05-04-2006 05:04 AM - edited 03-09-2019 02:48 PM
Hi all.
I have 2 PIX 525 (7.1.2) and I need to set up a very complex NAT configuration. I will explain the problem better.
My internal networks, for example 192.168.1.0/24, 192.168.2.0/24, 192.168.5.0/24 and 192.168.4.0/24, need to reach 2 DMZs (192.168.100.0/24 and 192.168.200.0/24) through these 2 PIX 525. I need a very complex NAT configuration with many static NATs, dynamic NAT, identity NAT and NAT per destination.
For example, all internal networks 192.168.1.0/24 must reach 192.168.200.1 with PAT, and this is ok and works correctly, no problem (global 192.168.200.244).
Network 192.168.100.0/24 must reach 192.168.2.1 with static identity policy NAT and 192.168.2.2 with static policy NAT (xlate with 192.168.100.244). I configured this correctly and it works.
The problem is when I need to configure some or all inside networks to reach some IPs on the 2 DMZs with identity NAT.
For example, 192.168.1.0/24 and 192.168.2.0/24 must reach 192.168.200.6, and 192.168.3.0/24 and 192.168.4.0/24 must reach 192.168.100.9, all without NAT.
So I configured NAT exemption with an access-list to permit identity translation from the internal nets to hosts on the DMZ.
But I receive an error: "INFO: Outside address overlap with static NAT configuration".
The problem is that the configured static policy NAT includes IP addresses like 192.168.2.1 that overlap with the NAT exemption. If I configure identity NAT on 192.168.2.1 no error is reported. So I think that NAT exemption and identity NAT work on separate processes ... but I don't know.
Can you give me advice to resolve this problem of overlapping NAT?
I need more and more flexibility because many clients connect to servers per destination with NAT or identity NAT.
Thx.
05-04-2006 06:01 PM
Hi, it would help if you post your config and a brief summary of what you need, i.e.
1.- from subnet .xx.x. to subnet x.x.x (PAT )
2.- from subnet x.x.x.x to subnet/hosts x.x.x.x ( NO NAT )
3.- from subnet/host x.x.x.x to subnet/host x.x.x.x (static ) .. etc
Would you be able to elaborate this and I can have a look at it over the weekend?
05-04-2006 11:09 PM
Yes, ok. I post a very simple example of what I try to obtain.
A) On DMZ1 (192.168.100.0/24) a client needs to reach 192.168.2.1 on inside without NAT
B) On DMZ1 (192.168.100.0/24) a client needs to reach 192.168.2.2 on inside with a translated address (xlate 192.168.100.100)
C) On DMZ2 (192.168.200.0/24) a client needs to reach 192.168.2.3 on inside without NAT
D) On DMZ2 (192.168.200.0/24) a client needs to reach 192.168.2.4 on inside with a translated address (xlate 192.168.200.100)
E) On inside (192.168.2.0/24), clients need to reach 192.168.200.244 with NAT (xlate 192.168.200.1)
F) On inside (192.168.2.0/24), clients need to reach 192.168.100.244 without NAT
So the configuration is:
A) STATIC IDENTITY POLICY NAT
access-list DEST-A extended permit ip host 192.168.2.1 host 192.168.100.34
static (inside,dmz1) 192.168.2.1 access-list DEST-A
B) STATIC POLICY NAT
access-list DEST-B extended permit ip host 192.168.2.2 host 192.168.100.44
static (inside,dmz1) 192.168.100.100 access-list DEST-B
C) STATIC IDENTITY POLICY NAT
access-list DEST-C extended permit ip host 192.168.2.3 host 192.168.200.34
static (inside,dmz2) 192.168.2.3 access-list DEST-C
D) STATIC POLICY NAT
access-list DEST-D extended permit ip host 192.168.2.4 host 192.168.200.44
static (inside,dmz2) 192.168.200.100 access-list DEST-D
E) PAT
access-list DEST-E extended permit ip 192.168.2.0 255.255.255.0 host 192.168.200.244
nat (inside) 1 access-list DEST-E
global (dmz2) 1 192.168.200.1 netmask 255.255.255.255
F) NAT EXEMPTION
access-list DEST-F extended permit ip 192.168.2.0 255.255.255.0 host 192.168.100.244
nat (inside) 0 access-list DEST-F
Result:
When I set up NAT EXEMPTION on (F) the PIX console gives me an INFO message: "INFO: Outside address overlap with static NAT configuration".
I think this message is only a warning because the configuration is accepted anyway, but I don't know if it will work correctly.
I need advice to avoid this overlapping using the configuration example I gave you.
Thx.
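The overlap the INFO message complains about can be checked offline before the config is pushed. The following Python script is an added example, not code from the thread or from Cisco: it parses the subset of PIX 7.x syntax used in the posted blocks (extended ACLs, `static`, `nat ... 0 access-list`) and reports every nat-exemption source that covers a real address some static on the same real interface also translates. It is an assumption that this real-address overlap between the `nat 0` ACL and the statics is what the PIX is warning about; the sample config embedded below is the posted one, with block D's ACL named DEST-D so that its `static` line resolves.

```python
"""Overlap checker for PIX 7.x NAT statements: does a nat-exemption ACL
(nat <if> 0 access-list NAME) cover a real address that a static on the
same real interface also translates?  Added example, not from the thread."""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Constructed sample: the blocks posted in the thread.  Block D's ACL is
# named DEST-D here so that its static statement resolves (assumed typo).
SAMPLE_CONFIG = """
access-list DEST-A extended permit ip host 192.168.2.1 host 192.168.100.34
static (inside,dmz1) 192.168.2.1 access-list DEST-A
access-list DEST-B extended permit ip host 192.168.2.2 host 192.168.100.44
static (inside,dmz1) 192.168.100.100 access-list DEST-B
access-list DEST-C extended permit ip host 192.168.2.3 host 192.168.200.34
static (inside,dmz2) 192.168.2.3 access-list DEST-C
access-list DEST-D extended permit ip host 192.168.2.4 host 192.168.200.44
static (inside,dmz2) 192.168.200.100 access-list DEST-D
access-list DEST-E extended permit ip 192.168.2.0 255.255.255.0 host 192.168.200.244
nat (inside) 1 access-list DEST-E
global (dmz2) 1 192.168.200.1 netmask 255.255.255.255
access-list DEST-F extended permit ip 192.168.2.0 255.255.255.0 host 192.168.100.244
nat (inside) 0 access-list DEST-F
"""


def parse_addr(tok: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACL address spec ('any', 'host A', or 'A MASK') at tok[i]."""
    if tok[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return Net(tok[i + 1] + "/32"), i + 2
    return Net(tok[i] + "/" + tok[i + 1]), i + 2


def parse_config(text: str):
    """Return (acls, statics, exemptions) for the subset of syntax used here."""
    acls: Dict[str, List[Tuple[Net, Net]]] = {}
    statics: List[dict] = []
    exemptions: List[Tuple[str, str]] = []      # (real interface, ACL name)
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = parse_addr(tok, 5)
            dst, _ = parse_addr(tok, i)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            entry = {"line": raw, "real_if": real_if, "mapped_if": mapped_if,
                     "mapped": tok[2], "acl": None, "real": None}
            if tok[3] == "access-list":          # policy static: real side is the ACL source
                entry["acl"] = tok[4]
            else:                                # plain static, optional netmask keyword
                mask = tok[tok.index("netmask") + 1] if "netmask" in tok else "255.255.255.255"
                entry["real"] = Net(tok[3] + "/" + mask)
            statics.append(entry)
        elif tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
            exemptions.append((tok[1].strip("()"), tok[4]))
    return acls, statics, exemptions


def real_addresses(static: dict, acls: Dict[str, List[Tuple[Net, Net]]]) -> List[Net]:
    """Real (pre-translation) addresses a static covers."""
    if static["acl"] is not None:
        return [src for src, _ in acls.get(static["acl"], [])]
    return [static["real"]]


def find_overlaps(text: str) -> List[Tuple[str, str, str]]:
    """Each finding: (exemption ACL, exempt source, overlapping static line).
    Only real-address overlap on the same real interface is examined."""
    acls, statics, exemptions = parse_config(text)
    findings = []
    for iface, acl_name in exemptions:
        for src, _dst in acls.get(acl_name, []):
            for st in statics:
                if st["real_if"] != iface:
                    continue
                if any(src.overlaps(real) for real in real_addresses(st, acls)):
                    findings.append((acl_name, str(src), st["line"]))
    return findings


if __name__ == "__main__":
    for acl, src, line in find_overlaps(SAMPLE_CONFIG):
        print(f"nat 0 {acl} source {src} overlaps: {line}")
```

Run against the posted config it reports four overlaps: the /24 source of DEST-F contains the real hosts 192.168.2.1 through 192.168.2.4 that blocks A to D translate on the same `inside` interface, which is the condition described in the first post. Narrowing the exemption source to a host that no static covers (for example `host 192.168.2.10`) produces no finding, so the script can be used as a pre-commit check while the real interaction of nat 0 and static is confirmed on the box.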