NCXTech
Cisco ASA 8.0(4) NAT over VPN
I need to NAT some internal IPs over a Point to Point VPN with Policy NAT.
It's working, but I want to be sure it's correct, since the ASDM gives me an INFO Message every time I make a change now about overlapping static NAT entries.
I am NATting internal IP X to another internal IP Y when going to internal IP Z over the VPN (static policy NAT).
I am also NATting internal IP X to public IP A when going to the internet (static NAT).
I would assume that since the first rule has a specific destination, and the second rule does not it would be ok, but the NOTE about overlapping subnets is disturbing.
Here is the Message:
[INFO] static static (X51-dmz,public) 73.208.145.24 10.10.51.124 netmask 255.255.255.255 dns tcp 0 0 udp 0
overlap with existing static
X51-dmz: 10.10.51.124 to public:192.168.99.124 netmask 255.255.255.255
Here are the relevant parts of the config (with IPs changed).
access-list X51-dmz_nat_static extended permit ip host 10.10.51.32 host 10.1.2.5
access-list X51-dmz_nat_static_3 extended permit ip host 10.10.51.124 host 10.1.2.5
access-list X51-dmz_nat_static_2 extended permit ip host 10.10.51.34 host 10.1.2.5
access-list X51-dmz_nat_static_1 extended permit ip host 10.10.51.33 host 10.1.2.5
static (X51-dmz,public) 73.208.144.32 10.10.51.32 netmask 255.255.255.255 dns
static (X51-dmz,public) 192.168.99.32 access-list X51-dmx_nat_static
static (X51-dmz,public) 73.208.144.33 10.10.51.33 netmask 255.255.255.255 dns
static (X51-dmz,public) 192.168.99.33 access-list X51-dmx_nat_static_1
static (X51-dmz,public) 73.208.144.34 10.10.51.34 netmask 255.255.255.255 dns
static (X51-dmz,public) 192.168.99.34 access-list X51-dmx_nat_static_2
static (X51-dmz,public) 73.208.145.24 10.10.51.124 netmask 255.255.255.255 dns
static (X51-dmz,public) 192.168.99.124 access-list X51-dmx_nat_static_3
crypto map public_map 21 match address public_21_cryptomap
crypto map public_map 21 set peer 77.194.193.2
crypto map public_map 21 set transform-set ESP-3DES-SHA
crypto map public_map 21 set security-association lifetime seconds 28800
crypto map public_map 21 set security-association lifetime kilobytes 4608000
access-list public_21_cryptomap extended permit ip object-group DM_INLINE_NETWORK_42 object-group DM_INLINE_NETWORK_47
object-group network DM_INLINE_NETWORK_42
network-object host 192.168.99.32
network-object host 192.168.99.124
network-object host 192.168.99.33
network-object host 192.168.99.34
object-group network DM_INLINE_NETWORK_47
network-object host 10.1.2.5
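The INFO message is the ASA reporting that two static rules claim the same real host (10.10.51.124 on X51-dmz towards public) but hand out different mapped addresses. The following Python script is an added example, not part of the original question or of any Cisco tool: it parses pre-8.3 style `static` and `access-list` lines into rules, reproduces that overlap check offline, and reports which rules match a given source/destination pair. The sample config is constructed and modelled on the posted one; the `expected_translation` function encodes the asker's own assumption that the destination-specific policy static wins over the regular static, which is an assumption to verify on the box rather than documented ASA ordering.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the posted config (IPs were already changed by the poster).
SAMPLE_CONFIG = """
access-list X51-dmz_nat_static extended permit ip host 10.10.51.32 host 10.1.2.5
access-list X51-dmz_nat_static_3 extended permit ip host 10.10.51.124 host 10.1.2.5
static (X51-dmz,public) 73.208.144.32 10.10.51.32 netmask 255.255.255.255 dns
static (X51-dmz,public) 192.168.99.32 access-list X51-dmz_nat_static
static (X51-dmz,public) 73.208.145.24 10.10.51.124 netmask 255.255.255.255 dns
static (X51-dmz,public) 192.168.99.124 access-list X51-dmz_nat_static_3
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip host (\S+) host (\S+)$")
POLICY_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)$")
REGULAR_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


@dataclass(frozen=True)
class StaticRule:
    line: int
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    dst: Optional[str]  # None for a regular static, i.e. any destination
    kind: str           # "regular" or "policy"


def parse_config(text: str) -> List[StaticRule]:
    """Two passes: collect host-to-host ACL entries first, then expand each static into rules.
    Only host statics (netmask /32) and single-host ACL entries are modelled (a simplification)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    acls = {}
    for ln in lines:
        m = ACL_RE.match(ln)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    rules = []
    for n, ln in enumerate(lines, 1):
        m = POLICY_RE.match(ln)
        if m:
            real_if, mapped_if, mapped, acl = m.groups()
            if acl not in acls:
                raise ValueError(f"line {n}: static references undefined access-list {acl}")
            for src, dst in acls[acl]:
                rules.append(StaticRule(n, real_if, mapped_if, mapped, src, dst, "policy"))
            continue
        m = REGULAR_RE.match(ln)
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            if mask != "255.255.255.255":
                raise ValueError(f"line {n}: only host (/32) statics are modelled here")
            rules.append(StaticRule(n, real_if, mapped_if, mapped, real, None, "regular"))
    return rules


def matching_rules(rules: List[StaticRule], src: str, dst: str) -> List[StaticRule]:
    """All statics whose real address is src and whose destination (if any) is dst."""
    return [r for r in rules if r.real == src and r.dst in (None, dst)]


def find_overlaps(rules: List[StaticRule]) -> List[Tuple[StaticRule, StaticRule]]:
    """Pairs of statics on the same interface pair that map one real host to different
    mapped addresses; this is the condition the ASDM INFO message reports."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            same_host = (a.real_if, a.mapped_if, a.real) == (b.real_if, b.mapped_if, b.real)
            if same_host and a.mapped != b.mapped:
                found.append((a, b))
    return found


def expected_translation(rules: List[StaticRule], src: str, dst: str) -> Optional[str]:
    """Mapped address under the asker's assumption that a destination-specific (policy)
    match beats a regular static; ties fall back to configuration order. This is an
    assumption about the intended design, not a statement of how the ASA orders statics."""
    hits = matching_rules(rules, src, dst)
    if not hits:
        return None
    hits.sort(key=lambda r: (r.kind != "policy", r.line))
    return hits[0].mapped


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for a, b in find_overlaps(parsed):
        print(f"overlap: line {a.line} ({a.kind}) and line {b.line} ({b.kind}) both translate {a.real}")
    for flow in [("10.10.51.124", "10.1.2.5"), ("10.10.51.124", "203.0.113.7")]:
        print(flow, "->", expected_translation(parsed, *flow))
```

Run it as a pre-change sanity check: if a host shows up in `find_overlaps` that is not meant to have both a VPN-facing and an internet-facing identity, the INFO message is pointing at a real mistake rather than at the intended design. The only authoritative answer on which static the ASA picks for a given flow is the box itself, for example `packet-tracer input X51-dmz tcp 10.10.51.124 1025 10.1.2.5 80`, whose NAT phase names the rule that was applied.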