static xlation and "reverse static xlation"

Status
Not open for further replies.

DarkestClown

Technical User
Feb 18, 2003
3
0
0
US
Scenario is we have an ASA firewall.



I'm looking at the configs and it is weird and I wanted your opinion about this…

Static (lab, dallas) 10.1.10.10 10.1.10.10 netmask 255.255.255.255

Static (dallas, lab) 10.1.10.10 10.1.10.10 netmask 255.255.255.255

Now if the interface for “lab” has a security of 25 and the interface for “dallas” has a security of 20… why would there be a need of the reverse (lab, dallas) – (dallas, lab) translations?



The syntax, from my understanding, is static (nameif_prenat, nameif_postnat) global_ip local_ip netmask

I understand it as treating it as an inside, outside issue… but why would you ever need (outside, inside) designation? Isn't it already implicit that there is a nat 0 statement when you create one but not the reverse?

Also, would there ever be a reason why they would do it this way? So for example… using this same scenario… if a device from "lab" wants to create a session with the "dallas" interface… it can with no problem. But, what if "dallas" wants to create interesting traffic into "lab?" Other than having the right acl and xlations in place… do we need to have that “reverse” xlate static statement?
 