PIX ASA NATTING (to itself)

peter-net
Level 1

We have a 5550 ASA firewall with no NATting implemented at all EXCEPT for one IP address which is being statically NATted (e.g. 10.1.1.120 to 192.1.150.120). Our ASDM shows an already existing NAT entry for the entire internal network (10.1.0.0/16) NATted to itself (10.1.0.0/16), obviously not doing any NAT processing. Therefore, can I just remove that entry and have my single static NAT in place on its own?

5 Replies

ray_stone
Level 1

Hi, when you put in a NAT entry for a single IP address, then by default the request goes to the Internet using the static one, and it must not use the entry which is there for the entire network, so it might be a configuration issue. I would advise verifying the config first, or you can post your config here and I can also check and provide the correct information.

Thanks

Jon Marshall
Hall of Fame

Peter

It depends. For example

static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0

this would tell the PIX to present the internal addresses 10.1.x.x to the DMZ as 10.1.x.x. If you removed this, then machines in the DMZ would no longer be able to initiate connections from the DMZ to the inside.

So, like I say, it depends on what access you need.

Jon

JON - we have 2 i/f - inside and outside. So we have this NAT statement (I may just have inherited it) - & the statement says "nat 10.0.0.0 /16 to 10.0.0.0/16"

In other words - effectively, don't nat (?)

In which case - hey well... heck, we are only interested in NATting one specific IP host, and the inside and outside networks are totally different networks. So why not delete the "nat 10.0.0.0 /16 to 10.0.0.0/16" line? I just CANNOT see what it does.

From the CLI run:

show run nat

show run static

show run global

That will tell you everything about NAT on the firewall.
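An added configuration example, not taken from any post in this thread, showing in pre-8.3 ASA/PIX syntax what the two rules under discussion look like side by side (the /16 identity entry that ASDM renders as "10.1.0.0/16 to 10.1.0.0/16", and the single host static), followed by the commands above plus the one setting that decides whether the identity entry can safely go. The addresses are the ones from the question; the interface names, the nat-control state and the choice of `static` rather than `nat 0` for the identity rule are assumptions, since the thread never shows the real config.

```cisco
! --- Added example (not the original poster's configuration) ---
! Two-interface ASA, pre-8.3 NAT syntax. Interface names "inside"/"outside" assumed.
!
! Static rules are matched in configuration order, first match wins, so the
! host-specific static goes BEFORE the /16 identity static. Syntax is
!   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
!
! The one translation that actually changes an address:
! inside host 10.1.1.120 is presented on the outside as 192.1.150.120.
static (inside,outside) 192.1.150.120 10.1.1.120 netmask 255.255.255.255
!
! Identity NAT for the rest of the inside network: 10.1.0.0/16 is presented on the
! outside as 10.1.0.0/16. It rewrites nothing. What it does do is (a) give every
! inside host a NAT rule, which matters when nat-control is on, and (b) allow
! outside-initiated connections to untranslated inside addresses when an access-list
! permits them. ASDM may instead be showing a "nat (inside) 0 10.1.0.0 255.255.0.0"
! line, which is the dynamic form of the same identity rule; "show run nat" vs
! "show run static" tells you which one you actually have.
static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
!
! Whether the identity rule can be deleted hinges on this setting (assumed here
! to be the ASA default):
!   no nat-control : traffic with no matching nat/static still passes untranslated,
!                    so the identity rule is redundant and removing it is cosmetic.
!   nat-control    : any inside host without a nat/static rule is dropped, so
!                    removing the /16 rule would cut off every host except 10.1.1.120.
no nat-control
!
! Verification: confirm the nat-control state, list every NAT rule, then check the
! live translation table to see which rule 10.1.1.120 is actually hitting.
! show running-config nat-control
! show running-config static
! show running-config nat
! show running-config global
! show xlate
```

If `show running-config nat-control` comes back as `nat-control`, keep an identity rule (or switch to `no nat-control`) before deleting the /16 entry, and re-check `show xlate` afterwards to confirm 10.1.1.120 still builds its static translation.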
