topic Question about netmask in 8.2 CLI ASA config in Network Security

Question about netmask in 8.2 CLI ASA config

adityan404 — Tue, 12 Mar 2019 07:38:35 GMT

Hello,

I am having trouble understanding what the netmask in this particular global statement does. Is it dynamic NAT or just PAT? In other words, will the ASA translate the real ip addresses ( which is a network object group in this ACE, by the way) dynamically to the 6.0.0.0 subnet or is there an error in the rule and it should be netmask 255.255.255.255?

global (outside) 1 6.5.100.21 netmask 255.0.0.0

nat (outside) 1 access-list nat_outbound outside

Would really appreciate any help.

Thanks,

Adi

Based on the outside IP

Philip D'Ath — Thu, 21 Apr 2016 09:04:15 GMT

Based on the outside IP configuration of the ASA, would 6.5.100.21 be a reasonable address? If so, probably a typo.

Otherwise this ASA could only be used between internal networks where one network happened to use public IP addresses - internally.

Well, the outside interface

adityan404 — Fri, 22 Apr 2016 14:26:31 GMT

Well, the outside interface ip address falls in the 12.3.0.0 subnet. These are the relevant NAT statements.

global (outside) 1 6.5.x.x netmask 255.0.0.0

global (inside) 1 10.75.x.x netmask 255.255.255.255

nat (outside) 1 access-list outside_nat_outbound_1 outside (I had a typo in my question)

nat (inside) 1 access-list inside_nat_outbound

access-list outside_nat_outbound_1 extended permit ip "ipaddrA" 255.255.255.0 object-group objA

access-list outside_nat_outbound extended permit ip "ipaddrB" 255.255.255.0 object-group objA

Would you be able to explain the NAT rule action for the global(outside) statement?

Without having indepth

Marius Gunnerud — Fri, 22 Apr 2016 17:39:09 GMT

Without having indepth knowledge of your network and the exact subnet assigned to your outside network, I would say that this is a misconfiguration.

Right now your inside_nat_outbound access-list is being NATed to the 6.0.0.0/8 network. This is quite uncommon in my experience and usually only 1 public IP is needed for NAT. If the whole /8 network is available to you then this is a big waste of addresses in my opinion.

Please remember to select a correct answer and rate helpful posts

Thank you for your input. I

adityan404 — Fri, 22 Apr 2016 18:29:36 GMT

Thank you for your input. I think so too that this must be an error in the configuration but wanted to double-check anyways.