Summarization for statics?

May 15th, 2009

All,


If I have some networks:


10.125.0.0

10.126.0.0

10.127.0.0

10.128.0.0

10.129.0.0

10.130.0.0


Would it be "safe" to create statics like


static (inside,dmz1) 10.124.0.0 10.124.0.0 netmask 255.252.0.0

static (inside,dmz1) 10.128.0.0 10.128.0.0 netmask 255.252.0.0


Would this create too much processing on the ASA, or is this preferred over a line for each subnet?


Thanks,

John

Jon Marshall Fri, 05/15/2009 - 08:29

John


You should be fine either way to be honest. In fact I have seen setups where they just use 10.0.0.0/8 even though they only have a subset of this on their network, because they control access by ACLs on the inside and outside interfaces.


Not recommending that though :-)


Jon

John Blakley Fri, 05/15/2009 - 08:35

Jon,


We're doing our second phase test tomorrow. I have a lot of departments involved, but I made changes since the first phase. I had the original 10.0.0.0/8 static, but we were having flaky issues, so I created statics for the particular subnet that we were on. That seemed to work fine, but I decided that even better, I would just change to nat exemption. I've got the statics configured as a backup in case the nat exemptions don't seem to work.


My nat exemption looks like:


access-list NONAT permit ip 10.125.0.0 255.255.255.0 10.45.0.0 255.255.0.0

access-list NONAT permit ip 10.128.0.0 255.255.255.0 10.45.0.0 255.255.0.0


nat (inside) 0 access-list NONAT



My inside networks are 10.125 and 10.128, but I have several others, and the dmz interfaces are 10.45.x.x.


I don't think I'll have problems with the above, but just in case I have a static list set aside.


Does it look okay to you?


John

Jon Marshall Fri, 05/15/2009 - 08:56

John


Should the NAT exemption acl not be using a 255.252.0.0 subnet mask as in your statics or are the actual networks 10.125.0/24 & 10.128.0/24 ?


Jon

John Blakley Fri, 05/15/2009 - 09:03

I'm not summarizing in the acl like I was in the static. It's currently each subnet with /16 masks to cover all of the 10.125.x.x subnets instead of trying to cover 10.125, .126, .127, etc.


Overall, does the nat exemption look like it would work? I could summarize it looks like the nat exemption config looks like it would work. :-)


Thanks!

John

Jon Marshall Fri, 05/15/2009 - 09:10

John


This is one of the most confusing conversations I've had with you :-)


You have in your acl


access-list NONAT permit ip 10.125.0.0 255.255.255.0 10.45.0.0 255.255.0.0


but you say you are using /16 to cover all 10.125.x.x subnets.


What am I missing?


Jon

John Blakley Fri, 05/15/2009 - 09:13

LOL! Ooops..... it was a typo:


access-list NONAT line 1 extended permit ip Subnet_10.125.0.0 255.255.0.0 10.45.0.0 255.255.0.0 (hitcnt=0) 0xdc7faead

access-list NONAT line 2 extended permit ip Subnet_10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0 (hitcnt=0) 0xb08b2a3b


name 10.125.0.0 Subnet_10.125.0.0

name 10.126.0.0 Subnet_10.126.0.0

name 10.127.0.0 Subnet_10.127.0.0

name 10.128.0.0 Subnet_10.128.0.0



LOL! Sorry :)
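The two questions in this thread, whether the 255.252.0.0 summary statics from the opening post really cover the six listed /16s (and what else they admit), and whether the corrected NONAT entries above exempt each inside network towards the 10.45.0.0/16 DMZ, can both be checked offline. The script below is an added example, not configuration from the thread or from Cisco; the network lists are constructed from the values posted here, and the "inside" list is the full set of six /16s from the opening post even though John later says only 10.125 and 10.128 are inside at the moment.

```python
import ipaddress

# Constructed from the thread: the six inside /16s in the opening post, the
# two summary statics proposed there, and the corrected NONAT entries.
INSIDE_NETS = [f"10.{o}.0.0 255.255.0.0" for o in (125, 126, 127, 128, 129, 130)]
STATIC_SUMMARIES = ["10.124.0.0 255.252.0.0", "10.128.0.0 255.252.0.0"]
DMZ_NET = "10.45.0.0 255.255.0.0"
NONAT_ACL = [("10.125.0.0 255.255.0.0", DMZ_NET),
             ("10.128.0.0 255.255.0.0", DMZ_NET)]


def asa_net(text):
    """Parse ASA 'address mask' notation into an IPv4Network."""
    addr, mask = text.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def summary_report(nets, summaries):
    """Return (uncovered, extra): listed networks no summary covers, and the
    address space the summaries translate beyond the listed networks."""
    nets = [asa_net(n) for n in nets]
    sums = [asa_net(s) for s in summaries]
    uncovered = [str(n) for n in nets if not any(n.subnet_of(s) for s in sums)]
    extra = []
    for s in sums:
        remaining = [s]
        for n in nets:
            # Carve each covered /16 out of the summary; what is left is
            # address space the static admits that was never listed.
            remaining = [piece for r in remaining
                         for piece in (r.address_exclude(n) if n.subnet_of(r) else [r])]
        extra.extend(ipaddress.collapse_addresses(remaining))
    return uncovered, sorted(str(e) for e in extra)


def nonat_gaps(nets, acl, dmz):
    """Return listed networks with no NONAT entry towards the DMZ; traffic from
    them is handled by whatever static or dynamic NAT rule matches next."""
    dmz = asa_net(dmz)
    exempt = [asa_net(src) for src, dst in acl if dmz.subnet_of(asa_net(dst))]
    return [str(n) for n in map(asa_net, nets)
            if not any(n.subnet_of(e) for e in exempt)]


if __name__ == "__main__":
    uncovered, extra = summary_report(INSIDE_NETS, STATIC_SUMMARIES)
    print("not covered by a summary:", uncovered)
    print("extra space the summaries admit:", extra)
    print("no NAT exemption to DMZ:", nonat_gaps(INSIDE_NETS, NONAT_ACL, DMZ_NET))
```

For the posted values the summaries leave nothing uncovered but also translate 10.124.0.0/16 and 10.131.0.0/16, which is the kind of over-coverage Jon's remark about relying on interface ACLs refers to.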


Jon Marshall Fri, 05/15/2009 - 09:15

No problem, thought it was me.


Yes your NAT exemption acl's look fine.


Good luck with the change.


Jon

John Blakley Fri, 05/15/2009 - 09:17

Good :) Thanks! I'll let you know on Monday. If everything goes well Saturday, we're going to leave it in permanently.


On a side note, the expect script worked great for clearing out the sessions. I do "clear local-host" and it clears the sessions out like expected, so that definitely worked for what I needed. (I hope you remember that conversation.) :)


Thanks Jon!

John

Jon Marshall Fri, 05/15/2009 - 09:21

"On a side note, the expect script worked great for clearing out the sessions. I do "clear local-host" and it clears the sessions out like expected, so that definitely worked for what I needed. (I hope you remember that conversation.) :)"


Glad to hear it. I do remember, as I have had to do that sort of thing so many times before in different jobs.



Jon Marshall Fri, 05/15/2009 - 09:29

John


Last post missed off a load of stuff I had typed.


What I was going to say was that now you know how to automate things with Expect, it's addictive. Soon you'll be thinking of all sorts of things you can write a script for.


Word of warning though. When I was a unix admin one of my colleagues told a story about an admin he used to know who got so into Expect he virtually automated his entire job to the point where he barely had to turn up to work. So the company decided they didn't need him anymore.


So best not to automate too much :-)


Jon
