1469 Views | 55 Helpful | 18 Replies

ASA inbound access

techkamleshs
Level 1

Hi,

I am confused: if we have a public IP 199.X.X.11 assigned to the NIC of an inside server, the server is behind the ASA inside interface, and the ASA external range does not fall into that range, will I be able to access this server from outside? The access list is applied on the outside interface for the public IP 199.X.X.11 for destination port 80, and the ISP has a route pointing to the firewall for the server's public IP. Also, is a static required in the ASA? Sorry if this is basic, as I am new to Cisco and do not know about this.

ASA external IP - 64.X.X.9

internal server ---(inside)fw(outside)--ISP---internet---user

Accepted Solution

Jennifer Halim
Cisco Employee

Yes, you can.

Apart from the access-list to allow the traffic through, you would also need to have a static 1:1 NAT configured for the inside server. Configuration as follows:

static (inside,outside) 199.X.X.11 199.X.X.11 netmask 255.255.255.255

If you are however running version 8.3, then the configuration would be as follows:

object network obj-199.X.X.11
     host 199.X.X.11
     nat (inside,outside) static 199.X.X.11

Hope that helps.

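As an added worked example (not part of the accepted solution or of Cisco's documentation), the commands below put together everything the thread says is required for inbound HTTP to the server: the identity static NAT (the host "translated" to itself) and the ACL applied inbound on the outside interface, in both pre-8.3 and 8.3+ syntax. The ACL name OUTSIDE_IN, the interface names inside/outside, the optional inside route and the <inside-next-hop> placeholder are assumptions; 199.X.X.11 is the masked address from the question.

```cisco
! ---- ASA 8.2 and earlier ----
! Identity static NAT: 199.X.X.11 on inside appears as 199.X.X.11 on outside.
! Satisfies the "translation must exist" rule for outside->inside traffic
! without changing the address, and takes precedence over any dynamic nat.
static (inside,outside) 199.X.X.11 199.X.X.11 netmask 255.255.255.255

! Pre-8.3 ACLs match the MAPPED address; with identity NAT it is the same one.
! Permit only TCP/80 to this single host, nothing else from outside.
access-list OUTSIDE_IN extended permit tcp any host 199.X.X.11 eq www
access-group OUTSIDE_IN in interface outside

! Only needed if 199.X.X.11 is NOT on the inside interface's own subnet
! (thread: inside interface 199.X.X.1 with the server in the same subnet
! needs no route). <inside-next-hop> is a placeholder, not a real address.
! route inside 199.X.X.0 255.255.255.0 <inside-next-hop>

! ---- ASA 8.3 and later ----
object network obj-199.X.X.11
 host 199.X.X.11
 ! static NAT of the object to its own address = identity NAT
 nat (inside,outside) static 199.X.X.11

! 8.3+ ACLs match the REAL (untranslated) address; referencing the object
! keeps the ACL and the NAT rule tied to the same host.
access-list OUTSIDE_IN extended permit tcp any object obj-199.X.X.11 eq www
access-group OUTSIDE_IN in interface outside
```

Two checks worth doing after applying this: `show xlate` (8.2) or `show nat detail` (8.3+) should show the identity translation for 199.X.X.11, and `packet-tracer input outside tcp 198.51.100.10 12345 199.X.X.11 80` (198.51.100.10 is a constructed test source) walks the flow through the ACL and NAT phases and reports which one would drop it. The ACL is deliberately limited to TCP/80 to the one host; a `permit ip any host 199.X.X.11` would expose every listening service on the server.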

18 Replies


Jennifer,

Thanks for answering. Why is this static required if we have a route in the ISP router (external to the firewall), which will know to send it to the firewall? Statics are put in for the outside to inside (private) mapping, and we don't have that scenario here.

static (inside,outside) 199.X.X.11 199.X.X.11 netmask 255.255.255.255

The reason why we need a static NAT statement is because if the traffic is being initiated from a low security level (outside) towards a high security level (inside), it is a requirement to have 2 things configured:

1) static NAT translation (whether it is an actual NAT translation, or just a translation to itself)

2) ACL applied on the outside interface to allow the traffic through.

Hi Jennifer,

So will the firewall do an ARP for 199.X.X.11 though it does not belong to it, and what MAC will be sent to the router? Or is it that the router will never do any ARP lookup for this address?

No, it will not be ARPing for it since it is a routed interface. As you have advised, on the router there is a route for the 199.X.X.11 IP address pointing towards the ASA outside interface IP address. So based on that route, it will be routed towards the ASA outside interface. On the ASA, either 199.X.X.11 is in the same subnet as the ASA inside interface, or if it's not, you would need to configure a route for 199.X.X.11 on the ASA to point to the correct next hop on the inside interface.

OK, I understand now!

So if the fw has the inside interface IP 199.X.X.1 and 199.X.X.11 is assigned to the inside machine (gateway is the inside i/f), will a static translation to itself still be required in the fw? And will the firewall still do ARPing for this IP during the inbound access?

Hi Jennifer,

Any thoughts on this?

If the fw has the inside interface IP 199.X.X.1 and 199.X.X.11 is assigned to the inside machine (gateway is the inside i/f), will a static translation to itself still be required in the fw? And will the firewall still ARP for this IP during the inbound access?

If you don't have any NAT statement at all in your configuration, then you can configure:

no nat-control

And this does not require any static NAT statement at all.

OK, but here I have multiple nat statements for outbound traffic with nat-control enabled. Considering this, can you let me know if the static is still required in the fw as below, and if the firewall will still ARP for this IP for incoming traffic?

static (private,public) 199.X.X.11 199.X.X.11

Hi experts,

Anyone who can share views on this?

There are a few options depending on what has been configured on the ASA itself.

With ASA, even though you are not actually translating the IP address from inside towards outside, you would still need to configure the static 1:1 NAT to itself. It will not translate the IP address; it's just a configuration that still needs to be configured as per the ASA design.

From your last post, you mention that you have a few NAT statements for outbound, hence the "no nat-control" will not take effect anymore for that interface where you have configured the NAT statements. Again depending on what the NAT statement actually says:

1) for the ip address 199.x.x.11, if you do not want to translate, you can configure "no nat-control". This will allow you to pass inbound traffic from outside to inside interface without any translation. However, for outbound traffic from 199.x.x.11 to the internet, if your NAT statement does cover that particular IP Address, it will be NATed to the IP Address configured in the "Global" command.

2) To be 100% sure that 199.x.x.11 does not get NATed for both inbound and outbound traffic, configure the static NAT statement to itself as advised earlier: "static (inside,outside) 199.x.x.11 199.x.x.11". This is because static NAT takes precedence over the nat (dynamic NAT) statement.

Can you please advise the reason why you are reluctant to configure static NAT to itself? This is widely used, and a must to be configured if you don't disable nat-control and have nat statements.

The same is typically configured as well if you don't want to NAT traffic between inside interface and DMZ interface for example.

Eg: if your inside network is 10.10.10.0/24 and you don't want to NAT traffic between inside and DMZ, then you configure the following:

static (inside,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.0


Hi Jennifer,

Thanks for the reply, but why will nat-control have an effect on the static statement? As per your statement specifically for "inbound" access:

"for the ip address 199.x.x.11, if you do not want to translate, you can configure "no nat-control". This will allow you to pass inbound traffic from outside to inside interface without any translation."

So whether I put "nat-control" or "no nat-control", as per my thought a static should be required from a lower to a higher security interface. Why is it that with "no nat-control" a static is not required? I am saying this as the Cisco guide says this:

"Traffic identified by a static command is not affected."

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1065667

In the NAT Control and Static NAT section of the following guide it is mentioned that "NAT control does not affect static NAT":

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html

There are a number of options depending on what you have on your current configuration as well as whether you need both inbound and outbound access from 199.x.x.11 not translated.

As I said earlier, the simplest way is to just configure the static 1:1 to itself, and you really don't have to worry about any other configuration within your existing config as that takes precedence over any other dynamic NAT statement.

You are correct, "nat-control" only affects the nat statement, not the static nat statement. However, if you have a nat statement in your existing configuration, the outbound traffic from 199.x.x.11 will be NATed accordingly. Configuring the static nat statement will confirm that both outbound and inbound traffic will not be translated.
