Static Policy NAT / Dynamic Policy NAT Conundrum

yuchenglai
Level 1

It seems that when using the ACL in combination with the static translation statement (amounting to static policy NAT), the number of "real" addresses to be translated (as specified in the ACL) needs to equal the number of addresses used for translation (which is only 1 address).

For example, my Cisco ASA 5505 gave no errors when I entered the following:


Static Policy Nat - Accepted by ASA w/ no errors - (1 to 1 mapping of 1 real address to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit ip host 172.16.0.2 host 74.125.45.105

static (inside,outside) 192.168.1.253  access-list staticPOLICYnat

The above policy static nat translates the real source address of 172.16.0.2 to 192.168.1.253 when 172.16.0.2 attempts connections to 74.125.45.105

Notice that there is a 1 to 1 mapping of the "real" address of 172.16.0.2 to the mapped address of 192.168.1.253.

However, in the past I also wondered if I could translate more than one real address and map them to one global address using the ACL and static NAT combo (which amounts to static policy NAT). But I have not been able to get that to work. For example, entering the following provided me with the "global address overlaps with mask" error.

Static Policy Nat - Rejected By ASA w/ error of "global address overlaps with mask" - (many to 1 mapping of multiple real addresses to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit ip any host 74.125.45.105

static (inside,outside) 192.168.1.253  access-list staticPOLICYnat

The above configuration was rejected by my ASA 5505 with an error of "global address overlaps with mask"

In my experience, it is, however, possible to use dynamic policy NAT (instead of static policy NAT) to translate multiple "real" IP addresses to a single mapped/translated address.

Dynamic Policy Nat - Accepted by ASA w/ no errors - (many to 1 mapping of multiple real addresses to 1 mapped address)

access-list staticPOLICYnat line 1 extended permit tcp any host 74.125.45.105

nat (inside) 2 access-list staticPOLICYnat

global (outside) 2 192.168.1.253

Being able to translate multiple source/real addresses to a single mapped/translated address can be useful in the following situation:

Distant end firewalls need a consistent IP address (instead of allowing your site's entire range) from your site when your users access the distant site's services.  This is beneficial in that one would not need to configure static ip addresses just so that the other site's firewall allows the clients to traverse into their network.

If anyone knows how to translate or map multiple IP addresses to a single IP address using STATIC POLICY NAT, please do share.

Best Regards,

David
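As an added illustration (not part of David's post and not the ASA's own code), here is a simplified Python model of the two behaviours the post contrasts: a static policy NAT is a bidirectional one-to-one xlate, so reverse lookups on the mapped address must resolve to exactly one real host, whereas dynamic policy NAT to a single global address keeps a per-connection xlate keyed by mapped address and port, which is what lets many real hosts share 192.168.1.253. The many-to-one rejection in the static class is the model's own check and is not a reproduction of the ASA's "global address overlaps with mask" test.

```python
# Added example, not from the original post: a simplified model of static
# policy NAT versus dynamic policy NAT/PAT. It does not reproduce ASA internals.
from ipaddress import ip_network, ip_address

DEST = "74.125.45.105"    # destination matched by the policy ACL in the post
MAPPED = "192.168.1.253"  # the single mapped (global) address in the post

class StaticPolicyNat:
    """Bidirectional 1:1 mapping: a reverse lookup on MAPPED must be unique."""
    def __init__(self, real_net, mapped, dest):
        self.real_net = ip_network(real_net)
        if self.real_net.num_addresses != 1:
            # Model's own check (assumption): one real address per mapped address,
            # otherwise inbound traffic to MAPPED could not be untranslated.
            raise ValueError("static policy NAT needs one real address per mapped address")
        self.mapped, self.dest = mapped, dest
    def translate(self, src, dst):
        """Outbound: rewrite the source only when the policy (dst) matches."""
        if ip_address(src) in self.real_net and dst == self.dest:
            return self.mapped
        return src
    def untranslate(self, mapped_dst):
        """Inbound: the mapped address resolves to exactly one real host."""
        return str(self.real_net.network_address) if mapped_dst == self.mapped else mapped_dst

class DynamicPolicyNat:
    """Many real hosts -> one global address via per-connection xlates (PAT)."""
    def __init__(self, real_net, mapped, dest):
        self.real_net, self.mapped, self.dest = ip_network(real_net), mapped, dest
        self.xlates = {}        # (mapped_addr, mapped_port) -> (real_addr, real_port)
        self._next_port = 1024  # constructed starting port for the model
    def translate(self, src, sport, dst):
        """Outbound: allocate (or reuse) a mapped port for this real src/sport."""
        if ip_address(src) not in self.real_net or dst != self.dest:
            return (src, sport)
        for key, real in self.xlates.items():
            if real == (src, sport):
                return key
        key = (self.mapped, self._next_port)
        self._next_port += 1
        self.xlates[key] = (src, sport)
        return key
    def untranslate(self, mapped_addr, mapped_port):
        """Return traffic: the (addr, port) pair identifies the real host."""
        return self.xlates[(mapped_addr, mapped_port)]

def static_many_to_one_rejected(real_net="0.0.0.0/0"):
    """True if the model refuses a static policy NAT from many real hosts to one address."""
    try:
        StaticPolicyNat(real_net, MAPPED, DEST)
        return False
    except ValueError:
        return True
```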

1 Reply

Hi David,

Check this link out!!! This may help you  :-)

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043541

regards

Shaik