• Status: Solved

Cisco ASA 8.0(4) NAT over VPN

I need to NAT some internal IPs over a point-to-point VPN with policy NAT.
It's working, but I want to be sure it's correct, since the ASDM now gives me an INFO message about overlapping static NAT entries every time I make a change.

I am NATing internal IP X to another internal IP Y when going to internal IP Z over the VPN (static policy NAT).
I am also NATing internal IP X to public IP A when going to the internet (static NAT).

I would assume that since the first rule has a specific destination and the second rule does not, it would be OK, but the note about overlapping subnets is disturbing.

Here is the Message:
[INFO] static static (X51-dmz,public) netmask dns tcp 0 0 udp 0
       overlap with existing static
  X51-dmz: to public: netmask

Here are the relevant parts of the config (with IPs changed).

access-list X51-dmz_nat_static extended permit ip host host
access-list X51-dmz_nat_static_3 extended permit ip host host
access-list X51-dmz_nat_static_2 extended permit ip host host
access-list X51-dmz_nat_static_1 extended permit ip host host

static (X51-dmz,public) netmask dns
static (X51-dmz,public)  access-list X51-dmz_nat_static

static (X51-dmz,public) netmask dns
static (X51-dmz,public)  access-list X51-dmz_nat_static_1

static (X51-dmz,public) netmask dns
static (X51-dmz,public)  access-list X51-dmz_nat_static_2

static (X51-dmz,public) netmask dns
static (X51-dmz,public)  access-list X51-dmz_nat_static_3

crypto map public_map 21 match address public_21_cryptomap
crypto map public_map 21 set peer
crypto map public_map 21 set transform-set ESP-3DES-SHA
crypto map public_map 21 set security-association lifetime seconds 28800
crypto map public_map 21 set security-association lifetime kilobytes 4608000

access-list public_21_cryptomap extended permit ip object-group DM_INLINE_NETWORK_42 object-group DM_INLINE_NETWORK_47

object-group network DM_INLINE_NETWORK_42
 network-object host
 network-object host
 network-object host
 network-object host

object-group network DM_INLINE_NETWORK_47
 network-object host
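The overlap warning is about the same real address X appearing in two static rules; whether that is harmless depends on which rule the ASA evaluates first for a given flow. The model below is an added example (not the poster's config and not Cisco's implementation): it assumes a plain first-match walk over the statics as listed, uses constructed placeholder addresses for the redacted X, Y, Z and A, and shows that the two orderings give different results for the VPN flow. Confirm the real behaviour on the box with packet-tracer and show xlate rather than relying on the model.

```python
# Toy model of pre-8.3 ASA "static" rule selection (added example, not the
# poster's config and not Cisco code). The first-match-in-listed-order walk
# is an assumption; addresses are constructed stand-ins for X, Y, Z and A.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class StaticRule:
    name: str
    real: IPv4Address            # inside host being translated
    mapped: IPv4Address          # address it is translated to
    dst: Optional[IPv4Network]   # policy static: destination from the ACL; None = regular static


def translate(rules, src, dst):
    """Walk the rules in listed order and return (rule name, mapped source) for
    the first rule whose real address and (if policy) destination both match."""
    for r in rules:
        if src == r.real and (r.dst is None or dst in r.dst):
            return r.name, r.mapped
    return None, src   # no static applies: source left untranslated


# Constructed placeholders for the redacted addresses in the question.
X = IPv4Address("10.51.0.10")       # real inside host
Y = IPv4Address("10.200.0.10")      # what X should look like to Z over the VPN
Z = IPv4Address("10.77.0.5")        # remote VPN host
A = IPv4Address("203.0.113.10")     # public address X should use for the internet
INTERNET_HOST = IPv4Address("198.51.100.20")

policy = StaticRule("policy static: X->Y when destination is Z", X, Y, IPv4Network(f"{Z}/32"))
regular = StaticRule("regular static: X->A for any destination", X, A, None)


def check(order):
    """Return (mapped address toward Z, mapped address toward the internet)
    for the given rule order, so the two orderings can be compared."""
    _, to_vpn = translate(order, X, Z)
    _, to_internet = translate(order, X, INTERNET_HOST)
    return to_vpn, to_internet


if __name__ == "__main__":
    print("policy first :", check([policy, regular]))   # VPN flow gets Y, internet gets A
    print("regular first:", check([regular, policy]))   # regular rule shadows the policy: both get A
```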
1 Solution
NCXTechAuthor Commented:
Guess there are no answers... Anyway, this has been working just fine.