ASA static command using a network instead of a host

ryan80 asked:
I was looking over the config of an ASA and saw a static command whose function I am not familiar with:

static (dmz,outside) 10.5.5.0 access-list nonat_dmz

where the access list nonat_dmz permits traffic from the DMZ network to all of the remote networks connected through an L2L VPN.

What exactly does this command do?
All traffic going from the DMZ to the remote network will be source NATed to 10.5.5.0, so the other side of the VPN tunnel will see traffic coming from the 10.5.5.0 network rather than the actual DMZ network.
Senior infrastructure engineer, Top Expert 2012, commented:
This is called policy-based source/destination NAT.

What happens here is that traffic from the DMZ network is source NATed to a 10.5.5.x address, but only for the destination(s) defined in the access list.

So let's say the DMZ is 192.168.2.0 and you want to source NAT when traffic goes to the remote network 10.4.4.0; then the access list would be:
access-list nonat_dmz permit ip 192.168.2.0 255.255.255.0 10.4.4.0 255.255.255.0
in combination with:
static (dmz,outside) 10.5.5.0 access-list nonat_dmz

This would mean that traffic from the DMZ to the 10.4.4.0 network will be source NATed, so that to the 10.4.4.0 network it seems the traffic came from the 10.5.5.0 network.
Traffic from the DMZ to any other network will still have 192.168.2.0 as its source address for the destination network.

Hope I am making sense to you (still a techie, not really a teacher :)
On this ASA, the 10.5.5.0 network is the DMZ network. So basically it should be exempt from NATting when going to the networks defined by the access list?

Also, when using this command, will it be a NAT that keeps the same host bits? For example, let's just say the DMZ was actually 10.6.6.0. So if traffic coming from 10.6.6.100 was sent to those networks defined in the ACL, would they see the traffic coming from 10.5.5.100? The question is whether the .100 would be the same for the originating address and the NATed address.
Ernie Beek, Senior infrastructure engineer, Top Expert 2012, commented:
Yes, both your assumptions are correct :)
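As an added illustration, not part of the original thread and not Cisco code, the following Python models what the pre-8.3 `static (real_ifc,mapped_ifc) <mapped_net> access-list <acl>` form does to a packet's source address. It covers Ernie Beek's 192.168.2.0 example as well as both of ryan80's follow-up questions: the identity case where the mapped network is the DMZ itself, and whether the host bits (.100) are preserved. The ACL entries, the remote networks 10.4.4.0/24 and 10.7.7.0/24, and the rule that the mapped network takes its mask from the matching ACE's source entry are assumptions of this model, not configuration from the page; the model also ignores any other nat/global/static rules a real ASA would fall through to for unmatched traffic.

```python
import ipaddress

# Constructed ACL in the shape of the thread's nonat_dmz list: first-match,
# each entry is (action, real source network, destination network).
# 192.168.2.0/24 is the DMZ from Ernie Beek's example; 10.4.4.0/24 and
# 10.7.7.0/24 stand in for the remote L2L VPN networks (assumed values).
ACL_NONAT_DMZ = [
    ("permit", "192.168.2.0/24", "10.4.4.0/24"),
    ("permit", "192.168.2.0/24", "10.7.7.0/24"),
]


def acl_match(acl, src, dst):
    """Return the first ACE whose source/destination cover src/dst, else None.

    Like an ASA ACL, evaluation stops at the first match, so a deny placed
    above a permit shadows it.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action, src_net, dst_net
    return None


def policy_static_nat(mapped_net, acl, src, dst):
    """Emulate `static (real_ifc,mapped_ifc) <mapped_net> access-list <acl>`.

    Returns the source address the destination side sees. Assumptions of this
    model (not taken from the page):
    - the translation is a one-to-one network mapping, so the host bits of
      src are kept and only the network bits are rewritten;
    - the mask for mapped_net is taken from the matching ACE's source network
      (the ACE source is the real network being translated);
    - traffic that matches no permit entry is returned untranslated here; on a
      real ASA it would fall through to whatever other NAT rules exist, which
      this model does not represent.
    """
    match = acl_match(acl, src, dst)
    if match is None or match[0] != "permit":
        return str(ipaddress.ip_address(src))
    real_net = ipaddress.ip_network(match[1])
    mapped = ipaddress.ip_network(f"{mapped_net}/{real_net.prefixlen}", strict=False)
    host_bits = int(ipaddress.ip_address(src)) & int(real_net.hostmask)
    return str(ipaddress.ip_address(int(mapped.network_address) | host_bits))


def is_identity_nat(mapped_net, acl, src, dst):
    """True when the rule matches but leaves src unchanged (mapped == real).

    This is the case on ryan80's ASA, where 10.5.5.0 is the DMZ itself: the
    policy static then behaves like a NAT exemption for the ACL's destinations.
    """
    match = acl_match(acl, src, dst)
    if match is None or match[0] != "permit":
        return False
    return policy_static_nat(mapped_net, acl, src, dst) == str(ipaddress.ip_address(src))


if __name__ == "__main__":
    # Ernie Beek's example: DMZ 192.168.2.0/24 mapped to 10.5.5.0 toward 10.4.4.0/24.
    print(policy_static_nat("10.5.5.0", ACL_NONAT_DMZ, "192.168.2.100", "10.4.4.10"))  # 10.5.5.100
    # Same source toward a destination not in the ACL: untouched by this rule.
    print(policy_static_nat("10.5.5.0", ACL_NONAT_DMZ, "192.168.2.100", "203.0.113.5"))  # 192.168.2.100
    # ryan80's hypothetical: DMZ 10.6.6.0/24, host .100 is kept as .100.
    acl_6 = [("permit", "10.6.6.0/24", "10.4.4.0/24")]
    print(policy_static_nat("10.5.5.0", acl_6, "10.6.6.100", "10.4.4.10"))  # 10.5.5.100
    # ryan80's actual ASA: the DMZ is 10.5.5.0/24 itself, so the rule is identity NAT.
    acl_identity = [("permit", "10.5.5.0/24", "10.4.4.0/24")]
    print(is_identity_nat("10.5.5.0", acl_identity, "10.5.5.100", "10.4.4.10"))  # True
```

Two practical notes: because the host bits are carried over one-to-one, the mapped network must be the same size as the real network in the ACL, or addresses will collide or be unreachable; and this is the pre-8.3 `static` syntax, which the thread is about, so the 8.3+ object NAT form is not modeled here.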
