function of netmask cmd in ASA global NAT statement....

will
Level 3

Hi, very simple question. What is the difference between the following three command sets on ASA 8.2 OS? All commands are the same, but the netmask in the global command is changed in three different ways. The goal is simply to let all inside addresses NAT to the internet (OUTSIDE). Thx in advance! Will

interface GigabitEthernet0/0
 nameif OUTSIDE
 ip address 1.1.1.1 255.255.255.0
!
global (OUTSIDE) 10 1.1.1.2 netmask 255.255.255.255
!
nat (INSIDE) 10 0.0.0.0 0.0.0.0
!
!==============================
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 ip address 1.1.1.1 255.255.255.0
!
global (OUTSIDE) 10 1.1.1.2 netmask 255.255.255.0
!
nat (INSIDE) 10 0.0.0.0 0.0.0.0
!
!==============================
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 ip address 1.1.1.1 255.255.255.0
!
global (OUTSIDE) 10 1.1.1.2 netmask 255.0.0.0
!
nat (INSIDE) 10 0.0.0.0 0.0.0.0

7 Replies

Julio Carvajal
VIP Alumni

Hello Will,

The netmask will identify how many hosts you are supposed to use for the NAT:

nat (inside) 10 10.0.0.0 255.255.255.0

Means you will NAT the 10.0.0.0/24

nat (inside) 10 10.0.1.2 255.255.255.255

Means you will NAT only the 10.0.1.2 host

And that's it!

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi, I think you got the wrong config line. I understand that piece. I am talking about the netmask after the global command:

global (OUTSIDE) 10 1.1.1.2 netmask 255.0.0.0

not the one for the host inside scope/definition.

Hello,

No, I got what I needed..

NAT or global, the function of the netmask is the same one.

Define what is the network portion of a host or network that needs to be translated, or the network portion of a global IP or global IP network range.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Well... that's the confusing part. If I configure:

     global (OUTSIDE) 10 1.1.1.2 netmask 255.255.255.255

and sh xlate, then I see just all internal IPs xlated to 1.1.1.2.

If I change the config to:

     global (OUTSIDE) 10 1.1.1.2 netmask 255.255.255.0

I don't see internal IPs xlated to 1.1.1.2/.3/.4/.5/.6/.7, etc....

I still just see xlates to 1.1.1.2.

Perhaps the environment has to be busy and we run out of high-end socket ports (1024-65535) before I can see that?

So I am still confused. I don't think global (OUTSIDE) 10 1.1.1.2 netmask 255.255.255.0 tells the ASA to use all IPs in that class C as global addresses for xlates. It does something else; what is that?

thx,

Will

Hello Will,

It does what you are asking:

"netmask 255.255.255.0 tells asa to use all ip's in that class C as global addresses for xlates"


The 'netmask' option at the end of the global statement is only applicable for a global NAT pool, and not a global PAT address. When the netmask is specified, the ASA determines what the network and broadcast IPs are for that network, and if they are included in the global pool, it will not use them.
Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Okay, so with a single address configured, the ASA must assume it's a PAT, rather than a NAT. If I configured a NAT, I would need to do something like:

global (OUTSIDE) 10 1.1.1.2-3 netmask 255.255.255.0

In this case, the logic would say only use .2 and .3, not the whole class C. I think there are several things going on, all of which aren't explained well in the Cisco cfg guide:

1) If a single address is configured on a global, then the ASA must have internal logic saying always do a PAT.

2) If two or more addresses are configured on a global, then the ASA has logic that states do a NAT for this. However, you will run out after just X number of IPs. This is not clearly stated in the cfg guide.

3) If you do option 2, and configure a netmask, and the network and broadcast addresses are in your pool, then by virtue of having the netmask there, the ASA will exclude those two addresses from the pool if you have been too stupid to include them in your pool. For example:

global (OUTSIDE) 10 1.1.1.0-255 netmask 255.255.255.0

is a stupid way to configure, but the ASA lets me??? A better way is

global (OUTSIDE) 10 1.1.1.1-254 netmask 255.255.255.0

4) As a side note, the ASA allows me to put a netmask on a global PAT configuration (1 unique IP), but this is in essence not necessary either, because with 1 IP address in the global, the ASA will never do NAT, it just always does PAT?? So the fact that it lets me put in a netmask for a single IP is kind of dumb - maybe some type of protection against NAT misconfiguration for just 1 IP?

Does that summarize it?

Hello Will,

That's it.

here is the final comment:

If the ASA determines that you have the same amount of IPs on both nat and global, then it will perform a dedicated translation, one IP to one IP; if not, it will perform a PAT.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
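As an added illustration of the behaviour worked out in this thread (not code from the thread, Cisco, or the ASA itself), the following hypothetical helper models the ASA 8.2 'global' semantics: a single address is a PAT address and the netmask is irrelevant to it, a range is a NAT pool, and the netmask only serves to exclude the network and broadcast addresses of that subnet when the range happens to include them. The parser accepts both the full range form (1.1.1.2-1.1.1.3) and the last-octet shorthand used in the posts (1.1.1.2-3); these inputs are constructed.

```python
import ipaddress
import re

# Hypothetical parser for an ASA 8.2 style 'global' statement, e.g.
#   global (OUTSIDE) 10 1.1.1.2-1.1.1.3 netmask 255.255.255.0
# The 'last' group also accepts the last-octet shorthand used in the thread.
GLOBAL_RE = re.compile(
    r"^global\s+\((?P<ifc>[^)]+)\)\s+(?P<nat_id>\d+)\s+(?P<first>\d+(?:\.\d+){3})"
    r"(?:-(?P<last>\d+(?:\.\d+){0,3}))?(?:\s+netmask\s+(?P<mask>\d+(?:\.\d+){3}))?\s*$"
)


def parse_global(line):
    """Return (first, last, mask) for a global statement; mask is None if absent."""
    m = GLOBAL_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a global statement: {line!r}")
    first = ipaddress.IPv4Address(m["first"])
    last_txt = m["last"]
    if last_txt is None:
        last = first                                   # single address
    elif "." in last_txt:
        last = ipaddress.IPv4Address(last_txt)         # full form 1.1.1.2-1.1.1.3
    else:
        prefix = m["first"].rsplit(".", 1)[0]          # shorthand 1.1.1.2-3
        last = ipaddress.IPv4Address(f"{prefix}.{last_txt}")
    if last < first:
        raise ValueError("range end precedes range start")
    return first, last, m["mask"]


def classify_global(line):
    """Classify a global statement as PAT or NAT pool and list usable addresses."""
    first, last, mask = parse_global(line)
    if first == last:
        # One address: the ASA can only PAT behind it, whatever netmask is given.
        return {"mode": "PAT", "usable": [str(first)], "excluded": []}
    candidates = [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]
    excluded = []
    if mask is not None:
        # The netmask defines the subnet whose network/broadcast addresses are
        # withheld from the pool if the configured range includes them.
        net = ipaddress.IPv4Network((first, mask), strict=False)
        excluded = [a for a in candidates
                    if a in (net.network_address, net.broadcast_address)]
    usable = [a for a in candidates if a not in excluded]
    return {"mode": "NAT pool",
            "usable": [str(a) for a in usable],
            "excluded": [str(a) for a in excluded]}
```

Running it over the three original statements shows why Will saw no difference in sh xlate: each has a single address and is therefore PAT regardless of the netmask, while 1.1.1.0-255 netmask 255.255.255.0 yields 254 usable addresses with .0 and .255 withheld.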