Summarization for statics?

Unanswered Question
May 15th, 2009

All,

If I have some networks:

10.125.0.0

10.126.0.0

10.127.0.0

10.128.0.0

10.129.0.0

10.130.0.0

Would it be "safe" to create statics like

static (inside,dmz1) 10.124.0.0 10.124.0.0 netmask 255.252.0.0

static (inside,dmz1) 10.128.0.0 10.128.0.0 netmask 255.252.0.0

Would this create too much processing on the ASA, or is this preferred over a line for each subnet?

Thanks,

John

Jon Marshall Fri, 05/15/2009 - 08:29

John

You should be fine either way to be honest. In fact I have seen setups where they just use 10.0.0.0/8 even though they only have a subset of this on their network because they control access by ACLs on the inside and outside interfaces.

Not recommending that though :-)

Jon

John Blakley Fri, 05/15/2009 - 08:35

Jon,

We're doing our second phase test tomorrow. I have a lot of departments involved, but I made changes since the first phase. I had the original 10.0.0.0/8 static, but we were having flaky issues, so I created statics for the particular subnet that we were on. That seemed to work fine, but I decided that even better, I would just change to nat exemption. I've got the statics configured as a backup in case the nat exemptions don't seem to work.

My nat exemption looks like:

access-list NONAT permit ip 10.125.0.0 255.255.255.0 10.45.0.0 255.255.0.0

access-list NONAT permit ip 10.128.0.0 255.255.255.0 10.45.0.0 255.255.0.0

nat (inside) 0 access-list NONAT

My inside networks are 10.125 and 10.128, but I have several others, and the dmz interfaces are 10.45.x.x.

I don't think I'll have problems with the above, but just in case I have a static list set aside.

Does it look okay to you?

John

Jon Marshall Fri, 05/15/2009 - 08:56

John

Should the NAT exemption ACL not be using a 255.252.0.0 subnet mask as in your statics, or are the actual networks 10.125.0/24 & 10.128.0/24?

Jon

John Blakley Fri, 05/15/2009 - 09:03

I'm not summarizing in the acl like I was in the static. It's currently each subnet with /16 masks to cover all of the 10.125.x.x subnets instead of trying to cover 10.125, .126, .127, etc.

Overall, does the nat exemption look like it would work? I could summarize it looks like the nat exemption config looks like it would work. :-)

Thanks!

John

Jon Marshall Fri, 05/15/2009 - 09:10

John

This is one of the most confusing conversations I've had with you :-)

You have in your ACL

access-list NONAT permit ip 10.125.0.0 255.255.255.0 10.45.0.0 255.255.0.0

but you say you are using /16 to cover all 10.125.x.x subnets.

What am I missing?

Jon

John Blakley Fri, 05/15/2009 - 09:13

LOL! Oops... it was a typo:

access-list NONAT line 1 extended permit ip Subnet_10.125.0.0 255.255.0.0 10.45.0.0 255.255.0.0 (hitcnt=0) 0xdc7faead

access-list NONAT line 2 extended permit ip Subnet_10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0 (hitcnt=0) 0xb08b2a3b

name 10.125.0.0 Subnet_10.125.0.0

name 10.126.0.0 Subnet_10.126.0.0

name 10.127.0.0 Subnet_10.127.0.0

name 10.128.0.0 Subnet_10.128.0.0

LOL! Sorry :)
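Two things in this thread are worth checking mechanically rather than by eye: whether the two summary statics from the original question (10.124.0.0/14 and 10.128.0.0/14) cover the six listed /16s and what extra address space they pull in, and whether the NONAT entries actually match the hosts they are meant to exempt (the /24 typo above versus the corrected /16). The script below is an added example, not code from the thread or from Cisco. It uses only Python's standard ipaddress module; the ACL lines and the host addresses it tests are constructed here, and the parser assumes the ASA convention that access-list entries carry real subnet masks rather than wildcard masks.

```python
import ipaddress

# Constructed from the thread: the six inside /16s listed in the question
INSIDE_NETS = [ipaddress.ip_network(f"10.{third}.0.0/16") for third in range(125, 131)]

# The two summary statics proposed in the question (255.252.0.0 is a /14)
PROPOSED_SUMMARIES = [
    ipaddress.ip_network("10.124.0.0/14"),
    ipaddress.ip_network("10.128.0.0/14"),
]

# Constructed ACL lines: the /24 typo from the thread and the corrected /16 version
NONAT_TYPO = [
    "access-list NONAT permit ip 10.125.0.0 255.255.255.0 10.45.0.0 255.255.0.0",
    "access-list NONAT permit ip 10.128.0.0 255.255.255.0 10.45.0.0 255.255.0.0",
]
NONAT_FIXED = [
    "access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.0.0 255.255.0.0",
    "access-list NONAT permit ip 10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0",
]


def minimal_summaries(nets):
    """Smallest set of prefixes that covers exactly `nets` and nothing else."""
    return sorted(ipaddress.collapse_addresses(nets))


def uncovered(nets, summaries):
    """Networks in `nets` that no summary contains (they would get no static)."""
    return [n for n in nets if not any(n.subnet_of(s) for s in summaries)]


def _exclude_many(block, nets):
    """Address space of `block` left over after removing every network in `nets`."""
    remaining = [block]
    for n in nets:
        kept = []
        for r in remaining:
            if r.subnet_of(n):          # r fully inside n (or equal to it): drop r
                continue
            if n.subnet_of(r):          # n carves a hole out of r
                kept.extend(r.address_exclude(n))
            else:                       # disjoint: keep r untouched
                kept.append(r)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def overreach(nets, summaries):
    """Address space the summaries translate that is NOT one of `nets`.
    Any host that later lands in these ranges silently inherits the static."""
    extra = []
    for s in summaries:
        extra.extend(_exclude_many(s, nets))
    return sorted(ipaddress.collapse_addresses(extra))


def parse_ace(line):
    """Parse 'access-list NAME permit PROTO SRC SMASK DST DMASK'.
    ASA access-lists take real subnet masks, not wildcard masks (assumed here)."""
    t = line.split()
    return {
        "name": t[1], "action": t[2], "proto": t[3],
        "src": ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False),
        "dst": ipaddress.ip_network(f"{t[6]}/{t[7]}", strict=False),
    }


def nonat_exempt(acl_lines, src_ip, dst_ip):
    """True if the first matching ACE permits src->dst, i.e. the flow is NAT-exempt."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if src in ace["src"] and dst in ace["dst"]:
            return ace["action"] == "permit"
    return False          # no ACE matched: the flow falls through to other NAT rules


if __name__ == "__main__":
    print("exact summaries:", [str(n) for n in minimal_summaries(INSIDE_NETS)])
    print("not covered by proposed /14s:", uncovered(INSIDE_NETS, PROPOSED_SUMMARIES))
    print("extra space the /14s would translate:",
          [str(n) for n in overreach(INSIDE_NETS, PROPOSED_SUMMARIES)])
    for label, acl in (("typo /24", NONAT_TYPO), ("fixed /16", NONAT_FIXED)):
        print(label, "exempts 10.125.3.10 -> 10.45.1.1:",
              nonat_exempt(acl, "10.125.3.10", "10.45.1.1"))
```

Run as-is, it reports that the two /14s do cover all six networks but also translate 10.124.0.0/16 and 10.131.0.0/16, which are not on the list; an exact summary needs four statics (10.125.0.0/16, 10.126.0.0/15, 10.128.0.0/15, 10.130.0.0/16) and pulls in nothing extra. It also shows that with the /24 typo a host such as 10.125.3.10 is not exempted at all, so its traffic would fall through to whatever other NAT rules exist, while the corrected /16 entries match it.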

Jon Marshall Fri, 05/15/2009 - 09:15

No problem, thought it was me.

Yes, your NAT exemption ACLs look fine.

Good luck with the change.

Jon

John Blakley Fri, 05/15/2009 - 09:17

Good :) Thanks! I'll let you know on Monday. If everything goes well Saturday, we're going to leave it in permanently.

On a side note, the expect script worked great for clearing out the sessions. I do "clear local-host" and it clears the sessions out like expected, so that definitely worked for what I needed. (I hope you remember that conversation.) :)

Thanks Jon!

John

Jon Marshall Fri, 05/15/2009 - 09:21

"On a side note, the expect script worked great for clearing out the sessions. I do "clear local-host" and it clears the sessions out like expected, so that definitely worked for what I needed. (I hope you remember that conversation.) :)"

Glad to hear it. I do remember, as I have had to do that sort of thing so many times before in different jobs.

Jon Marshall Fri, 05/15/2009 - 09:29

John

Last post missed off a load of stuff I had typed.

What I was going to say was that now you know how to automate things with Expect, it's addictive. Soon you'll be thinking of all sorts of things you can write a script for.

Word of warning though. When I was a Unix admin, one of my colleagues told a story about an admin he used to know who got so into Expect he virtually automated his entire job to the point where he barely had to turn up to work. So the company decided they didn't need him anymore.

So best not to automate too much :-)

Jon
