ASA Static translation - will this be a problem?

Unanswered Question
Apr 9th, 2009

My DMZ is 10.45.136.0, 10.45.137.0, and 10.45.138.0.

My inside is 10.0.0.0.

Will I have a problem if I have my static nat stated as:

static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

Or will this work in translating everything correctly? I'm trying to figure out if I should create static nat for every subnet I truly do have instead of trying to combine all of them in one.

Thanks,

John

Jon Marshall Thu, 04/09/2009 - 14:07

John

From memory I think you should be fine with this. However, if it doesn't work then you could do

access-list in_to_dmz permit ip any 10.45.136.0 255.255.255.0
access-list in_to_dmz permit ip any 10.45.137.0 255.255.255.0
access-list in_to_dmz permit ip any 10.45.138.0 255.255.255.0
nat (inside) 0 access-list in_to_dmz

Jon

JamesLuther Fri, 04/10/2009 - 05:39

Hi John/John,

Both of your methods will work (I've used both before).

However, using a 10/8 static will use identity NAT, whereas nat 0 ACL will do NAT exemption. I prefer to use NAT exemption because it's a bit neater and it won't show up in "sh xlate". If you're using identity NAT you can't see the wood for the trees when trying to get a quick view of all your current NATs.

Seeing as NAT exemption bypasses NAT all together perhaps it saves on system resources too???

Regards

John Blakley Fri, 04/10/2009 - 05:45

So, is it better for me to list all of my private networks into my dmz networks to keep from having to use statics?

access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.136.0 255.255.255.0
access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.137.0 255.255.255.0
access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.138.0 255.255.255.0
access-list NONAT permit ip 172.20.0.0 255.255.0.0 10.45.135.0 255.255.255.0

etc?

I'll still need to nat 10.125.x.x and 172.x.x.x traffic to the internet, so I would need to specify what network not to nat to.

Thanks,

John

Jon Marshall Fri, 04/10/2009 - 15:12

John

You could specify all the inside networks if you wanted, or you could just use the catch-all 10.0.0.0/8 entry in your NAT exemption ACLs:

access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.45.136.0 255.255.255.0

etc...

"I'll still need to nat 10.125.x.x and 172.x.x.x traffic to the internet, so I would need to specify what network not to nat to."

Yes, that will be fine. Just set up NAT for this as you normally would, i.e.

nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface or

Jon
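The following is an added illustration, not code from this thread or from Cisco. It models in Python the rule order the replies rely on (NAT exemption via nat 0 access-list is checked before static NAT, which is checked before dynamic NAT/PAT, as on ASA software before 8.3 changed the NAT syntax), using the thread's own networks. The outside interface address 203.0.113.1 is a constructed placeholder for "global (outside) 1 interface", and the function and variable names are the example's own. Running it shows why the exemption approach leaves no xlate entries while the identity static does, what happens to 172.20.0.0/16 traffic that has no NONAT line, and that the 10/8 identity static's mapped range covers the DMZ subnets themselves, which is the overlap the original question is asking about.

```python
from ipaddress import ip_address, ip_network

# Added model of the NAT rule order the thread relies on (pre-8.3 ASA):
#   1. NAT exemption (nat 0 access-list)  -> traffic bypasses NAT, no xlate entry
#   2. static NAT (an identity static maps an address to itself, with an xlate entry)
#   3. dynamic NAT/PAT (nat (inside) 1 ... / global (outside) 1 interface)
# Networks are the ones from the thread; the outside interface address is a
# constructed placeholder from TEST-NET-3.

DMZ_NETS = [ip_network(n) for n in ("10.45.136.0/24", "10.45.137.0/24", "10.45.138.0/24")]
INSIDE_NET = ip_network("10.0.0.0/8")
OUTSIDE_IF_ADDR = ip_address("203.0.113.1")   # placeholder for "global (outside) 1 interface"

# nat (inside) 0 access-list NONAT, one entry per DMZ subnet:
#   access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.45.136.0 255.255.255.0  (etc.)
NONAT_ACL = [(INSIDE_NET, dmz) for dmz in DMZ_NETS]

# static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
IDENTITY_STATIC = {"egress": "dmz1", "real": INSIDE_NET, "mapped": INSIDE_NET}

# nat (inside) 1 10.0.0.0 255.0.0.0  +  global (outside) 1 interface
DYNAMIC_PAT = {"egress": "outside", "real": INSIDE_NET}


def egress_interface(dst):
    """Route lookup stand-in: DMZ subnets sit behind dmz1, everything else behind outside."""
    return "dmz1" if any(dst in n for n in DMZ_NETS) else "outside"


def translate(src, dst, use_exemption=True):
    """Return (mapped source, rule used) for a flow entering on inside.

    use_exemption=True  models the nat 0 access-list approach from the replies
    use_exemption=False models the 10/8 identity static from the original question
    """
    src, dst = ip_address(src), ip_address(dst)
    egress = egress_interface(dst)
    if use_exemption:
        for real, peer in NONAT_ACL:
            if src in real and dst in peer:
                return str(src), "exempt"            # nothing appears in "sh xlate"
    if egress == IDENTITY_STATIC["egress"] and src in IDENTITY_STATIC["real"]:
        return str(src), "identity-static"           # same address, but an xlate entry exists
    if egress == DYNAMIC_PAT["egress"] and src in DYNAMIC_PAT["real"]:
        return str(OUTSIDE_IF_ADDR), "pat"
    return None, "no-rule"                           # e.g. 172.20.0.0/16 with no NONAT line


def dmz_subnets_inside_mapped_range(static=IDENTITY_STATIC):
    """The overlap the original question asks about: which DMZ subnets fall
    inside the mapped range of the 10/8 identity static."""
    return [str(n) for n in DMZ_NETS if n.subnet_of(static["mapped"])]


def xlate_table(flows, use_exemption=True):
    """Entries a 'sh xlate' would list for the given flows; exempt flows leave none."""
    rows = []
    for src, dst in flows:
        mapped, rule = translate(src, dst, use_exemption)
        if rule in ("identity-static", "pat"):
            rows.append((src, mapped, rule))
    return rows


if __name__ == "__main__":
    # Constructed sample flows: inside host to DMZ, inside host to Internet,
    # and a 172.20.0.0/16 host to DMZ (no NONAT line, so no rule matches).
    flows = [("10.125.1.10", "10.45.136.5"), ("10.125.1.10", "198.51.100.20"),
             ("172.20.1.1", "10.45.136.5")]
    for src, dst in flows:
        print(src, "->", dst, translate(src, dst), translate(src, dst, use_exemption=False))
    print("xlate with exemption:  ", xlate_table(flows))
    print("xlate identity static: ", xlate_table(flows, use_exemption=False))
    print("DMZ subnets within static mapped range:", dmz_subnets_inside_mapped_range())
```

The "no-rule" result for the 172.20.1.1 flow is the point John's follow-up raises: with a 10/8 entry only, the 172.20.0.0/16 networks still need their own NONAT lines (or their own static) before they can reach the DMZ untranslated. The model does not attempt to reproduce nat-control behaviour for unmatched traffic; it only reports that no rule matched.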
