
ASA Static translation - will this be a problem?

My DMZ is 10.45.136.0, 10.45.137.0, and 10.45.138.0.

My inside is 10.0.0.0.

Will I have a problem if I have my static nat stated as:

static (inside,dmz1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

Or will this work in translating everything correctly? I'm trying to figure out if I should create static nat for every subnet I truly do have instead of trying to combine all of them in one.

Thanks,

John

HTH, John *** Please rate all useful posts ***
4 REPLIES
Hall of Fame Super Blue

Re: ASA Static translation - will this be a problem?

John

From memory I think you should be fine with this. However, if it doesn't work then you could do:

access-list in_to_dmz permit ip any 10.45.136.0 255.255.255.0
access-list in_to_dmz permit ip any 10.45.137.0 255.255.255.0
access-list in_to_dmz permit ip any 10.45.138.0 255.255.255.0
nat (inside) 0 access-list in_to_dmz

Jon

Bronze

Re: ASA Static translation - will this be a problem?

Hi John/John,

Both of your methods will work (I've used both before).

However, using a 10/8 static will use identity NAT, whereas a nat 0 ACL will do NAT exemption. I prefer to use NAT exemption because it's a bit neater and it won't show up in "sh xlate". If you're using identity NAT you can't see the wood for the trees when trying to get a quick view of all your current NATs.

Seeing as NAT exemption bypasses NAT altogether, perhaps it saves on system resources too???

Regards

Re: ASA Static translation - will this be a problem?

So, is it better for me to list all of my private networks into my dmz networks to keep from having to use statics?

access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.136.0 255.255.255.0
access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.137.0 255.255.255.0
access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.138.0 255.255.255.0
access-list NONAT permit ip 172.20.0.0 255.255.0.0 10.45.135.0 255.255.255.0

etc?

I'll still need to nat 10.125.x.x and 172.x.x.x traffic to the internet, so I would need to specify what network not to nat to.

Thanks,

John

HTH, John *** Please rate all useful posts ***
Hall of Fame Super Blue

Re: ASA Static translation - will this be a problem?

John

You could specify all the inside networks if you wanted, or you could just use the catch-all 10.0.0.0/8 entry in your NAT exemption ACLs:

access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.45.136.0 255.255.255.0

etc...

"I'll still need to nat 10.125.x.x and 172.x.x.x traffic to the internet, so I would need to specify what network not to nat to."

Yes, that will be fine. Just set up NAT for this as you normally would, i.e.:

nat (inside) 1 10.0.0.0 255.0.0.0

global (outside) 1 interface or

Jon
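As an added example (not from this thread or from Cisco), a small Python checker that parses NAT exemption ACL entries in the form used above, rejects malformed ones such as the "10.45.136.0.0" tokens, tests whether an inside-to-DMZ flow would be exempted by nat 0, and lists DMZ subnets the ACL leaves uncovered for the whole inside range. The sample ACL lines and addresses are constructed for illustration.

```python
"""Sanity-check an ASA nat 0 (NAT exemption) ACL like the thread's NONAT list: parse its
permit ip entries, test whether an inside->DMZ flow is exempted, list uncovered DMZ subnets."""
import ipaddress

def _take_net(tokens):
    """Consume 'any' or 'ADDR MASK' from the front of the token list."""
    tok = tokens.pop(0) if tokens else ""
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if not tokens:
        raise ValueError(f"missing address or mask near {tok!r}")
    # ipaddress rejects malformed tokens such as '10.45.138.0.0' outright
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_ace(line):
    """Return (acl_name, src_net, dst_net); raise ValueError on bad syntax."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"not a permit ip ACE: {line!r}")
    rest = tokens[4:]
    src, dst = _take_net(rest), _take_net(rest)
    if rest:
        raise ValueError(f"trailing tokens {rest} in {line!r}")
    return tokens[1], src, dst

def load_acl(lines):
    """Parse every line; return (parsed entries, error messages for bad lines)."""
    good, bad = [], []
    for line in lines:
        try:
            good.append(parse_ace(line))
        except ValueError as exc:
            bad.append(str(exc))
    return good, bad

def is_exempt(acl, src_ip, dst_ip):
    """True if an ACE matches the flow, so nat 0 skips translation for it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for _, sn, dn in acl)

def uncovered_dmz(acl, inside, dmz_subnets):
    """DMZ subnets with no single ACE covering them for the whole inside network."""
    inside = ipaddress.ip_network(inside)
    return [str(n) for n in map(ipaddress.ip_network, dmz_subnets)
            if not any(inside.subnet_of(sn) and n.subnet_of(dn) for _, sn, dn in acl)]

# Constructed sample: two good entries plus one carrying the '.0.0' typo seen in the thread.
ACL_LINES = ["access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.45.136.0 255.255.255.0",
             "access-list NONAT permit ip 10.0.0.0 255.0.0.0 10.45.137.0 255.255.255.0",
             "access-list NONAT permit ip 10.125.0.0 255.255.0.0 10.45.138.0.0"]
DMZ = ["10.45.136.0/24", "10.45.137.0/24", "10.45.138.0/24"]
```

Running load_acl(ACL_LINES) rejects the third line, and uncovered_dmz(acl, "10.0.0.0/8", DMZ) then reports 10.45.138.0/24 as the subnet still missing an exemption.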
