WARNING: mapped-address conflict with existing static


dialerstring

Technical User
Nov 7, 2008
Want to say thanks in advance - thanks.

I'm trying to allow access from my guest network (inside-guest) to particular servers on my inside network. The guest network is using a 192.168 network.

I'm getting the error below.

--Config already in place---
static (inside,outside) x.X.X.4 10.1.20.22 netmask 255.255.255.255
static (inside,outside) tcp x.X.X.6 255.255.255.255
static (inside,outside) tcp X.X.X.6 https 10.1.22.1 https netmask 255.255.255.255

--Config I want to add---
static (inside-guest,outside) tcp X.X.X.4 255.255.255.255
static (inside-guest,outside) tcp X.X.X.6 255.255.255.255
static (inside-guest,outside) tcp X.X.X.6 https 10.1.22.1 https netmask 255.255.255.255

WARNING: mapped-address conflict with existing static
inside:10.1.20.22 to outside:X.X.X.4 netmask 255.255.255.255

From my understanding you can't have two static entries for the same IP address and port numbers.
What would be another solution around this? Maybe creating an object-group that allows only the ports I need and applying it to the inside-guest interface? Hmmm

CCNA
Network Admin
 
Assuming that your inside-guest is on an internal range such as 10.*, 172.16.* or 192.168.*, you wouldn't need a NAT statement. You will most likely have to have a NAT exemption.

Then just add the firewall rules to allow those ports.

 
dialer, some things in your post are confusing to me. You say that you want hosts in your guest network to access some hosts on your inside network, but under your --Config I want to add-- you specify inside-guest and outside, not inside. Is it a typo? Do you want to allow all machines on the inside-guest network access to those particular machines on your inside, or just a few?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I still want the inside-guest network to access the Internet but also access some resources on my inside network.

I have a nat (inside) 0 access-list 92 command that points to the inside-guest network.

nat (inside) 0 access-list 92
access-list 92 permit ip 192.168.100.0 255.255.255.0 any

nat (inside-guest) 1 192.168.100.0 255.255.255.0
global (outside) 1 X.X.X.X

I already have the exemption on the inside interface - but does this mean that traffic not NATted from 192.168.100.0 can access the inside interface based on the ACL that is pointing to the inside interface?

The NAT exemptions are killing me.

CCNA
Network Admin
 
What security level is your inside-guest interface?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Security level is 50 for inside-guest, outside is 0 and inside is 100

CCNA
Network Admin
 
dialer, I apologize but I'm still a little confused by the chain of postings here. Let's work with an example. Say your inside network is on 192.168.101.x/24 and your inside-guest is on 192.168.100.x/24. You have two servers on the inside that are running web and FTP services that you want hosts on the inside-guest network to access; the addresses are 192.168.101.10 and 192.168.101.11 respectively. There are basically two ways to do this:
1) Create an ACL to allow this traffic and apply it inbound on the inside-guest interface:
Code:
access-list inside_guest_access_in extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.101.10 eq www
access-list inside_guest_access_in extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.101.11 eq ftp

access-group inside_guest_access_in in interface inside-guest
Now configure either NAT Exemption or Static Identity NAT. First is NAT exemption:
Code:
access-list nonat_inside_guest permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat_inside permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0

nat (inside) 0 access-list nonat_inside
nat (inside-guest) 0 access-list nonat_inside_guest
The alternative is Static Identity NAT:
Code:
static (inside,inside-guest) 192.168.101.0 192.168.101.0 netmask 255.255.255.0
static (inside-guest,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
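The warning in the first post comes from two statics claiming the same mapped address on the same mapped interface, which is also why the identity statics above (mapped on inside-guest, not outside) do not collide with the existing outside statics. As an added example that is not from the thread, the checker below parses ASA 8.2-style static lines and reports a clash in the ASA's own wording; 203.0.113.x and 192.168.100.10 are constructed stand-ins for the masked addresses in the original post.

```python
import ipaddress
from typing import NamedTuple, Optional
class Static(NamedTuple):
    real_if: str
    mapped_if: str
    proto: Optional[str]           # None = whole-address static, else "tcp"/"udp"
    mapped: ipaddress.IPv4Network  # mapped address (or range) on mapped_if
    mapped_port: Optional[str]
    real_ip: str

def parse_static(line):
    """static (real_if,mapped_if) [tcp|udp] mapped_ip [mport] real_ip [rport] [netmask m]"""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static" or "," not in tok[1]:
        raise ValueError(f"not a static line: {line!r}")
    real_if, mapped_if = tok[1].strip("()").split(",")
    mask = tok[-1] if tok[-2] == "netmask" else "255.255.255.255"
    args = tok[2:-2] if tok[-2] == "netmask" else tok[2:]
    proto = args[0] if args and args[0] in ("tcp", "udp") else None
    args = args[1:] if proto else args
    if len(args) != (4 if proto else 2):   # rejects truncated lines like the ones pasted in the post
        raise ValueError(f"malformed static: {line!r}")
    net = ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)
    return Static(real_if, mapped_if, proto, net,
                  args[1] if proto else None, args[2] if proto else args[1])

def conflicts(a, b):
    """Same mapped interface and overlapping mapped space clash, except two port statics on different ports."""
    if a.mapped_if != b.mapped_if or not a.mapped.overlaps(b.mapped):
        return False
    if a.proto is None or b.proto is None:   # a whole-address static owns every port
        return True
    return (a.proto, a.mapped_port) == (b.proto, b.mapped_port)

def check(existing, proposed):
    """Warnings, in the ASA's wording, for proposed lines that clash with existing or earlier accepted ones."""
    have, out = [parse_static(l) for l in existing], []
    for new in map(parse_static, proposed):
        clash = next((o for o in have if conflicts(o, new)), None)
        if clash is None:
            have.append(new)   # accepted, so later lines are checked against it too
        else:
            out.append("WARNING: mapped-address conflict with existing static "
                       f"{clash.real_if}:{clash.real_ip} to {clash.mapped_if}:{clash.mapped[0]}")
    return out

# Constructed sample; 203.0.113.x stands in for the masked X.X.X.x in the thread.
EXISTING = ["static (inside,outside) 203.0.113.4 10.1.20.22 netmask 255.255.255.255",
            "static (inside,outside) tcp 203.0.113.6 https 10.1.22.1 https netmask 255.255.255.255"]
PROPOSED = ["static (inside-guest,outside) tcp 203.0.113.4 www 192.168.100.10 www netmask 255.255.255.255",
            "static (inside-guest,outside) tcp 203.0.113.6 ftp 192.168.100.10 ftp netmask 255.255.255.255"]
```

Running `check(EXISTING, PROPOSED)` flags only the first proposed line: the whole-address static for .4 already owns every port, while the ftp port static on .6 coexists with the existing https one.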
 
I was looking at the static example that you posted and after reading about NAT exemption, it does the exact same thing that nat 0 does, which is exactly what I needed. I have one question - why did you create the following statement?:

nat (inside) 0 access-list nonat_inside

Does this statement permit the un-NATted traffic from .100.X to access resources at .101.X, or is it vice versa?

I will try this tomorrow and I will let you know how it goes, and thanks for your post and answers.


CCNA
Network Admin
 
Unclerico,

I just tried the Static Identity NAT in my lab and it worked. I want to say thanks to everyone that posted and thanks for your help Unclerico.

CCNA
Network Admin
 
No problem dialer. That's what we're here for.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 