topic Re: Static rules and Dynamic rules for the same networks in Network Security

Static rules and Dynamic rules for the same networks

Kevin Melton — Mon, 11 Mar 2019 16:35:44 GMT

i am working at a customer site whom has an ASA appliance on either side of their DMZ. The inside perimeter ASA is first in the path from the inside networks into the dmz. Then you cross the outside perimeter ASA to get to the Internet.

The inside perimeter ASA has an interesting configuration. I see static statements for networks (ex. static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0) and then they also have (ex. global (outside) 1 172.16.1.4-

nat (inside) 1 192.168.5.0 255.255.255.0

Is this not redundant? Wont the static statement always override the dynamic global/nat combo? Is it safe to delete the dynamic NAT translations that are already represented on the ASA by static statements?

Thanks

Kevin

Re: Static rules and Dynamic rules for the same networks

Jon Marshall — Tue, 03 Nov 2009 21:00:49 GMT

Kevin

Yes i agree, the dynamic statement should be redundant. You could have both if you were doing policy NAT but if there are no acls attached to NAT statements then the statics should override the dynamic NAT.

Easiest way to check though is to look at the xlate table to see if there any of the dynamic translations in the table ie.

sh xlate

sh running config xlate

Jon

Re: Static rules and Dynamic rules for the same networks

Kevin Melton — Tue, 03 Nov 2009 21:13:04 GMT

check it out Jon

bhiasaip# sho xlate

15 in use, 188 most used

Global 206.248.224.1 Local 206.248.224.1

Global 192.168.10.0 Local 192.168.10.0

Global 192.168.11.0 Local 192.168.11.0

Global 10.20.0.0 Local 10.20.0.0

Global 192.168.3.0 Local 192.168.3.0

Global 192.168.12.0 Local 192.168.12.0

Global 192.168.6.0 Local 192.168.6.0

Global 192.168.14.0 Local 192.168.14.0

Global 192.168.4.0 Local 192.168.4.0

Global 172.16.1.0 Local 172.16.1.0

Global 172.16.1.5 Local 192.168.5.15

Global 192.168.50.0 Local 192.168.50.0

Global 192.168.5.0 Local 192.168.5.0

Global 198.100.100.0 Local 198.100.100.0

bhiasaip# sho xlate det

15 in use, 188 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

NAT from inside:206.248.224.1 to outside:206.248.224.1 flags s

NAT from inside:192.168.10.0 to outside:192.168.10.0 flags s

NAT from inside:192.168.11.0 to outside:192.168.11.0 flags s

NAT from inside:10.20.0.0 to outside:10.20.0.0 flags s

NAT from inside:192.168.3.0 to outside:192.168.3.0 flags s

NAT from inside:192.168.12.0 to outside:192.168.12.0 flags s

NAT from inside:192.168.6.0 to outside:192.168.6.0 flags s

NAT from inside:192.168.14.0 to outside:192.168.14.0 flags s

NAT from inside:192.168.4.0 to outside:192.168.4.0 flags s

NAT from inside:172.16.1.0 to outside:172.16.1.0 flags s

NAT from inside:192.168.5.15 to outside:172.16.1.5 flags s

NAT from inside:192.168.50.0 to outside:192.168.50.0 flags s

NAT from inside:192.168.5.0 to outside:192.168.5.0 flags s

NAT from inside:198.100.100.0 to outside:198.100.100.0 flags s

bhiasaip#

Looks like they are all static. I am really wary about removing the NAT pools and something breaking however...

Re: Static rules and Dynamic rules for the same networks

Jon Marshall — Tue, 03 Nov 2009 21:20:42 GMT

Kevin

"Looks like they are all static. I am really wary about removing the NAT pools and something breaking however..."

hmmm, not so sure ie.

Global 172.16.1.5 Local 192.168.5.15

what version of ASA software are you using ?

I wouldn't remove it based on the output above. Can ypou post the exact NAT statements off the ASA ?

Jon

Re: Static rules and Dynamic rules for the same networks

Kevin Melton — Wed, 04 Nov 2009 15:13:15 GMT

We are running 8.2.1.

Here are the NAT's

nat (inside) 1 172.16.1.0 255.255.255.0

nat (inside) 1 192.168.3.0 255.255.255.0

nat (inside) 1 192.168.5.0 255.255.255.0

nat (inside) 1 192.168.6.0 255.255.255.0

nat (inside) 1 192.168.8.0 255.255.255.0

nat (inside) 1 192.168.10.0 255.255.255.0

nat (inside) 1 192.168.11.0 255.255.255.0

nat (inside) 1 192.168.12.0 255.255.255.0

nat (inside) 1 192.168.14.0 255.255.255.0

nat (inside) 1 192.168.15.0 255.255.255.0

nat (inside) 1 198.100.100.0 255.255.255.0

Here are the statics

static (inside,outside) 206.248.224.1 206.248.224.1 netmask 255.255.255.255

static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

static (inside,outside) 192.168.11.0 192.168.11.0 netmask 255.255.255.0

static (inside,outside) 10.20.0.0 10.20.0.0 netmask 255.255.248.0

static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

static (inside,outside) 192.168.12.0 192.168.12.0 netmask 255.255.255.0

static (inside,outside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0

static (inside,outside) 192.168.14.0 192.168.14.0 netmask 255.255.255.0

static (inside,outside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static (inside,outside) 172.16.1.5 192.168.5.15 netmask 255.255.255.255

static (inside,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

static (inside,outside) 198.100.100.0 198.100.100.0 netmask 255.255.255.0

thanks for your help on this.

Kevin