Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Static rules and Dynamic rules for the same networks

i am working at a customer site whom has an ASA appliance on either side of their DMZ. The inside perimeter ASA is first in the path from the inside networks into the dmz. Then you cross the outside perimeter ASA to get to the Internet.

The inside perimeter ASA has an interesting configuration. I see static statements for networks (ex. static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0) and then they also have (ex. global (outside) 1 172.16.1.4-

nat (inside) 1 192.168.5.0 255.255.255.0

Is this not redundant? Wont the static statement always override the dynamic global/nat combo? Is it safe to delete the dynamic NAT translations that are already represented on the ASA by static statements?

Thanks

Kevin

4 REPLIES
Hall of Fame Super Blue

Re: Static rules and Dynamic rules for the same networks

Kevin

Yes i agree, the dynamic statement should be redundant. You could have both if you were doing policy NAT but if there are no acls attached to NAT statements then the statics should override the dynamic NAT.

Easiest way to check though is to look at the xlate table to see if there any of the dynamic translations in the table ie.

sh xlate

or

sh running config xlate

Jon

New Member

Re: Static rules and Dynamic rules for the same networks

check it out Jon

bhiasaip# sho xlate

15 in use, 188 most used

Global 206.248.224.1 Local 206.248.224.1

Global 192.168.10.0 Local 192.168.10.0

Global 192.168.11.0 Local 192.168.11.0

Global 10.20.0.0 Local 10.20.0.0

Global 192.168.3.0 Local 192.168.3.0

Global 192.168.12.0 Local 192.168.12.0

Global 192.168.6.0 Local 192.168.6.0

Global 192.168.14.0 Local 192.168.14.0

Global 192.168.4.0 Local 192.168.4.0

Global 172.16.1.0 Local 172.16.1.0

Global 172.16.1.5 Local 192.168.5.15

Global 192.168.50.0 Local 192.168.50.0

Global 192.168.5.0 Local 192.168.5.0

Global 198.100.100.0 Local 198.100.100.0

bhiasaip# sho xlate det

15 in use, 188 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

NAT from inside:206.248.224.1 to outside:206.248.224.1 flags s

NAT from inside:192.168.10.0 to outside:192.168.10.0 flags s

NAT from inside:192.168.11.0 to outside:192.168.11.0 flags s

NAT from inside:10.20.0.0 to outside:10.20.0.0 flags s

NAT from inside:192.168.3.0 to outside:192.168.3.0 flags s

NAT from inside:192.168.12.0 to outside:192.168.12.0 flags s

NAT from inside:192.168.6.0 to outside:192.168.6.0 flags s

NAT from inside:192.168.14.0 to outside:192.168.14.0 flags s

NAT from inside:192.168.4.0 to outside:192.168.4.0 flags s

NAT from inside:172.16.1.0 to outside:172.16.1.0 flags s

NAT from inside:192.168.5.15 to outside:172.16.1.5 flags s

NAT from inside:192.168.50.0 to outside:192.168.50.0 flags s

NAT from inside:192.168.5.0 to outside:192.168.5.0 flags s

NAT from inside:198.100.100.0 to outside:198.100.100.0 flags s

bhiasaip#

Looks like they are all static. I am really wary about removing the NAT pools and something breaking however...

Hall of Fame Super Blue

Re: Static rules and Dynamic rules for the same networks

Kevin

"Looks like they are all static. I am really wary about removing the NAT pools and something breaking however..."

hmmm, not so sure ie.

Global 172.16.1.5 Local 192.168.5.15

what version of ASA software are you using ?

I wouldn't remove it based on the output above. Can ypou post the exact NAT statements off the ASA ?

Jon

New Member

Re: Static rules and Dynamic rules for the same networks

We are running 8.2.1.

Here are the NAT's

nat (inside) 1 172.16.1.0 255.255.255.0

nat (inside) 1 192.168.3.0 255.255.255.0

nat (inside) 1 192.168.5.0 255.255.255.0

nat (inside) 1 192.168.6.0 255.255.255.0

nat (inside) 1 192.168.8.0 255.255.255.0

nat (inside) 1 192.168.10.0 255.255.255.0

nat (inside) 1 192.168.11.0 255.255.255.0

nat (inside) 1 192.168.12.0 255.255.255.0

nat (inside) 1 192.168.14.0 255.255.255.0

nat (inside) 1 192.168.15.0 255.255.255.0

nat (inside) 1 198.100.100.0 255.255.255.0

Here are the statics

static (inside,outside) 206.248.224.1 206.248.224.1 netmask 255.255.255.255

static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

static (inside,outside) 192.168.11.0 192.168.11.0 netmask 255.255.255.0

static (inside,outside) 10.20.0.0 10.20.0.0 netmask 255.255.248.0

static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

static (inside,outside) 192.168.12.0 192.168.12.0 netmask 255.255.255.0

static (inside,outside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0

static (inside,outside) 192.168.14.0 192.168.14.0 netmask 255.255.255.0

static (inside,outside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static (inside,outside) 172.16.1.5 192.168.5.15 netmask 255.255.255.255

static (inside,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

static (inside,outside) 198.100.100.0 198.100.100.0 netmask 255.255.255.0

thanks for your help on this.

Kevin

130
Views
4
Helpful
4
Replies