PAT netmask

aksher
Level 1

When PAT is defined, what is the difference between using a netmask like 255.255.255.0 in a global statement, say like

global(outside) 1 10.80.11.1 netmask 255.255.255.0

and without a netmask:

global(outside) 1 10.80.11.1

3 Replies

m-haddad
Level 5

global(outside) 1 10.80.11.1 netmask 255.255.255.0

The above will NAT over the first 253 IP addresses and the last IP address will be used for PAT

global(outside) 1 10.80.11.1

The above will PAT over this one IP address

Please rate if you find my post helpful,

Regards,

Actually, that is not correct, according to the documentation.

From the command reference:

"

create a pool of mapped addresses for NAT, use the global command in global configuration mode. To remove the pool of addresses, use the no form of this command.

global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}

no global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}

(Optional) Specifies the network mask for the mapped_ip. This mask does not specify a network when paired with the mapped_ip; rather, it specifies the subnet mask assigned to the mapped_ip when it is assigned to a host. If you want to configure a range of addresses, you need to specify mapped_ip-mapped_ip.

If you do not specify a mask, then the default mask for the address class is used."

Basically it sounds like it is the mask used for the mapped IP - not sure why it's needed.

--Jason

Hello Jason,

First, I apologize for the inaccurate answer. You're right about what you posted before. I did some research, as I understood the subnet mask is optional and used to specify the subnet mask of the mapped IP.

I have done some simulations using the two scenarios of Global NAT, and the result would be the same whether or not you specify the subnet mask with the global NAT.

This is because in either case the default router of the ASA would reply to the request, since the IP is within its routing table.

Therefore, you can consider the netmask almost useless.

I hope I could help,

Regards,
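
An added example (not part of any post in this thread and not Cisco code): a small Python parser for the `global` syntax quoted from the command reference, showing that the number of mapped addresses comes only from `mapped_ip[-mapped_ip]` and that an omitted netmask falls back to the default mask for the address class. The function names are hypothetical, and labelling a single mapped address (or `interface`) as PAT and a range as a NAT pool is an assumption based on how the thread uses the terms.

```python
import ipaddress
import re

# Grammar from the command reference quoted in the thread:
#   global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}
GLOBAL_RE = re.compile(
    r"^global\s*\((?P<ifc>[^)]+)\)\s+(?P<nat_id>\d+)\s+"
    r"(?:(?P<interface>interface)|(?P<start>[\d.]+)(?:-(?P<end>[\d.]+))?"
    r"(?:\s+netmask\s+(?P<mask>[\d.]+))?)\s*$"
)

def classful_mask(ip):
    """Default mask for the address class, used when no netmask is given."""
    first = int(ip) >> 24
    if first < 128:
        return "255.0.0.0"        # class A
    if first < 192:
        return "255.255.0.0"      # class B
    if first < 224:
        return "255.255.255.0"    # class C
    raise ValueError(f"{ip} is class D/E and has no default mask")

def describe_global(line):
    """Return interface, nat_id, kind, address count and effective mask."""
    m = GLOBAL_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a global statement: {line!r}")
    info = {"mapped_ifc": m["ifc"].strip(), "nat_id": int(m["nat_id"])}
    if m["interface"]:
        # Assumption: 'interface' means PAT on the interface's own address.
        info.update(kind="PAT", addresses=1, mask=None)
        return info
    start = ipaddress.IPv4Address(m["start"])
    end = ipaddress.IPv4Address(m["end"]) if m["end"] else start
    if end < start:
        raise ValueError("range end is below range start")
    if m["mask"]:
        # IPv4Network rejects non-contiguous masks such as 255.0.255.0.
        ipaddress.IPv4Network(f"0.0.0.0/{m['mask']}")
        mask = m["mask"]
    else:
        mask = classful_mask(start)
    # The mask never changes the count; only the mapped_ip range does.
    count = int(end) - int(start) + 1
    info.update(kind="PAT" if count == 1 else "NAT pool", addresses=count, mask=mask)
    return info
```

Run against the two statements from the question, both come back as one mapped address; only the reported mask differs (255.255.255.0 versus the class A default 255.0.0.0 for 10.80.11.1).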