2 Static NATs on Same Interface

numarkcu1
Level 1

I have an ASA 5510 (8.2(5)) and I am trying to set up a site-to-site VPN to one of our vendors.  The problem that I am running into is that they want me to NAT a specific private IP address to one of our servers, and that server already has a static NAT from the outside to a DMZ.  This is the current NAT rule:

static (DMZ1,outside) 65.43.x.x 10.0.0.3 netmask 255.255.255.255

and they want me to map 172.28.9.42 to the same server so I tried to add:

static (DMZ1,outside) 172.28.9.42 10.0.0.3 netmask 255.255.255.255

but cannot because it says that it is a duplicate translation.

Any help would be greatly appreciated.

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

It would seem to me that you have to configure a Static Policy NAT

The configurations would be the following

access-list DMZ-POLICY-NAT permit ip host 10.0.0.3 172.27.255.0 255.255.255.0

static (DMZ1,outside) 172.28.9.42 access-list DMZ-POLICY-NAT

Regarding the configurations

  • ACL name can naturally be anything you like
  • Destination network can be a single host IP address if needed
  • You should be able to configure multiple lines if needed

Notice that you will have to have this NAT configuration before the actual Public IP address Static NAT command. So you might have to remove the existing Static NAT, configure the above one and then add the original one.

This is because if you don't configure the Static Policy NAT first in the configuration, all traffic will keep hitting the normal Static NAT rule for the public IP address.

- Jouni

3 Replies

Thank you very much, that makes sense. Does this policy work reflexively? For instance, the DMZ-POLICY-NAT ACL is looking for traffic originating from 10.0.0.3 and destined for 172.27.255.x (that is the destination network), but if they send traffic to 172.28.9.42 will it pick up the NAT translation, or should I add:

access-list DMZ-POLICY-NAT permit ip 172.27.255.0 255.255.255.0 host 10.0.0.3

Hi,

The single Static Policy NAT configuration I mentioned in the previous post should, to my understanding, work both ways. So both ends can initiate the connection.

You shouldn't need any additional NAT configurations.

Please rate and mark the question as answered if correct.

- Jouni
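The complete change from the accepted answer, together with the "works both ways" point from the last reply, as one worked example. This is added here and is not part of the original thread or of Jouni's posts. It assumes the vendor network behind the tunnel is 172.27.255.0/24 (stated in the follow-up question), keeps the public address as 65.43.x.x exactly as the original post gives it (so that line is not pasteable as-is), and uses 172.27.255.10 as a made-up vendor host and VENDOR-VPN as a made-up crypto ACL name for the verification steps. Syntax is for ASA 8.2(5) as in the question, not for 8.3 and later, where NAT is configured differently.

```cisco
! Added example for ASA 8.2(5); not from the original thread.
! Assumed: vendor network behind the tunnel is 172.27.255.0/24.
! 65.43.x.x is left as the original post wrote it.

! 1. Remove the existing one-to-one static so the policy static can be
!    entered ahead of it. Static statements are matched in configuration
!    order, so the more specific policy static must appear first.
no static (DMZ1,outside) 65.43.x.x 10.0.0.3 netmask 255.255.255.255

! 2. Policy NAT ACL: real source host and the vendor destination network.
!    A static policy NAT is bidirectional: outbound, 10.0.0.3 -> 172.27.255.0/24
!    is translated to 172.28.9.42; inbound, packets from 172.27.255.0/24 sent to
!    172.28.9.42 are untranslated to 10.0.0.3. Traffic from any other source
!    sent to 172.28.9.42 does not match and is not untranslated.
access-list DMZ-POLICY-NAT extended permit ip host 10.0.0.3 172.27.255.0 255.255.255.0

! 3. Policy static first.
static (DMZ1,outside) 172.28.9.42 access-list DMZ-POLICY-NAT

! 4. Re-add the original public static after it. All other traffic from
!    10.0.0.3 (and all inbound traffic to 65.43.x.x) still uses this one.
static (DMZ1,outside) 65.43.x.x 10.0.0.3 netmask 255.255.255.255

! 5. The crypto ACL for the site-to-site tunnel must reference the translated
!    address, because the ASA applies NAT before matching the crypto map.
!    (VENDOR-VPN is a made-up name; attach it to the existing crypto map entry.)
access-list VENDOR-VPN extended permit ip host 172.28.9.42 172.27.255.0 255.255.255.0

! 6. Existing translations for the server are not re-evaluated until cleared.
clear xlate local 10.0.0.3

! Verification, DMZ -> vendor: the NAT phase of the trace should show the
! policy static, i.e. source translated to 172.28.9.42, not 65.43.x.x.
packet-tracer input DMZ1 tcp 10.0.0.3 1024 172.27.255.10 443

! Verification, vendor -> server: a decrypted packet arriving on outside for
! 172.28.9.42 should be untranslated to 10.0.0.3 by the same policy static.
packet-tracer input outside tcp 172.27.255.10 1024 172.28.9.42 443

! Confirm both translations are present after a test connection in each direction.
show xlate
```

Two caveats worth checking on a real box. First, the reverse direction only works for vendor sources inside 172.27.255.0/24; a packet to 172.28.9.42 from any other source finds no matching static and is dropped, which is the least-privilege behaviour you want here. Second, on 8.2 the interface ACL on outside is evaluated against the translated (mapped) address, so if `sysopt connection permit-vpn` has been disabled, the outside ACL must explicitly permit 172.27.255.0/24 to host 172.28.9.42 and only the ports the vendor needs; with the default `sysopt connection permit-vpn` in effect, decrypted tunnel traffic bypasses that ACL and the policy NAT ACL plus the vendor's crypto ACL become the effective filter.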