Static rules and Dynamic rules for the same networks

Kevin Melton
Level 2

I am working at a customer site that has an ASA appliance on either side of their DMZ. The inside perimeter ASA is first in the path from the inside networks into the DMZ. Then you cross the outside perimeter ASA to get to the Internet.

The inside perimeter ASA has an interesting configuration. I see static statements for networks (ex. static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0) and then they also have (ex. global (outside) 1 172.16.1.4-

nat (inside) 1 192.168.5.0 255.255.255.0

Is this not redundant? Won't the static statement always override the dynamic global/nat combo? Is it safe to delete the dynamic NAT translations that are already represented on the ASA by static statements?

Thanks

Kevin

4 Replies

Jon Marshall
Hall of Fame

Kevin

Yes, I agree, the dynamic statement should be redundant. You could have both if you were doing policy NAT, but if there are no ACLs attached to the NAT statements then the statics should override the dynamic NAT.

Easiest way to check though is to look at the xlate table to see if any of the dynamic translations are in the table, i.e.

sh xlate

or

sh running config xlate

Jon

check it out Jon

bhiasaip# sho xlate
15 in use, 188 most used
Global 206.248.224.1 Local 206.248.224.1
Global 192.168.10.0 Local 192.168.10.0
Global 192.168.11.0 Local 192.168.11.0
Global 10.20.0.0 Local 10.20.0.0
Global 192.168.3.0 Local 192.168.3.0
Global 192.168.12.0 Local 192.168.12.0
Global 192.168.6.0 Local 192.168.6.0
Global 192.168.14.0 Local 192.168.14.0
Global 192.168.4.0 Local 192.168.4.0
Global 172.16.1.0 Local 172.16.1.0
Global 172.16.1.5 Local 192.168.5.15
Global 192.168.50.0 Local 192.168.50.0
Global 192.168.5.0 Local 192.168.5.0
Global 198.100.100.0 Local 198.100.100.0

bhiasaip# sho xlate det
15 in use, 188 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from inside:206.248.224.1 to outside:206.248.224.1 flags s
NAT from inside:192.168.10.0 to outside:192.168.10.0 flags s
NAT from inside:192.168.11.0 to outside:192.168.11.0 flags s
NAT from inside:10.20.0.0 to outside:10.20.0.0 flags s
NAT from inside:192.168.3.0 to outside:192.168.3.0 flags s
NAT from inside:192.168.12.0 to outside:192.168.12.0 flags s
NAT from inside:192.168.6.0 to outside:192.168.6.0 flags s
NAT from inside:192.168.14.0 to outside:192.168.14.0 flags s
NAT from inside:192.168.4.0 to outside:192.168.4.0 flags s
NAT from inside:172.16.1.0 to outside:172.16.1.0 flags s
NAT from inside:192.168.5.15 to outside:172.16.1.5 flags s
NAT from inside:192.168.50.0 to outside:192.168.50.0 flags s
NAT from inside:192.168.5.0 to outside:192.168.5.0 flags s
NAT from inside:198.100.100.0 to outside:198.100.100.0 flags s
bhiasaip#

Looks like they are all static. I am really wary about removing the NAT pools and something breaking however...

Kevin

"Looks like they are all static. I am really wary about removing the NAT pools and something breaking however..."

Hmmm, not so sure, i.e.

Global 172.16.1.5 Local 192.168.5.15

what version of ASA software are you using ?

I wouldn't remove it based on the output above. Can you post the exact NAT statements off the ASA?

Jon

We are running 8.2.1.

Here are the NATs:

nat (inside) 1 172.16.1.0 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0
nat (inside) 1 192.168.5.0 255.255.255.0
nat (inside) 1 192.168.6.0 255.255.255.0
nat (inside) 1 192.168.8.0 255.255.255.0
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.11.0 255.255.255.0
nat (inside) 1 192.168.12.0 255.255.255.0
nat (inside) 1 192.168.14.0 255.255.255.0
nat (inside) 1 192.168.15.0 255.255.255.0
nat (inside) 1 198.100.100.0 255.255.255.0

Here are the statics:

static (inside,outside) 206.248.224.1 206.248.224.1 netmask 255.255.255.255
static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside,outside) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
static (inside,outside) 10.20.0.0 10.20.0.0 netmask 255.255.248.0
static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,outside) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
static (inside,outside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
static (inside,outside) 192.168.14.0 192.168.14.0 netmask 255.255.255.0
static (inside,outside) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,outside) 172.16.1.5 192.168.5.15 netmask 255.255.255.255
static (inside,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (inside,outside) 198.100.100.0 198.100.100.0 netmask 255.255.255.0

Thanks for your help on this.

Kevin
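Added example (not part of the thread, and not Cisco's code): a small Python audit that applies the precedence Jon describes for pre-8.3 ASA code, where static translations are matched before the `nat`/`global` pool, to the statements Kevin posted. For each `nat (inside) 1` network it reports the address space that no `static` real-side network shadows, which is exactly the space whose handling would change if pool 1 were removed. In the posted lists, 192.168.8.0/24 and 192.168.15.0/24 are in the `nat` list but in no `static`, so they fall out as uncovered; the 172.16.1.5/192.168.5.15 host static Jon flagged is treated as a static covering 192.168.5.15/32, inside the 192.168.5.0/24 identity static. It also scans `show xlate detail` output for entries carrying the `i` (dynamic) flag, which is the sign that the pool is actually in use. Whether an uncovered network still passes untranslated once the pool is gone depends on `nat-control`, which the script cannot see. The config text is a subset of the posted lines; the xlate text is constructed, and its last line with `flags i` is invented to show what a live pool translation would look like. Function names are my own.

```python
import ipaddress
import re

# Constructed sample input (assumption): a subset of the nat/static statements
# posted in the thread, in ASA 8.2 (pre-8.3) syntax.
NAT_CONFIG = """\
nat (inside) 1 172.16.1.0 255.255.255.0
nat (inside) 1 192.168.5.0 255.255.255.0
nat (inside) 1 192.168.8.0 255.255.255.0
nat (inside) 1 192.168.15.0 255.255.255.0
static (inside,outside) 206.248.224.1 206.248.224.1 netmask 255.255.255.255
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,outside) 172.16.1.5 192.168.5.15 netmask 255.255.255.255
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (inside,outside) 10.20.0.0 10.20.0.0 netmask 255.255.248.0
"""

# Constructed "show xlate detail" lines (assumption): three static entries as
# posted, plus one invented dynamic ('i' flag) entry for illustration.
XLATE_DETAIL = """\
NAT from inside:172.16.1.0 to outside:172.16.1.0 flags s
NAT from inside:192.168.5.15 to outside:172.16.1.5 flags s
NAT from inside:192.168.5.0 to outside:192.168.5.0 flags s
NAT from inside:192.168.8.20 to outside:172.16.1.4 flags i
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)\s*$")
# Pre-8.3 static syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
XLATE_RE = re.compile(r"^NAT from (\S+):(\S+) to (\S+):(\S+) flags (\S+)")


def parse_nat_config(text):
    """Return (dynamic nat networks, static real-side networks) from a config dump."""
    dynamic, statics = [], []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:
            _ifc, nat_id, net, mask = m.groups()
            if nat_id != "0":  # nat 0 is exemption, not a pool
                dynamic.append(ipaddress.ip_network(f"{net}/{mask}"))
            continue
        m = STATIC_RE.match(line)
        if m:
            _real_ifc, _mapped_ifc, _mapped, real, mask = m.groups()
            statics.append(ipaddress.ip_network(f"{real}/{mask}"))
    return dynamic, statics


def uncovered_by_statics(nat_net, statics):
    """Parts of nat_net that no static's real-side network shadows."""
    remaining = [nat_net]
    for s in statics:
        nxt = []
        for r in remaining:
            if r.subnet_of(s):
                continue                          # fully shadowed by this static
            if s.subnet_of(r):
                nxt.extend(r.address_exclude(s))  # carve the more specific static out
            else:
                nxt.append(r)                     # no overlap, keep as is
        remaining = nxt
    return sorted(remaining)


def audit_nat_shadowing(text):
    """Map each dynamic nat network to the space that loses its translation if the pool goes."""
    dynamic, statics = parse_nat_config(text)
    return {str(n): [str(u) for u in uncovered_by_statics(n, statics)] for n in dynamic}


def dynamic_xlates(text):
    """(local, global) pairs for xlate entries carrying the lowercase 'i' (dynamic) flag."""
    hits = []
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if m and "i" in m.group(5):
            hits.append((m.group(2), m.group(4)))
    return hits


if __name__ == "__main__":
    for net, gaps in audit_nat_shadowing(NAT_CONFIG).items():
        print(net, "shadowed by static" if not gaps else f"NOT covered: {gaps}")
    print("dynamic xlates in use:", dynamic_xlates(XLATE_DETAIL))
```

Feed it the full `show running-config nat` and `show running-config static` output instead of the constructed sample and the uncovered list is the set of networks to check before deleting the pool; an empty `dynamic_xlates` result on a busy box over time is the runtime confirmation Jon asked for.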
