PIX ASA NATTING (to itself)

Unanswered Question
Jan 6th, 2009

We have a 5550 ASA firewall with no natting implemented at all EXCEPT for one IP address which is being statically NATTED (eg to Our ASDM shows an already existing natting for the entire internal network ( /16) natted to itself ( /16) - obviously not doing any NAT processing. Therefore can I just remove that entry and have my single static natting in place on its own?

ray_stone Tue, 01/06/2009 - 08:05

Hi, when you put an entry of natting for a single IP address, then by default the request goes to the Internet by using the static one, and it must not use the entry that is used for the entire network, so it might be a configuration issue. I would advise verifying the conf first, or you can post your conf here and then I can also check and provide correct information.


Jon Marshall Tue, 01/06/2009 - 08:06


It depends. For example

static (inside,dmz) netmask

This would tell the PIX to present the internal addresses of 10.1.x.x to the DMZ as 10.1.x.x. If you removed this then machines in the DMZ would no longer be able to initiate connections from the DMZ to the inside.

So like I say, it depends on what access you need.


peter-net Tue, 01/06/2009 - 14:52

JON - we have 2 i/f - inside and outside. So we have this NAT statement (I just may have inherited it) - & the statement says "nat /16 to"

In other words - effectively, don't nat (?)

In which case - hey well..heck we are only interested in NATting one specific IP host and the inside and outside networks are totally different networks. So why not delete the "nat /16 to" line. I just CANNOT see what it does.

jjohnston1127 Tue, 01/06/2009 - 14:53

From the CLI run:

show run nat

show run static

show run global

That will tell you everything about NAT on the firewall.
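An added example, not part of the thread and not Cisco's code: a Python pass over `show run static` output that separates identity statics (mapped address equal to real address) from real translations and lists translations whose real address falls inside an identity range on the same interface pair, which is the situation the original question describes. It assumes the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` form; the addresses are constructed placeholders and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `show run static` output; not values from the thread.
SAMPLE = """\
static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,outside) 192.0.2.10 10.1.5.20 netmask 255.255.255.255
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    rf"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    rf"(?P<mapped>{IP})\s+(?P<real>{IP})(?:\s+netmask\s+(?P<mask>{IP}))?"
)

def classify_statics(config_text):
    """Parse address-based static lines and mark identity mappings."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # port statics, 'interface' and ACL-based forms are skipped
        mask = m["mask"] or "255.255.255.255"
        real = ipaddress.ip_network(f"{m['real']}/{mask}", strict=False)
        mapped = ipaddress.ip_network(f"{m['mapped']}/{mask}", strict=False)
        entries.append({"ifpair": (m["real_if"], m["mapped_if"]),
                        "real": real, "mapped": mapped,
                        "identity": real == mapped})
    return entries

def overlapping_translations(entries):
    """Pair each real translation with identity statics that contain it."""
    pairs = []
    for t in (e for e in entries if not e["identity"]):
        for i in (e for e in entries if e["identity"]):
            if t["ifpair"] == i["ifpair"] and t["real"].subnet_of(i["real"]):
                pairs.append((t, i))
    return pairs

if __name__ == "__main__":
    parsed = classify_statics(SAMPLE)
    for e in parsed:
        kind = "identity" if e["identity"] else "translation"
        print(f"{kind:11} {e['ifpair']} {e['real']} -> {e['mapped']}")
    for t, i in overlapping_translations(parsed):
        print(f"review: {t['real']} is also covered by identity static {i['real']}")
```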

