Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PAT netmask

when PAT is defined what is the difference between using a netmask like 255.255.255.0 in global st.say like

global(outside) 1 10.80.11.1 netmask 255.255.255.0 and with out netmask global(outside) 1 10.80.11.1

3 REPLIES
Silver

Re: PAT netmask

global(outside) 1 10.80.11.1 netmask 255.255.255.0

The above will NAT over the first 253 IP addresses and the last IP address will be used for PAT

global(outside) 1 10.80.11.1

The above will PAT over this one IP address

Please rate if you find my post helpful,

Regards,

Bronze

Re: PAT netmask

Actually, that is not correct, according to the documentation.

From the command reference:

"

create a pool of mapped addresses for NAT, use the global command in global configuration mode. To remove the pool of addresses, use the no form of this command.

global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}

no global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface} (Optional) Specifies the network mask for the mapped_ip. This mask does not specify a network when paired with the mapped_ip; rather, it specifies the subnet mask assigned to the mapped_ip when it is assigned to a host. If you want to configure a range of addresses, you need to specify mapped_ip-mapped_ip.

If you do not specify a mask, then the default mask for the address class is used."

Basically it sounds like it is the mask used for the mapped IP - not sure why it's needed.

--Jason

Silver

Re: PAT netmask

Hello Jason,

First I applogize for the inaccurate answer. You're right about what you posted before. I did some research as I understood the subnet mask is optional and used to specify the subnet mask of the mapped IP.

I have done some simulations using the two scenarios of Global NAT and the result would be the same incase you do specify or not the subnet mask with the global NAT.

This is because in either cases the default router of the ASA would reply to the request since the ip is within it's routing table.

Therefore, you can consider the netmask is almost useless,

I hope I could help,

Regards,

245
Views
0
Helpful
3
Replies
CreatePlease to create content