Static rules and Dynamic rules for the same networks
I am working at a customer site that has an ASA appliance on either side of their DMZ. The inside perimeter ASA is first in the path from the inside networks into the DMZ. Then you cross the outside perimeter ASA to get to the Internet.
The inside perimeter ASA has an interesting configuration. I see static statements for networks (ex. static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0) and then they also have (ex. global (outside) 1 172.16.1.4-
nat (inside) 1 192.168.5.0 255.255.255.0
Is this not redundant? Won't the static statement always override the dynamic global/nat combo? Is it safe to delete the dynamic NAT translations that are already represented on the ASA by static statements?
Re: Static rules and Dynamic rules for the same networks
Yes, I agree, the dynamic statement should be redundant. You could have both if you were doing policy NAT, but if there are no ACLs attached to the NAT statements then the statics should override the dynamic NAT.
The easiest way to check, though, is to look at the xlate table to see if any of the dynamic translations are in the table, i.e.
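The reply above relies on the pre-8.3 ASA NAT order (static rules are matched before regular dynamic nat/global rules), so a dynamic rule whose real network is entirely covered by a static on the same interface never produces a translation. Below is an added example, not from the thread or from Cisco, that applies that rule to the config lines quoted in the question: it parses static and nat statements and reports which non-policy dynamic rules are fully shadowed by a static, which is the candidate list for cleanup before you confirm against the xlate table. The global pool end address (172.16.1.10) and the second nat line for 192.168.6.0/24 are constructed for the example; the original post only shows the first half of the global statement.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample config: the three lines from the question, with the
# global pool end address and the 192.168.6.0/24 nat line made up for the
# example so that one dynamic rule is shadowed and one is not.
SAMPLE_CONFIG = """
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
global (outside) 1 172.16.1.4-172.16.1.10
nat (inside) 1 192.168.5.0 255.255.255.0
nat (inside) 1 192.168.6.0 255.255.255.0
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
# nat (real_ifc) nat_id real_ip mask [access-list name]
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)(?: access-list (\S+))?$")


@dataclass
class StaticRule:
    real_if: str
    mapped_if: str
    real_net: ipaddress.IPv4Network
    mapped_net: ipaddress.IPv4Network


@dataclass
class DynamicRule:
    real_if: str
    nat_id: int
    real_net: ipaddress.IPv4Network
    acl: Optional[str]  # set means policy NAT, which needs manual review


def parse_config(text: str) -> Tuple[List[StaticRule], List[DynamicRule]]:
    """Extract static and dynamic (nat) rules; global lines are not needed
    for the shadowing check and are ignored."""
    statics: List[StaticRule] = []
    dynamics: List[DynamicRule] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append(StaticRule(
                real_if, mapped_if,
                ipaddress.IPv4Network(f"{real}/{mask}"),
                ipaddress.IPv4Network(f"{mapped}/{mask}"),
            ))
            continue
        m = NAT_RE.match(line)
        if m:
            real_if, nat_id, net, mask, acl = m.groups()
            dynamics.append(DynamicRule(
                real_if, int(nat_id), ipaddress.IPv4Network(f"{net}/{mask}"), acl))
    return statics, dynamics


def shadowed_dynamic_rules(statics: List[StaticRule],
                           dynamics: List[DynamicRule]) -> List[Tuple[DynamicRule, StaticRule]]:
    """Return (dynamic, static) pairs where a static on the same real
    interface fully covers the dynamic rule's real network. Policy NAT rules
    (with an ACL) are skipped rather than judged, matching the caveat in the
    reply."""
    pairs = []
    for d in dynamics:
        if d.acl is not None:
            continue
        for s in statics:
            if s.real_if == d.real_if and d.real_net.subnet_of(s.real_net):
                pairs.append((d, s))
                break
    return pairs


def report(text: str) -> List[str]:
    """Human-readable lines naming each shadowed dynamic rule."""
    statics, dynamics = parse_config(text)
    return [
        f"nat ({d.real_if}) {d.nat_id} {d.real_net} is shadowed by "
        f"static ({s.real_if},{s.mapped_if}) {s.mapped_net.network_address} "
        f"{s.real_net.network_address} netmask {s.real_net.netmask}"
        for d, s in shadowed_dynamic_rules(statics, dynamics)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

The output lists only the 192.168.5.0/24 nat line; the constructed 192.168.6.0/24 rule has no static and still needs its dynamic translation. Treat the list as candidates, then confirm with the xlate table as the reply suggests before removing anything.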