topic Re: Pix Output Analysis Question II in Network Security

Pix Output Analysis Question II

Thomas Reiling — Mon, 11 Mar 2019 19:38:08 GMT

I ran the Output Interpreter on our 506e and got the following:

WARNING: The IP address, 6x.172.214.193, of the 'outside' interface overlaps with

the static defined by:

'static (inside, outside) 10.2.28.0 10.2.28.0 netmask 255.255.255.255'.

Can someone please tell me what this means exactly and how I might resolve it?

Thank you,

Thomas

Re: Pix Output Analysis Question II

Federico Coto Fajardo — Thu, 20 Jan 2011 22:15:45 GMT

Hi,

Are you sure you're getting that exact error?

I replied to your original request because the IP was overlapping, however that's not the case with this static statement.

Additionally unless the outside of the PIX has a private segment, you shouldn't do identity NAT for the inside LAN because it cannot be NATed to the Internet then.

Federico.

Re: Pix Output Analysis Question II

Thomas Reiling — Thu, 20 Jan 2011 22:19:32 GMT

Federico,

That's the exact WARNING: from the Output Interpreter. It's a different error than the first one you helped me with.

I'm not sure what you mean here "you shouldn't do identity NAT for the inside LAN because it cannot be NATed to the Internet then."

Thank you,

Thomas

Re: Pix Output Analysis Question II

Federico Coto Fajardo — Thu, 20 Jan 2011 22:25:40 GMT

I don't think its an accurate error message.

What I'm saying is that you have the LAN with a private IP address (inside), then you have the outside with a public IP...

In this way the ASA can NAT and provide Internet access to the LAN...

If you do the static mentioned, then the ASA will not NAT the traffic but instead will keep the same IP addressing scheme for the inside network (the inside network will not have Internet then because it's not going to be translated to a public IP).

My question will be... what's the purpose of having that static you defined on the configuration?

Federico.

Re: Pix Output Analysis Question II

Thomas Reiling — Thu, 20 Jan 2011 22:40:57 GMT

Federico,

That's what I mean. I think it's bad configuration and was considering removing that line. But I was wondering why the Output Interpreter thought that 6x.172.214.193 was overlapping 10.2.28.0 10.2.28.0 in the static statement. How could they be overlapping if they're not even the same subnet? 10.2.28.0 is our subnet address by the way.

I took over this network and I'm trying to sort it all out.

Thank you,

Thomas

Re: Pix Output Analysis Question II

Kureli Sankar — Fri, 21 Jan 2011 04:57:29 GMT

Why is the mask /32 bit on the static statement? Is this a host address? 10.2.28.0? or should the mask be 255.255.255.0?

'static (inside, outside) 10.2.28.0 10.2.28.0 netmask 255.255.255.255'.

Are you seeing this under ASDM? Looks very similar to a defect that I filed a while ago.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsm15806

Resolved in the latest ASDM.

Symptom:

ASDM incorrectly says "IP Address conflicts with interface broadcast address." while trying to add an snmp-server IP address.

Conditions:

This was first observed in ASA running 8.0.2 and ASDM 6.0.2

Workaround:

Use CLI to add the snmp-server

Further Problem Description:

If the interface is configured with a 30 bit mask and if you try to add any other IP belonging to other subnet which would be a broad cast address if applied a 30 bit mask that is applied on the interface address, then ASDM will throw an error that says "IP Address conflicts with interface broadcast address."

Example:
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.252 

Try to add 172.30.1.143 as snmp-server using ASDM and you will see the error.

-KS