01-22-2013 08:59 AM
I have an ASA 5510 (8.2(5)) and I am trying to set up a site-to-site VPN to one of our vendors. The problem that I am running into is that they want me to NAT a specific private IP address to one of our servers, and that server already has a static NAT from the outside to a DMZ. This is the current NAT rule:
static (DMZ1,outside) 65.43.x.x 10.0.0.3 netmask 255.255.255.255
and they want me to map 172.28.9.42 to the same server so I tried to add:
static (DMZ1,outside) 172.28.9.42 10.0.0.3 netmask 255.255.255.255
but cannot because it says that it is a duplicate translation.
Any help would be greatly appreciated.
01-22-2013 09:05 AM
Hi,
It would seem to me that you have to configure a Static Policy NAT
The configurations would be the following
access-list DMZ-POLICY-NAT permit ip host 10.0.0.3 172.27.255.0 255.255.255.0
static (DMZ1,outside) 172.28.9.42 access-list DMZ-POLICY-NAT
Regarding the configurations
Notice that you will have to have this NAT configuration before the actual Public IP address Static NAT command. So you might have to remove the existing Static NAT, configure the above one and then add the original one.
This is because if you don't configure the Static Policy NAT first in the configuration, all traffic will keep hitting the normal Static NAT rule for the public IP address.
- Jouni
01-22-2013 09:25 AM
Thank you very much, that makes sense. Does this policy work reflexively? For instance the DMZ-POLICY-NAT ACL is looking for traffic originating from 10.0.0.3 and destined for 172.27.255.x (that is the destination network), but if they send traffic to 172.28.9.42 will it pick up the NAT translation or should I add:
access-list DMZ-POLICY-NAT permit ip 172.27.255.0 255.255.255.0 host 10.0.0.3
01-22-2013 09:30 AM
Hi,
The single Static Policy NAT configuration I mentioned in the previous post should to my understanding work both ways. So both ends can initiate the connection.
You shouldn't need any additional NAT configurations
Please rate and mark the question as answered if correct.
- Jouni
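The following is an added worked example, not configuration posted by anyone in the thread: it puts the ordering step from the first answer and the bidirectional behaviour from the second into one 8.2(5) command sequence, with verification. The vendor destination network 172.27.255.0/24 is taken from the follow-up question; the crypto ACL name VPN-VENDOR, the source ports and the remote hosts used in packet-tracer are assumptions for illustration, and 65.43.x.x is kept as written on the page.

```text
! Added example (not from the thread). Names and hosts marked below are assumed.
!
! 1. Remove the existing one-to-one static so the policy static can be entered
!    ahead of it. ASA 8.2 evaluates static translations in configuration order,
!    first match wins, so the more specific policy static must come first.
no static (DMZ1,outside) 65.43.x.x 10.0.0.3 netmask 255.255.255.255
!
! 2. Policy static: only 10.0.0.3 talking to 172.27.255.0/24 becomes 172.28.9.42.
!    The ACL needs both source and destination; an entry with no destination
!    is rejected by the ASA parser.
access-list DMZ-POLICY-NAT permit ip host 10.0.0.3 172.27.255.0 255.255.255.0
static (DMZ1,outside) 172.28.9.42 access-list DMZ-POLICY-NAT
!
! 3. Re-add the original public static. Everything that does not match the
!    policy ACL (e.g. Internet traffic) still falls through to this rule.
static (DMZ1,outside) 65.43.x.x 10.0.0.3 netmask 255.255.255.255
!
! 4. The tunnel's crypto ACL must match the translated address, not 10.0.0.3:
!    on outbound traffic NAT is applied before the crypto map is consulted.
!    (VPN-VENDOR is an assumed name for the crypto ACL used by the vendor peer.)
access-list VPN-VENDOR permit ip host 172.28.9.42 172.27.255.0 255.255.255.0
!
! 5. Verify which rule each direction hits. 172.27.255.10 is an assumed vendor
!    host; 198.51.100.10 is an assumed Internet host. The first two traces should
!    show the policy static (outbound translate and inbound untranslate of
!    172.28.9.42), the third should show the 65.43.x.x static.
packet-tracer input DMZ1 tcp 10.0.0.3 1025 172.27.255.10 443
packet-tracer input outside tcp 172.27.255.10 1025 172.28.9.42 443
packet-tracer input DMZ1 tcp 10.0.0.3 1025 198.51.100.10 443
show xlate
```

The second packet-tracer line is the practical check for the reflexive question above: because a static policy NAT is bidirectional, a connection initiated by the vendor toward 172.28.9.42 is untranslated to 10.0.0.3 without any additional reverse ACL entry. If the policy static ends up listed after the public static in `show run static`, the first trace will report the 65.43.x.x translation instead, which is the symptom the ordering note in the answer describes.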