
NATing the Broadcast IP

haithamnofal
Level 3

Hi There,

If I did the following configuration:

static (inside,dmz) 10.1.1.255 10.1.1.255 net 255.255.255.255

Where 10.1.1.0/24 is my inside network and I configured an access-list allowing all the traffic from the DMZ to the inside network. Will the ASA pass traffic destined to the broadcast IP?

Regards,

Haitham

3 Replies

joshua.walton
Level 1

Starting with PIX 5.2, the firewall no longer uses network addresses or broadcast addresses in static and global command statements when creating NAT xlate translations. Broadcast addresses are those addresses with the bit pattern of all ones, when the network mask is applied. Network addresses are those addresses with the bit pattern of all zeros, when the network mask is applied.

For example:

global 1 10.1.0.0-10.1.255.255 netmask 255.255.255.0.

With this command, the network addresses 10.1.0.0, 10.1.1.0, 10.1.2.0, and so forth through 10.1.255.0, are excluded. In addition, the broadcast addresses 10.1.0.255, 10.1.1.255, 10.1.2.255, and so forth through 10.1.255.255, are excluded.

Please rate if you are satisfied.

Cheers!
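The all-zeros / all-ones host-bit rule from the reply above, applied to its example range and to the address from the original question. This is an added example, not part of the thread and not Cisco code; the function names `classify` and `excluded_in_range` are made up for illustration. It assumes a contiguous netmask and only evaluates the bit rule, it does not model what the firewall does with a given statement.

```python
import ipaddress

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def classify(addr: str, netmask: str) -> str:
    """Apply the reply's rule: host bits all zeros = network, all ones = broadcast."""
    host_mask = ~_to_int(netmask) & 0xFFFFFFFF   # bits NOT covered by the mask
    if host_mask == 0:
        # 255.255.255.255 leaves no host bits, so the rule has nothing to test.
        return "no-host-bits"
    host_bits = _to_int(addr) & host_mask
    if host_bits == 0:
        return "network"
    if host_bits == host_mask:
        return "broadcast"
    return "host"

def excluded_in_range(first: str, last: str, netmask: str):
    """List the network and broadcast addresses that fall inside [first, last]."""
    lo, hi, mask = _to_int(first), _to_int(last), _to_int(netmask)
    host_mask = ~mask & 0xFFFFFFFF
    nets, bcasts = [], []
    if host_mask == 0:
        return nets, bcasts
    base = lo & mask                      # start of the subnet containing `first`
    while base <= hi:
        if base >= lo:
            nets.append(str(ipaddress.IPv4Address(base)))
        top = base | host_mask            # all-ones host part of this subnet
        if top <= hi:
            bcasts.append(str(ipaddress.IPv4Address(top)))
        base += host_mask + 1             # next subnet
    return nets, bcasts

if __name__ == "__main__":
    # Range and mask from the reply's "global" example.
    nets, bcasts = excluded_in_range("10.1.0.0", "10.1.255.255", "255.255.255.0")
    print(len(nets), nets[0], nets[-1])
    print(len(bcasts), bcasts[0], bcasts[-1])
    # Address from the question, under the inside /24 mask and under the /32 mask.
    print(classify("10.1.1.255", "255.255.255.0"))
    print(classify("10.1.1.255", "255.255.255.255"))
```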

Hi,

Ok very good, now if you explicitly put the broadcast IP in a NAT rule like the example in my previous post will the PIX still ignore it?

Regards,

Haitham
