01-23-2014 01:05 PM - edited 03-11-2019 08:34 PM
I'm new to cisco asa5505 config and management. I appreciate any help on the following:
We have the following two lines on our asa config.
global (outside) 1 111.111.111.195-111.111.111.199
global (outside) 1 111.111.111.200
The way I understand it is that it is a dynamic rule and that every computer in our network will get any of the ip addresses listed above when going to the internet if they do not have a static NAT rule in place.
My questions are:
1.- Can I use a single ip instead of using a range?
2.- When I remove the ip 111.111.111.200 from the config some computers cannot go to the internet while others can. Is there a table that needs to be refreshed?
Thanks
01-28-2014 12:00 AM
Hi,
The configuration you list is a Dynamic NAT with Dynamic PAT.
What I mean is that you have a NAT pool that will allocate a single NAT IP address for a single host until it runs out. When the NAT Pool runs out it will start doing Dynamic PAT (Port Address Translation) to this single specified PAT address.
If we are talking about an actual production environment and you are using public IP addresses then I would suggest removing the Dynamic NAT (NAT Pool) and only leaving the Dynamic PAT. The reason for this is simply that it's a waste of public IP addresses to allocate a single user a single public IP address unless we are talking about Static NAT for a single server hosting actual services.
So the configuration might look like this
global (outside) 1 111.111.111.200
And naturally also the "nat" command(s) required for the LAN interfaces of the ASA that specify the source addresses.
If you remove the Dynamic PAT address (the configuration above) and leave the Dynamic NAT (NAT Pool) configuration then clearing the translation table will not really provide you with much help. It just means that other hosts will get a public NAT IP address from the pool and then it will run out. A Dynamic PAT translation will be enough for all your LAN users needs.
- Jouni
01-27-2014 05:21 PM
Hello Jose,
1) Yes you can; you can use as many as you want. In fact, if you use just one you will be using PAT, and you will be able to perform as many as 64,000 translations using ports of a single address.
2) The Xlate table
clear xlate
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
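A worked configuration, added here as an editor's example and not taken from either reply, that puts the two answers side by side: the pre-8.3 nat/global pair as posted (pool with PAT fallback), the PAT-only form Jouni recommends, and the xlate commands Julio refers to. The public addresses are the ones from the question; the inside subnet 192.168.1.0/24, the interface names and the 8.3+ object-NAT equivalent at the end are assumptions for illustration.

```cisco
! Constructed example (pre-8.3 ASA syntax). Inside subnet and interface
! names are assumed; only the public addresses come from the question.

! --- As posted: Dynamic NAT pool plus Dynamic PAT, both under NAT ID 1 ---
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 111.111.111.195-111.111.111.199
global (outside) 1 111.111.111.200
! Each inside host is given one address from .195-.199 until the five are
! used up; from the sixth host on, the ASA PATs behind .200. Removing the
! .200 line leaves only five usable translations, and hosts that already
! hold a pool address keep working until their xlate times out or is
! cleared, which is why only "some" computers lose Internet access.

! --- Recommended: Dynamic PAT only ---
no global (outside) 1 111.111.111.195-111.111.111.199
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 111.111.111.200
! A single address in a global statement is treated as a PAT address.
! If no dedicated public IP is available, PAT to the interface instead:
! global (outside) 1 interface

! --- Verify and, when a NAT change leaves stale entries, reset ---
show xlate
show xlate count
clear xlate

! --- Assumed 8.3+ equivalent (object NAT) for readers on newer code ---
! object network INSIDE-NET
!  subnet 192.168.1.0 255.255.255.0
!  nat (inside,outside) dynamic interface
```

Check the result with show xlate after a few inside hosts have opened connections: with the PAT-only form every entry should map to 111.111.111.200 with a different source port, and none should appear on .195-.199. Note that clear xlate drops every active translation, so existing TCP sessions through the ASA will be reset; do it in a maintenance window rather than on a busy link.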
01-28-2014 05:14 AM
Thanks for answering. Now I know what to do.