Question about netmask in 8.2 CLI ASA config

adityan404
Level 1

Hello,

I am having trouble understanding what the netmask in this particular global statement does. Is it dynamic NAT or just PAT? In other words, will the ASA translate the real IP addresses (which is a network object group in this ACE, by the way) dynamically to the 6.0.0.0 subnet, or is there an error in the rule and it should be netmask 255.255.255.255?

global (outside) 1 6.5.100.21 netmask 255.0.0.0
nat (outside) 1 access-list nat_outbound outside
Would really appreciate any help. 
Thanks,
Adi
1 Accepted Solution

Without having in-depth knowledge of your network and the exact subnet assigned to your outside network, I would say that this is a misconfiguration.

Right now your inside_nat_outbound access-list is being NATed to the 6.0.0.0/8 network. This is quite uncommon in my experience and usually only 1 public IP is needed for NAT. If the whole /8 network is available to you then this is a big waste of addresses in my opinion.

--

Please remember to select a correct answer and rate helpful posts

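As an added example (not from this thread or from Cisco), a small Python lint for pre-8.3 `global`/`nat` statements: it classifies each global as PAT (a single mapped address) or a dynamic NAT pool (an address range), pairs it with the `nat` access-list of the same ID, and flags a mapped address that does not sit on the interface's own subnet, which is the check Philip suggests. The sample configuration, its interface addresses and the octets standing in for the poster's x.x values are all constructed placeholders.

```python
import ipaddress
import re

# Constructed sample modelled on the statements in this thread; interface
# addresses and the x.x octets are placeholders, not the poster's values.
SAMPLE_CONFIG = """
interface Vlan2
 nameif outside
 ip address 12.3.0.10 255.255.255.0
interface Vlan1
 nameif inside
 ip address 10.75.0.1 255.255.255.0
global (outside) 1 6.5.100.21 netmask 255.0.0.0
global (inside) 1 10.75.0.5 netmask 255.255.255.255
nat (outside) 1 access-list outside_nat_outbound_1 outside
nat (inside) 1 access-list inside_nat_outbound
"""
# pre-8.3 syntax: global (ifc) id lo[-hi] [netmask mask]
GLOBAL_RE = re.compile(r"^global \((?P<ifc>\S+)\) (?P<id>\d+) (?P<lo>[\d.]+)"
                       r"(?:-(?P<hi>[\d.]+))?(?: netmask (?P<mask>[\d.]+))?\s*$")
NAT_RE = re.compile(r"^nat \((?P<ifc>\S+)\) (?P<id>\d+) access-list (?P<acl>\S+)")

def interface_networks(config):
    # Map nameif -> IPv4Interface, read from the interface blocks.
    nets, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()
            nets[nameif] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return nets

def audit_globals(config):
    # One finding per global statement, paired with its nat access-list.
    nets, lines = interface_networks(config), config.splitlines()
    nat_acls = {(m["ifc"], m["id"]): m["acl"] for m in map(NAT_RE.match, lines) if m}
    findings = []
    for m in filter(None, map(GLOBAL_RE.match, lines)):
        ifc = nets.get(m["ifc"])
        findings.append({
            "interface": m["ifc"], "id": m["id"], "mapped": m["lo"], "netmask": m["mask"],
            # a single mapped address is PAT; a lo-hi range is a dynamic NAT pool
            "kind": "dynamic NAT pool" if m["hi"] else "PAT",
            "acl": nat_acls.get((m["ifc"], m["id"])),
            # does the mapped address sit on the interface's own subnet?
            "on_interface_subnet": ifc is not None and ipaddress.IPv4Address(m["lo"]) in ifc.network,
        })
    return findings
```

Run against the sample, the outside global is reported as PAT with a mapped address off the 12.3.0.0/24 interface subnet, while the inside global passes the subnet check.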
4 Replies

Philip D'Ath
VIP Alumni

Based on the outside IP configuration of the ASA, would 6.5.100.21 be a reasonable address?  If so, probably a typo.

Otherwise this ASA could only be used between internal networks where one network happened to use public IP addresses - internally.

Well, the outside interface ip address falls in the 12.3.0.0 subnet. These are the relevant NAT statements.

global (outside) 1 6.5.x.x netmask 255.0.0.0

global (inside) 1 10.75.x.x netmask 255.255.255.255

nat (outside) 1 access-list outside_nat_outbound_1 outside (I had a typo in my question)

nat (inside) 1 access-list inside_nat_outbound

access-list outside_nat_outbound_1 extended permit ip "ipaddrA" 255.255.255.0 object-group objA

access-list outside_nat_outbound extended permit ip "ipaddrB" 255.255.255.0 object-group objA

Would you be able to explain the NAT rule action for the global(outside) statement?

Thank you for your input. I also think this must be an error in the configuration, but I wanted to double-check anyway.
