Another set of eyes on NAT

cstepniewski
Level 1

I'm trying to configure an ASA5510 and when I add this: static (INSIDE,DMZ1) 10.3.200.2 10.3.0.2 netmask 255.255.255.255

I get this:

INFO: Global address overlaps with NAT exempt configuration.

I don't see the overlap. I have attached the running config for review.

14 Replies

dominic.caron
Level 5

You do have an overlap...

If you have a packet sourced from inside (10.3.0.2) to DMZ1 (10.3.100.*), you qualify for your static statement and your

access-list REMOTE_ACCESS_NAT extended permit ip any 10.3.100.0 255.255.255.0

Ahh but the DMZ is 10.3.200.*/24 not 10.3.100.*

and the remote access VPN ACL has a 10.3.100.0/24

See my dilemma? These are separate networks technically, but it says they overlap..

technically (misspelled it)

Ho, I understand now


If I try to simplify the issue, your static statements are simple enough and are not the problem. This leaves a conflict between them and the nat 0. If I was in your place, I think I would try changing it to

access-list REMOTE_ACCESS_NAT extended permit ip 10.3.100.0 255.255.255.0 10.3.0.2 255.255.X.X

+ 1 other line for the DMZ1.

If this does not work, I'll be out of ideas.
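The overlap dominic.caron describes can be checked offline before touching the box. The following is an added example, not the attached running config or anything from the thread; it assumes (my simplification of the ASA's check) that the "Global address overlaps with NAT exempt configuration" message fires when the static's global (mapped) address falls inside any source or destination address of the nat 0 access-list, and the sample lines are constructed from the values quoted in the thread.

```python
import ipaddress
import re

# Constructed sample lines modelled on the thread; not the poster's attached config.
STATIC_LINE = "static (INSIDE,DMZ1) 10.3.200.2 10.3.0.2 netmask 255.255.255.255"
EXEMPT_ACL_ORIGINAL = [
    "access-list REMOTE_ACCESS_NAT extended permit ip any 10.3.100.0 255.255.255.0",
]
# Assumed narrowing: replace 'any' with the inside network so the DMZ1 address is no longer covered.
EXEMPT_ACL_NARROWED = [
    "access-list REMOTE_ACCESS_NAT extended permit ip 10.3.0.0 255.255.255.0 10.3.100.0 255.255.255.0",
]


def parse_static(line):
    """Return (mapped_net, real_net) from a pre-8.3 style 'static (in,out) MAPPED REAL netmask M' line."""
    m = re.match(r"static \(\S+\) (\S+) (\S+) netmask (\S+)", line)
    if not m:
        raise ValueError(f"not a static line: {line}")
    mapped, real, mask = m.groups()
    return (ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
            ipaddress.ip_network(f"{real}/{mask}", strict=False))


def _addr_spec(tokens):
    """Consume one ACE address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Return (src_net, dst_net) from 'access-list NAME [extended] permit ip SRC DST'."""
    tokens = line.split()
    i = tokens.index("permit")
    if tokens[i + 1] != "ip":
        raise ValueError("only 'permit ip' ACEs are modelled here")
    src, rest = _addr_spec(tokens[i + 2:])
    dst, _ = _addr_spec(rest)
    return src, dst


def find_overlaps(static_line, exempt_acl):
    """Return the exempt ACEs whose source or destination covers the static's global address.

    Assumption: this is the condition the ASA reports as
    'Global address overlaps with NAT exempt configuration'."""
    mapped, _real = parse_static(static_line)
    return [ace for ace in exempt_acl
            if any(mapped.overlaps(net) for net in parse_ace(ace))]
```

Running `find_overlaps` on the original ACL reports the `any` entry as covering 10.3.200.2, while the narrowed ACL reports nothing.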

Thanks, but could you put it in the proper syntax? I don't think I understand?

Here is the latest config. I even stopped using a zero subnet and I'm still getting this when I apply the static statement.

INFO: Global address overlaps with NAT exempt configuration

cstepniewski
Level 1

Could this be a bug? I don't see an overlap.

Hi ... Can you try changing the below:

global (DMZ1) 1 10.3.200.11-10.3.200.20

to

global (DMZ1) 2 10.3.200.11-10.3.200.20

and adding

nat (inside) 2 0.0.0.0 0.0.0.0

Sorry for the slow response, I had to go out of town. After changing the global statement and adding the "nat (inside) 2 0.0.0.0 0.0.0.0", I get "Duplicate NAT entry".

Hi .. can you try this

access-list testing permit ip any any

no global (DMZ1) 1 10.3.200.11-10.3.200.20

global (DMZ1) 2 10.3.200.11-10.3.200.20

clear xlate

and then adding

nat (inside) 2 access-list testing

I created this access-list:

access-list testing permit ip any any

then I performed your changes without error. Is there a way to do it without policy-based NATting?

For some reason it does not like to have the same entry on a nat even though you use a different nat id.

Yeah. I'm still leaning towards bug in the IOS...

gabrielbryson
Level 1

try this

#no global (DMZ1) 1 10.3.200.79-10.3.200.99

#global (DMZ1) 1 interface