

The new version does not allow these two commands to exist on the PIX without giving the referring error:

static (inside,outside) 195.195.195.10 192.168.0.13 netmask 255.255.255.255 0 0

static (inside,outside) 192.168.0.13 192.168.0.13 netmask 255.255.255.255 0 0

Your assistance is appreciated.

- Edward

1 Reply

opendevelopers
Level 1

Hi,

I finally managed to figure this out, with a little help from a friend, by implementing policy NAT. The solution was similar to this:

access-list acl_any_server01 extended permit ip host 192.168.0.13 any

access-list acl_vpn_server01 extended permit ip host 192.168.0.13 10.0.0.0 255.255.0.0

access-list acl_vpn_server01 extended permit ip host 192.168.0.13 172.20.0.0 255.255.0.0

static (inside,outside) 192.168.0.13 access-list acl_vpn_server01

static (inside,outside) 195.195.195.10 access-list acl_any_server01

- Edward
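
A pre-upgrade check for the conflict discussed in this thread, as an added example that is not part of the original posts: it scans a saved configuration for plain `static` lines that map more than one outside address to the same inside address on the same interface pair, which is the pattern the first post reports 7.0(2) rejecting. The function names, the two extra sample lines and the grouping rule are assumptions modelled on the thread's description, not on Cisco's documentation.

```python
import re
from collections import defaultdict

# Constructed sample config: the three statics quoted in the thread, plus one
# unrelated host and one policy-NAT static (names for those two are made up).
SAMPLE_CONFIG = """\
static (inside,outside) 195.195.195.11 192.168.0.13 netmask 255.255.255.255 0 0
static (inside,outside) 195.195.195.10 192.168.0.13 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.0.13 192.168.0.13 netmask 255.255.255.255 0 0
static (inside,outside) 195.195.195.20 192.168.0.20 netmask 255.255.255.255 0 0
static (inside,outside) 195.195.195.30 access-list acl_any_server02
"""

# Matches only statics whose mapped address is a dotted quad; port redirection
# (tcp/udp) and "interface" forms are deliberately left out of this check.
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<mapped>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<rest>\S.*)$"
)

def parse_statics(config):
    """Return one dict per address static; policy-NAT lines have real=None."""
    entries = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        tokens = m["rest"].split()
        entry = {"line": lineno, "real_if": m["real_if"], "mapped_if": m["mapped_if"],
                 "mapped": m["mapped"], "real": None, "mask": None, "acl": None}
        if tokens[0] == "access-list" and len(tokens) > 1:
            entry["acl"] = tokens[1]          # policy NAT: real side is the ACL
        else:
            entry["real"] = tokens[0]
            i = tokens.index("netmask") if "netmask" in tokens else -1
            entry["mask"] = tokens[i + 1] if 0 <= i < len(tokens) - 1 else None
        entries.append(entry)
    return entries

def find_duplicate_reals(config):
    """Group plain statics by (interfaces, real address, mask); keep groups > 1."""
    groups = defaultdict(list)
    for e in parse_statics(config):
        if e["acl"] is None:
            groups[(e["real_if"], e["mapped_if"], e["real"], e["mask"])].append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for (rif, mif, real, mask), hits in find_duplicate_reals(SAMPLE_CONFIG).items():
        mapped = ", ".join(f"{h['mapped']} (line {h['line']})" for h in hits)
        print(f"({rif},{mif}) real {real}/{mask} is mapped more than once: {mapped}")
```

Statics written in the policy NAT form from the reply are parsed but never flagged, since their inside side is defined by an access list rather than a single address.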