Troubleshooting Guide for the Cisco ASA 5505 Adaptive Security Appliance

Conventions
For more information on document conventions, refer to Cisco Technical Tips Conventions.
Problem
As the error message suggests, if the mapped address range in a static NAT statement includes the "standby"
IP address assigned to the mapped interface, the NAT command is rejected. This behavior has always existed
for static port redirection, but with version 8.4(4) it was introduced for static one-to-one NAT statements as
well, as a fix for Cisco bug ID CSCtw82147 (registered customers only).
This bug was filed because prior to 8.4(4) the ASA allowed users to configure the mapped address in a static
NAT configuration to be the same as the standby IP address assigned to the mapped interface. For example,
look at this snippet of configuration from an ASA:
ciscoasa(config)# show run int e0/0
!
interface Ethernet0/0
 nameif vm
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ciscoasa(config)# show run nat
!
object network obj-10.76.76.160
 nat (tftp,vm) static 192.168.1.2
Even though the command is accepted, this NAT configuration will never work by design. As a result,
beginning with 8.4(4), the ASA does not allow such a NAT rule to be configured in the first place.
This has resulted in another unforeseen problem. For example, consider the scenario where the user has a
VPN tunnel terminating on the ASA and wants to allow the "inside" subnet to be able to talk to the remote
VPN subnet.
Among other commands required for configuring the VPN tunnel, one of the more important configurations is
to ensure that the traffic between the VPN subnets does not get NATed. This is implemented with 8.3 and
above using a Manual/Twice NAT command of this format:
interface Ethernet0/0
 nameif inside
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
object network obj-192.168.1.0
 description Inside subnet
 subnet 192.168.1.0 255.255.255.0
object network obj-10.10.10.0
 description Remote VPN subnet
 subnet 10.10.10.0 255.255.255.0
!
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination
   static obj-10.10.10.0 obj-10.10.10.0
!
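The check the ASA performs from 8.4(4) onward can be run ahead of an upgrade against a saved running-config, so that rules which will be rejected (both the object NAT in the first snippet and the identity twice NAT in the second) are found before the upgrade rather than at boot. The following script is an added example written for this note; it is not Cisco code and not part of the original document. It parses `interface` blocks for `nameif` and the `standby` address, resolves `object network` host/subnet definitions, and flags any static object NAT or manual/twice NAT whose mapped range contains the standby address of the mapped interface. Two assumptions of this example: a mapped interface of `any` is compared against the standby address of every interface, and the sample config is constructed from the snippets above (the second interface and the `obj-safe` object are invented as a negative case).

```python
import ipaddress
import re

# Constructed sample running-config modelled on the snippets in the tech note
# (not a capture from a real device).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif vm
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Ethernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
object network obj-10.76.76.160
 host 10.76.76.160
 nat (tftp,vm) static 192.168.1.2
object network obj-safe
 host 10.76.76.161
 nat (tftp,vm) static 192.168.1.50
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.10.10.0 obj-10.10.10.0
"""

NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
STANDBY_RE = re.compile(r"^\s+ip address\s+\S+\s+\S+\s+standby\s+(\S+)")
OBJECT_RE = re.compile(r"^object network\s+(\S+)")
HOST_RE = re.compile(r"^\s+host\s+(\S+)")
SUBNET_RE = re.compile(r"^\s+subnet\s+(\S+)\s+(\S+)")
OBJ_NAT_RE = re.compile(r"^\s+nat\s+\(([^,]+),([^)]+)\)\s+static\s+(\S+)")
TWICE_NAT_RE = re.compile(r"^nat\s+\(([^,]+),([^)]+)\)\s+source\s+static\s+(\S+)\s+(\S+)")


def parse_config(text):
    """Return (standby_by_nameif, objects, rules); a rule is (text, mapped interface, mapped side)."""
    standby_by_nameif, objects, rules = {}, {}, []
    iface = obj_name = None  # open "interface" block dict / open "object network" name

    def close_iface():
        if iface and iface["nameif"] and iface["standby"]:
            standby_by_nameif[iface["nameif"]] = ipaddress.IPv4Address(iface["standby"])

    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line[0].isspace():  # top-level command: any open block ends here
            close_iface()
            iface = obj_name = None
            if line.startswith("interface "):
                iface = {"nameif": None, "standby": None}
            elif m := OBJECT_RE.match(line):
                obj_name = m.group(1)
            elif m := TWICE_NAT_RE.match(line):  # manual/twice NAT: mapped source is the 2nd object
                rules.append((line, m.group(2), m.group(4)))
            continue
        if iface is not None:
            if m := NAMEIF_RE.match(line):
                iface["nameif"] = m.group(1)
            elif m := STANDBY_RE.match(line):
                iface["standby"] = m.group(1)
        elif obj_name is not None:
            if m := HOST_RE.match(line):
                objects[obj_name] = ipaddress.IPv4Network(m.group(1) + "/32")
            elif m := SUBNET_RE.match(line):
                objects[obj_name] = ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)
            elif m := OBJ_NAT_RE.match(line):  # object NAT: mapped address or object follows "static"
                rules.append((f"object network {obj_name}: {line.strip()}", m.group(2), m.group(3)))
    close_iface()
    return standby_by_nameif, objects, rules


def mapped_network(mapped, objects):
    """Resolve the mapped side to a network; None for keywords such as 'interface' or unknown objects."""
    if mapped in objects:
        return objects[mapped]
    try:
        return ipaddress.IPv4Network(mapped + "/32")
    except ValueError:
        return None


def find_standby_overlaps(text):
    """List (rule, standby address, nameif) for static rules whose mapped range contains a standby IP."""
    standby_by_nameif, objects, rules = parse_config(text)
    findings = []
    for rule, mapped_if, mapped in rules:
        net = mapped_network(mapped, objects)
        if net is None:
            continue
        # Assumption of this example: "any" is checked against every interface's standby address.
        candidates = (standby_by_nameif.items() if mapped_if == "any"
                      else [(mapped_if, standby_by_nameif.get(mapped_if))])
        for nameif, standby in candidates:
            if standby is not None and standby in net:
                findings.append((rule, str(standby), nameif))
    return findings


if __name__ == "__main__":
    for rule, standby, nameif in find_standby_overlaps(SAMPLE_CONFIG):
        print(f"rejected on 8.4(4)+: {rule}  [mapped range contains standby {standby} of {nameif}]")
```

Run against the constructed config, the script reports the `nat (tftp,vm) static 192.168.1.2` object rule and the `nat (inside,any) source static` identity rule, because 192.168.1.0/24 contains the standby address 192.168.1.2 of interface `vm`; the `obj-safe` rule mapping to 192.168.1.50 is left alone. Rules whose mapped side is the `interface` keyword, a range, or a dynamic pool are skipped rather than guessed at.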