ASA Static translation - will this be a problem?

John Blakley
VIP Alumni

My DMZ is 10.45.136.0, 10.45.137.0, and 10.45.138.0.

My inside is 10.0.0.0.

Will I have a problem if I have my static nat stated as:

static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

Or will this work in translating everything correctly? I'm trying to figure out if I should create static nat for every subnet I truly do have instead of trying to combine all of them in one.

Thanks,

John

HTH, John *** Please rate all useful posts ***
4 Replies

Jon Marshall
Hall of Fame

John

From memory I think you should be fine with this. However, if it doesn't work then you could do

access-list in_to_dmz permit ip any 10.45.136.0 255.255.255.0

access-list in_to_dmz permit ip any 10.45.137.0 255.255.255.0

access-list in_to_dmz permit ip any 10.45.138.0 255.255.255.0

nat (inside) 0 access-list in_to_dmz

Jon

Hi John/John,

Both of your methods will work (I've used both before).

However, using a 10/8 static will use identity NAT, whereas nat 0 ACL will do NAT exemption. I prefer to use NAT exemption because it's a bit neater and it won't show up in "sh xlate". If you're using identity NAT you can't see the wood for the trees when trying to get a quick view of all your current NATs.

Seeing as NAT exemption bypasses NAT all together perhaps it saves on system resources too???

Regards

So, is it better for me to list all of my private networks into my dmz networks to keep from having to use statics?

access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.136.0 255.255.255.0

access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.137.0 255.255.255.0

access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.138.0 255.255.255.0

access-list NONAT permit ip 172.20.0.0 255.255.0.0 10.45.135.0 255.255.255.0

etc?

I'll still need to nat 10.125.x.x and 172.x.x.x traffic to the internet, so I would need to specify what network not to nat to.

Thanks,

John

HTH, John *** Please rate all useful posts ***

John

You could specify all the inside networks if you wanted, or you could just use the catch-all 10.0.0.0/8 entry in your NAT exemption ACLs

access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.45.136.0 255.255.255.0

etc...

"I'll still need to nat 10.125.x.x and 172.x.x.x traffic to the internet, so I would need to specify what network not to nat to."

Yes, that will be fine. Just set up NAT for this as you normally would, i.e.

nat (inside) 1 10.0.0.0 255.0.0.0

global (outside) 1 interface or

Jon
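The thread's final shape is a NAT exemption ACL (nat (inside) 0 access-list NONAT) for inside-to-DMZ flows plus a regular dynamic rule (nat (inside) 1 10.0.0.0/8 with global (outside) 1 interface) for internet-bound traffic. The following Python model is an added example, not ASA code and not from any poster; it evaluates a flow the way the pre-8.3 ASA orders NAT rules (exemption first, then static, which this model omits, then regular dynamic NAT) so the two kinds of traffic can be checked against the thread's entries. The outside interface address (203.0.113.1), the sample hosts and the helper names are constructed for the example. A 172.20.0.0/16 source is included as well, because the OP mentioned 172.x.x.x inside networks and a nat (inside) 1 rule limited to 10.0.0.0/8 does not cover them.

```python
import ipaddress

# Constructed to mirror the thread's configuration (hypothetical helper, not ASA code).
# Each NONAT entry: (source "address mask", destination "address mask"),
# i.e. access-list NONAT permit ip <src> <dst>, bound with nat (inside) 0 access-list NONAT.
NONAT_ACL = [
    ("10.0.0.0 255.0.0.0", "10.45.136.0 255.255.255.0"),
    ("10.0.0.0 255.0.0.0", "10.45.137.0 255.255.255.0"),
    ("10.0.0.0 255.0.0.0", "10.45.138.0 255.255.255.0"),
]

# nat (inside) <id> <network mask> and the matching global (outside) <id> interface
DYNAMIC_NAT = {1: "10.0.0.0 255.0.0.0"}
GLOBAL_POOL = {1: "203.0.113.1"}  # constructed: the outside interface address (TEST-NET-3)


def parse(addr_mask):
    """Turn 'address mask' (ASA ACL notation) into an ip_network."""
    addr, mask = addr_mask.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def classify(src, dst):
    """Return (decision, translated source) for a flow leaving 'inside'.

    Order of evaluation follows the pre-8.3 ASA: NAT exemption (nat 0 ACL)
    is consulted first; static rules would come next (omitted here); regular
    dynamic NAT/PAT is last. 'no-match' means no rule covered the source,
    which with nat-control enabled the ASA would not translate or forward.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl_src, acl_dst in NONAT_ACL:
        if s in parse(acl_src) and d in parse(acl_dst):
            return ("exempt", src)          # bypasses NAT, never appears in sh xlate
    for nat_id, net in DYNAMIC_NAT.items():
        if s in parse(net):
            return ("pat", GLOBAL_POOL[nat_id])  # PAT to the outside interface
    return ("no-match", None)


if __name__ == "__main__":
    for flow in [("10.125.3.4", "10.45.136.10"),   # inside host to DMZ: exempt
                 ("10.125.3.4", "198.51.100.7"),    # inside host to internet: PAT
                 ("172.20.1.1", "10.45.136.10"),    # 172.20/16 not in NONAT or nat 1
                 ("172.20.1.1", "198.51.100.7")]:
        print(flow, "->", classify(*flow))
```

Running the block shows the 10.x sources exempted on the way to the DMZ and PATed to the internet, while the 172.20.0.0/16 source matches nothing: either add 172.20.0.0/16 lines to the NONAT ACL and a matching nat (inside) 1 entry, or the flows from it will not be translated.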
