10-02-2012 11:15 AM - edited 03-11-2019 05:03 PM
Hi, very simple question. What is the difference between the following three command sets on ASA 8.2 OS? All commands are the same, but the netmask in the global command is changed in three different ways. The goal is simply to let all inside addresses NAT to the internet (OUTSIDE). thx in advance! Will
interface GigabitEthernet0/0
nameif OUTSIDE
ip address 1.1.1.1 255.255.255.0
!
global (OUTSIDE) 10 1.1.1.2 netmask 255.255.255.255
!
nat (INSIDE) 10 0.0.0.0 0.0.0.0
!
!==============================
!
interface GigabitEthernet0/0
nameif OUTSIDE
ip address 1.1.1.1 255.255.255.0
!
global (OUTSIDE) 10 1.1.1.2 netmask 255.255.255.0
!
nat (INSIDE) 10 0.0.0.0 0.0.0.0
!
!==============================
!
interface GigabitEthernet0/0
nameif OUTSIDE
ip address 1.1.1.1 255.255.255.0
!
global (OUTSIDE) 10 1.1.1.2 netmask 255.0.0.0
!
nat (INSIDE) 10 0.0.0.0 0.0.0.0
10-02-2012 12:35 PM
Hello Will,
The netmask will identify how many hosts you are supposed to use for the NAT:
nat (inside) 10 10.0.0.0 255.255.255.0
This means you will NAT the 10.0.0.0/24 network.
nat (inside) 10 10.0.1.2 255.255.255.255
This means you will NAT only the 10.0.1.2 host.
And that's it!
Regards
10-02-2012 12:51 PM
Hi, I think you got the wrong config line. I understand that piece. I am talking about the netmask after the global command:
global (OUTSIDE) 10 1.1.1.2 netmask 255.0.0.0
not the one for the host inside scope/definition.
10-02-2012 01:43 PM
Hello,
No, I got what I needed.
NAT or global, the function of the netmask is the same one.
It defines the network portion of a host or network that needs to be translated, or the network portion of a global IP or global IP network range.
10-02-2012 02:18 PM
well... that's the confusing part. If I configure:
global (OUTSIDE) 10 1.1.1.2 netmask 255.255.255.255
and do a show xlate, then I see just all internal IPs xlated to 1.1.1.2.
If I change the config to:
global (OUTSIDE) 10 1.1.1.2 netmask 255.255.255.0
I don't see internal IPs xlated to 1.1.1.2/.3/.4/.5/.6/.7, etc....
I still just see xlates to 1.1.1.2.
Perhaps the environment has to be busy and we have to run out of high-end socket ports (1024-65535) before I can see that?
So I am still confused. I don't think global (OUTSIDE) 10 1.1.1.2 netmask 255.255.255.0 tells the ASA to use all IPs in that class C as global addresses for xlates. It does something else; what is that?
thx,
Will
10-02-2012 03:28 PM
Hello Will,
It does what you are asking:
"netmask 255.255.255.0 tells asa to use all ip's in that class C as global addresses for xlates"
The 'netmask' option at the end of the global statement is only applicable for a global NAT pool, and not global PAT address. When the netmask is specified, the ASA determines what the network and broadcast IPs are, for that network, and if they are included in the global pool, it will not use them.
10-02-2012 03:42 PM
okay, so with a single address configured, the ASA must assume it's a PAT rather than a NAT. If I configured a NAT, I would need to do something like:
global (OUTSIDE) 10 1.1.1.2-3 netmask 255.255.255.0
In this case, the logic would say only use .2 and .3, not the whole class C. I think there are several things going on, none of which are explained well in the Cisco config guide:
1) If a single address is configured on a global, then the ASA must have internal logic saying always do a PAT.
2) If two or more addresses are configured on a global, then the ASA has logic that states do a NAT for this. However, you will run out after just X number of IPs. This is not clearly stated in the config guide.
3) If you do option 2 and configure a netmask, and the network and broadcast addresses are in your pool, then by virtue of having the netmask there, the ASA will exclude those two addresses from the pool if you have been too stupid to include them in your pool. For example:
global (OUTSIDE) 10 1.1.1.0-255 netmask 255.255.255.0
is a stupid way to configure, but the ASA lets me??? A better way is
global (OUTSIDE) 10 1.1.1.1-254 netmask 255.255.255.0
4) As a side note, the ASA allows me to put a netmask on a global PAT configuration (1 unique IP), but this is in essence not necessary either, because with 1 IP address in the global, the ASA will never do NAT, it just always does PAT?? So the fact that it lets me put in a netmask for a single IP is kind of dumb - maybe some type of protection against NAT misconfiguration for just 1 IP?
Does that summarize it?
10-02-2012 03:57 PM
Hello Will,
That's it.
Here is the final comment:
If the ASA determines that you have the same number of IPs on both the nat and the global, then it will perform a dedicated one-to-one translation; if not, it will perform PAT.
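To make the behaviour summarised in this thread concrete, here is an added Python model (not Cisco code and not the ASA's real implementation) of how the address part and the netmask of a `global` line interact: a single address means PAT (netmask has no effect), a range means a NAT pool, and when a netmask is present the network and broadcast address of each address's subnet are dropped from the pool. The short range form `1.1.1.2-3` used in the posts above is accepted alongside the full `1.1.1.2-1.1.1.3` form; the function and dictionary keys are my own naming.

```python
import ipaddress


def parse_global_pool(spec):
    """Expand the address part of a `global` line into a list of IPv4Address.

    Accepts a single address ('1.1.1.2'), a full range ('1.1.1.2-1.1.1.3')
    or the short last-octet form seen in the thread ('1.1.1.2-3').
    """
    if "-" in spec:
        start, end = spec.split("-", 1)
        if "." not in end:  # short form: only the last octet of the end address
            end = ".".join(start.split(".")[:3] + [end])
        first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    else:
        first = last = int(ipaddress.IPv4Address(spec))
    if last < first:
        raise ValueError("range end precedes range start: %s" % spec)
    return [ipaddress.IPv4Address(a) for a in range(first, last + 1)]


def global_pool_effect(spec, netmask=None):
    """Model the thread's description of `global (ifc) id <spec> [netmask <mask>]`.

    Returns {'mode': 'PAT'|'NAT', 'addresses': [...usable...], 'excluded': [...]}.
    """
    addrs = parse_global_pool(spec)
    if len(addrs) == 1:
        # One address: PAT on that address; the netmask changes nothing.
        return {"mode": "PAT", "addresses": [str(addrs[0])], "excluded": []}
    excluded = []
    if netmask:
        # With a netmask the ASA knows each subnet's network/broadcast
        # address and will not hand those out from the pool.
        usable = []
        for a in addrs:
            net = ipaddress.IPv4Network((a, netmask), strict=False)
            if a in (net.network_address, net.broadcast_address):
                excluded.append(str(a))
            else:
                usable.append(a)
        addrs = usable
    return {"mode": "NAT", "addresses": [str(a) for a in addrs], "excluded": excluded}


if __name__ == "__main__":
    # The three configs from the original question all collapse to PAT on 1.1.1.2.
    for mask in ("255.255.255.255", "255.255.255.0", "255.0.0.0"):
        print(mask, global_pool_effect("1.1.1.2", mask))
    # The "stupid" range versus the sane one from the summary post.
    print(global_pool_effect("1.1.1.0-255", "255.255.255.0")["excluded"])
    print(len(global_pool_effect("1.1.1.1-254", "255.255.255.0")["addresses"]))
```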