05-15-2009 08:12 AM - edited 03-11-2019 08:32 AM
All,
If I have some networks:
10.125.0.0
10.126.0.0
10.127.0.0
10.128.0.0
10.129.0.0
10.130.0.0
Would it be "safe" to create statics like
static (inside,dmz1) 10.124.0.0 10.124.0.0 netmask 255.252.0.0
static (inside,dmz1) 10.128.0.0 10.128.0.0 netmask 255.252.0.0
Would this create too much processing on the ASA, or is this preferred over a line for each subnet?
Thanks,
John
05-15-2009 08:29 AM
John
You should be fine either way to be honest. In fact I have seen setups where they just use 10.0.0.0/8 even though they only have a subset of this on their network because they control access by ACLs on the inside and outside interfaces.
Not recommending that though :-)
Jon
05-15-2009 08:35 AM
Jon,
We're doing our second phase test tomorrow. I have a lot of departments involved, but I made changes since the first phase. I had the original 10.0.0.0/8 static, but we were having flaky issues, so I created statics for the particular subnet that we were on. That seemed to work fine, but I decided that even better, I would just change to nat exemption. I've got the statics configured as a backup in case the nat exemptions don't seem to work.
My nat exemption looks like:
access-list NONAT permit ip 10.125.0.0 255.255.255.0 10.45.0.0 255.255.0.0
access-list NONAT permit ip 10.128.0.0 255.255.255.0 10.45.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
My inside networks are 10.125 and 10.128, but I have several others, and the dmz interfaces are 10.45.x.x.
I don't think I'll have problems with the above, but just in case I have a static list set aside.
Does it look okay to you?
John
05-15-2009 08:56 AM
John
Should the NAT exemption ACL not be using a 255.252.0.0 subnet mask as in your statics, or are the actual networks 10.125.0/24 & 10.128.0/24?
Jon
05-15-2009 09:03 AM
I'm not summarizing in the ACL like I was in the static. It's currently each subnet with /16 masks to cover all of the 10.125.x.x subnets instead of trying to cover 10.125, .126, .127, etc.
Overall, does the NAT exemption look like it would work? I could summarize, but it looks like the NAT exemption config would work. :-)
Thanks!
John
05-15-2009 09:10 AM
John
This is one of the most confusing conversations I've had with you :-)
You have in your ACL
access-list NONAT permit ip 10.125.0.0 255.255.255.0 10.45.0.0 255.255.0.0
but you say you are using /16 to cover all 10.125.x.x subnets.
What am I missing?
Jon
05-15-2009 09:13 AM
LOL! Oops... it was a typo:
access-list NONAT line 1 extended permit ip Subnet_10.125.0.0 255.255.0.0 10.45.0.0 255.255.0.0 (hitcnt=0) 0xdc7faead
access-list NONAT line 2 extended permit ip Subnet_10.128.0.0 255.255.0.0 10.45.0.0 255.255.0.0 (hitcnt=0) 0xb08b2a3b
name 10.125.0.0 Subnet_10.125.0.0
name 10.126.0.0 Subnet_10.126.0.0
name 10.127.0.0 Subnet_10.127.0.0
name 10.128.0.0 Subnet_10.128.0.0
LOL! Sorry :)
05-15-2009 09:15 AM
No problem, thought it was me.
Yes, your NAT exemption ACLs look fine.
Good luck with the change.
Jon
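A quick coverage check for the configuration discussed in this thread, added here as an example (not something either poster ran): it uses Python's ipaddress module to confirm that the two /14 summary statics cover the six listed networks, to show the extra address space those summaries also admit, and to list which inside networks the NONAT ACL does not exempt. Network values are taken from the posts; treating each listed network as a /16 is an assumption.

```python
# Added example, not from the thread. Checks the summary statics and the NONAT
# exemption ACL quoted above against the list of inside networks.
import ipaddress

# Inside networks John listed (assumed to be /16s, matching his /16 ACL masks).
INSIDE_NETS = [ipaddress.ip_network(f"10.{o}.0.0/16") for o in range(125, 131)]

# Summary statics: 10.124.0.0 and 10.128.0.0 with netmask 255.252.0.0 (/14).
STATICS = [ipaddress.ip_network("10.124.0.0/14"),
           ipaddress.ip_network("10.128.0.0/14")]

# NONAT ACL as finally quoted: two /16 sources to the 10.45.0.0/16 DMZ range.
NONAT = [
    (ipaddress.ip_network("10.125.0.0/16"), ipaddress.ip_network("10.45.0.0/16")),
    (ipaddress.ip_network("10.128.0.0/16"), ipaddress.ip_network("10.45.0.0/16")),
]

def uncovered(nets, summaries):
    """Networks in `nets` that no entry in `summaries` contains."""
    return [n for n in nets if not any(n.subnet_of(s) for s in summaries)]

def excess(nets, summaries):
    """Address space the summaries admit beyond the listed networks."""
    out = []
    for s in summaries:
        leftover = [s]
        for n in (n for n in nets if n.subnet_of(s)):
            # Carve each listed network out of whatever is still left of the summary.
            leftover = [piece for blk in leftover
                        for piece in (blk.address_exclude(n) if n.subnet_of(blk) else [blk])]
        out.extend(leftover)
    return sorted(out)

def exempt(src_ip, dst_ip, acl):
    """True if a src->dst flow matches a NONAT entry, i.e. bypasses translation."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in a and d in b for a, b in acl)

if __name__ == "__main__":
    print("not covered by statics:", uncovered(INSIDE_NETS, STATICS))
    print("extra space in statics:", excess(INSIDE_NETS, STATICS))
    print("inside nets with no NONAT entry:",
          uncovered(INSIDE_NETS, [src for src, _ in NONAT]))
    print("10.126.1.1 -> 10.45.0.10 exempt?", exempt("10.126.1.1", "10.45.0.10", NONAT))
```

The two summaries also admit 10.124.0.0/16 and 10.131.0.0/16, which are not on the list, so as Jon notes the interface ACLs are what actually limit reachability.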
05-15-2009 09:17 AM
Good :) Thanks! I'll let you know on Monday. If everything goes well Saturday, we're going to leave it in permanently.
On a side note, the expect script worked great for clearing out the sessions. I do "clear local-host" and it clears the sessions out like expected, so that definitely worked for what I needed. (I hope you remember that conversation.) :)
Thanks Jon!
John
05-15-2009 09:21 AM
"On a side note, the expect script worked great for clearing out the sessions. I do "clear local-host" and it clears the sessions out like expected, so that definitely worked for what I needed. (I hope you remember that conversation.) :)"
Glad to hear it. I do remember, as I have had to do that sort of thing so many times before in different jobs.
05-15-2009 09:29 AM
John
Last post missed off a load of stuff I had typed.
What I was going to say was that now you know how to automate things with Expect, it's addictive. Soon you'll be thinking of all sorts of things you can write a script for.
Word of warning though. When I was a Unix admin one of my colleagues told a story about an admin he used to know who got so into Expect he virtually automated his entire job to the point where he barely had to turn up to work. So the company decided they didn't need him anymore.
So best not to automate too much :-)
Jon
05-15-2009 11:00 AM
LOL! Good tip :)