Static rules and Dynamic rules for the same networks

Nov 3rd, 2009

I am working at a customer site that has an ASA appliance on either side of their DMZ. The inside perimeter ASA is first in the path from the inside networks into the DMZ. Then you cross the outside perimeter ASA to get to the Internet.

The inside perimeter ASA has an interesting configuration. I see static statements for networks (e.g. static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0) and then they also have (e.g. global (outside) 1 172.16.1.4-

nat (inside) 1 192.168.5.0 255.255.255.0


Is this not redundant? Won't the static statement always override the dynamic global/nat combo? Is it safe to delete the dynamic NAT translations that are already represented on the ASA by static statements?

Thanks

Kevin


Jon Marshall Tue, 11/03/2009 - 13:00

Kevin


Yes, I agree, the dynamic statement should be redundant. You could have both if you were doing policy NAT, but if there are no ACLs attached to NAT statements then the statics should override the dynamic NAT.


Easiest way to check though is to look at the xlate table to see if there are any of the dynamic translations in the table, i.e.


sh xlate


or


sh running config xlate


Jon

Kevin Melton Tue, 11/03/2009 - 13:13

check it out Jon


bhiasaip# sho xlate
15 in use, 188 most used
Global 206.248.224.1 Local 206.248.224.1
Global 192.168.10.0 Local 192.168.10.0
Global 192.168.11.0 Local 192.168.11.0
Global 10.20.0.0 Local 10.20.0.0
Global 192.168.3.0 Local 192.168.3.0
Global 192.168.12.0 Local 192.168.12.0
Global 192.168.6.0 Local 192.168.6.0
Global 192.168.14.0 Local 192.168.14.0
Global 192.168.4.0 Local 192.168.4.0
Global 172.16.1.0 Local 172.16.1.0
Global 172.16.1.5 Local 192.168.5.15
Global 192.168.50.0 Local 192.168.50.0
Global 192.168.5.0 Local 192.168.5.0
Global 198.100.100.0 Local 198.100.100.0

bhiasaip# sho xlate det
15 in use, 188 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
NAT from inside:206.248.224.1 to outside:206.248.224.1 flags s
NAT from inside:192.168.10.0 to outside:192.168.10.0 flags s
NAT from inside:192.168.11.0 to outside:192.168.11.0 flags s
NAT from inside:10.20.0.0 to outside:10.20.0.0 flags s
NAT from inside:192.168.3.0 to outside:192.168.3.0 flags s
NAT from inside:192.168.12.0 to outside:192.168.12.0 flags s
NAT from inside:192.168.6.0 to outside:192.168.6.0 flags s
NAT from inside:192.168.14.0 to outside:192.168.14.0 flags s
NAT from inside:192.168.4.0 to outside:192.168.4.0 flags s
NAT from inside:172.16.1.0 to outside:172.16.1.0 flags s
NAT from inside:192.168.5.15 to outside:172.16.1.5 flags s
NAT from inside:192.168.50.0 to outside:192.168.50.0 flags s
NAT from inside:192.168.5.0 to outside:192.168.5.0 flags s
NAT from inside:198.100.100.0 to outside:198.100.100.0 flags s
bhiasaip#

Looks like they are all static. I am really wary about removing the NAT pools and something breaking however...

Jon Marshall Tue, 11/03/2009 - 13:20

Kevin


"Looks like they are all static. I am really wary about removing the NAT pools and something breaking however..."


Hmmm, not so sure, i.e.


Global 172.16.1.5 Local 192.168.5.15


What version of ASA software are you using?


I wouldn't remove it based on the output above. Can you post the exact NAT statements off the ASA?


Jon

Kevin Melton Wed, 11/04/2009 - 07:13

We are running 8.2.1.


Here are the NATs:


nat (inside) 1 172.16.1.0 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0
nat (inside) 1 192.168.5.0 255.255.255.0
nat (inside) 1 192.168.6.0 255.255.255.0
nat (inside) 1 192.168.8.0 255.255.255.0
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.11.0 255.255.255.0
nat (inside) 1 192.168.12.0 255.255.255.0
nat (inside) 1 192.168.14.0 255.255.255.0
nat (inside) 1 192.168.15.0 255.255.255.0
nat (inside) 1 198.100.100.0 255.255.255.0

Here are the statics:


static (inside,outside) 206.248.224.1 206.248.224.1 netmask 255.255.255.255
static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside,outside) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
static (inside,outside) 10.20.0.0 10.20.0.0 netmask 255.255.248.0
static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,outside) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
static (inside,outside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (inside,outside) 192.168.14.0 192.168.14.0 netmask 255.255.255.0
static (inside,outside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,outside) 172.16.1.5 192.168.5.15 netmask 255.255.255.255
static (inside,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (inside,outside) 198.100.100.0 198.100.100.0 netmask 255.255.255.0


Thanks for your help on this.

Kevin
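One way to cross-check the nat and static lines posted in this thread before touching the NAT pool, as an added example that is not from the thread or from Cisco: a small Python script that parses ASA 8.2 nat/static syntax and reports, per dynamic nat network, whether a static on the same real interface shadows all of it ("redundant"), only some hosts ("partial", an assumed case to guard against), or none ("needed"). The CONFIG string is constructed from a subset of the lines above; on the full posted config the same check would flag networks such as 192.168.8.0, which appear in the nat list but have no static.

```python
import ipaddress
import re

# Constructed input: a subset of the nat/static lines posted in this thread (ASA 8.2 syntax).
CONFIG = """
nat (inside) 1 172.16.1.0 255.255.255.0
nat (inside) 1 192.168.5.0 255.255.255.0
nat (inside) 1 192.168.8.0 255.255.255.0
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,outside) 172.16.1.5 192.168.5.15 netmask 255.255.255.255
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
# static (real_ifc,mapped_ifc) <mapped> <real> netmask <mask>
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")


def parse(config):
    """Return ([(real_ifc, pool_id, real_net)], [(real_ifc, real_net)])."""
    dynamic, statics = [], []
    for line in config.strip().splitlines():
        m = NAT_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            dynamic.append((m.group(1), int(m.group(2)), net))
            continue
        m = STATIC_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            statics.append((m.group(1), net))
    return dynamic, statics


def classify(config):
    """Map each dynamic nat network to 'redundant', 'partial' or 'needed'.
    ASA 8.2 evaluates static NAT before regular dynamic NAT, so a nat line is
    redundant only if every real host it covers also matches a static on the
    same real interface; with partial overlap it still serves the other hosts."""
    dynamic, statics = parse(config)
    verdict = {}
    for ifc, _pool, net in dynamic:
        same_ifc = [s for s_ifc, s in statics if s_ifc == ifc]
        if any(net.subnet_of(s) for s in same_ifc):
            verdict[str(net)] = "redundant"
        elif any(net.overlaps(s) for s in same_ifc):
            verdict[str(net)] = "partial"
        else:
            verdict[str(net)] = "needed"
    return verdict
```

Run it against the full running config (the nat and static lines only) and keep every nat line that comes back "partial" or "needed"; the xlate table alone does not show a dynamic entry until a host without a static actually sends traffic.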
