Cisco Support Community

New Member

ASA5505 global outside rule

I'm new to Cisco ASA 5505 configuration and management. I appreciate any help on the following:

We have the following two lines on our asa config.

global (outside) 1 111.111.111.195-111.111.111.199

global (outside) 1 111.111.111.200

The way I understand it is that it is a dynamic rule and that every computer in our network will get any of the IP addresses listed above when going to the internet if they do not have a static NAT rule in place.

My questions are:

1. Can I use a single IP instead of using a range?

2. When I remove the IP 111.111.111.200 from the config, some computers cannot go to the internet while others can. Is there a table that needs to be refreshed?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

ASA5505 global outside rule

Hi,

The configuration you list is a Dynamic NAT with Dynamic PAT.

What I mean is that you have a NAT pool that will allocate a single NAT IP address for a single host until it runs out. When the NAT Pool runs out it will start doing Dynamic PAT (Port Address Translation) to this single specified PAT address.

If we are talking about an actual production environment and you are using public IP addresses then I would suggest removing the Dynamic NAT (NAT Pool) and only leaving the Dynamic PAT. The reason for this is simply that it's a waste of public IP addresses to allocate a single user a single public IP address unless we are talking about Static NAT for a single server hosting actual services.

So the configuration might look like this:

global (outside) 1 111.111.111.200

And naturally also the "nat" command(s) required for the LAN interfaces of the ASA that specify the source addresses.

If you remove the Dynamic PAT address (the configuration above) and leave the Dynamic NAT (NAT Pool) configuration then clearing the translation table will not really provide you with much help. It just means that other hosts will get a public NAT IP address from the pool and then it will run out. A Dynamic PAT translation will be enough for all your LAN users' needs.

- Jouni
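To make the pool-then-PAT behaviour described above concrete, here is an added Python model (not ASA code and not from the original thread) of the two "global (outside)" lines: five one-to-one pool addresses with a single PAT fallback address. It shows why removing the PAT address leaves some hosts with no translation once the pool is used up, and why "clear xlate" only shuffles which hosts get the pool addresses. Inside host addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Toy model of ASA dynamic NAT pool + dynamic PAT fallback (constructed, not ASA code).
class OutsideTranslator:
    def __init__(self, pool_range: str, pat_address: Optional[str]):
        first, last = pool_range.split("-")
        start = int(ipaddress.IPv4Address(first))
        end = int(ipaddress.IPv4Address(last))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        self.pat_address = pat_address  # None models removing the PAT "global" line
        # inside host -> (outside ip, port); port is None for one-to-one NAT
        self.xlate: Dict[str, Tuple[str, Optional[int]]] = {}
        self.next_pat_port = 1024

    def translate(self, inside_host: str) -> Optional[Tuple[str, Optional[int]]]:
        """Return (outside_ip, port) for a host, or None if no translation is possible."""
        if inside_host in self.xlate:
            return self.xlate[inside_host]
        in_use = {ip for ip, port in self.xlate.values() if port is None}
        for candidate in self.pool:
            if candidate not in in_use:
                self.xlate[inside_host] = (candidate, None)  # one-to-one dynamic NAT
                return self.xlate[inside_host]
        if self.pat_address is None:
            return None  # pool exhausted and no PAT address: host cannot get out
        port = self.next_pat_port
        self.next_pat_port += 1
        self.xlate[inside_host] = (self.pat_address, port)  # many-to-one dynamic PAT
        return self.xlate[inside_host]

    def clear_xlate(self) -> None:
        """Model of 'clear xlate': drop every existing translation."""
        self.xlate.clear()
        self.next_pat_port = 1024


def hosts_without_access(translator: OutsideTranslator, hosts: List[str]) -> List[str]:
    """Hosts (in order) that fail to obtain any outside translation."""
    return [h for h in hosts if translator.translate(h) is None]
```

With eight inside hosts and the five-address pool, the pool-plus-PAT configuration serves everyone, while the pool-only configuration strands the last three hosts regardless of clearing the table.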

3 REPLIES

ASA5505 global outside rule

Hello Jose,

1) Yes, you can; you can use as many as you want. In fact, if you use just one you will be using PAT and you will be able to perform as many as 64,000 translations using ports of a single address.

2) The Xlate table

clear xlate

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

New Member

ASA5505 global outside rule

Thanks for answering. Now I know what to do.
