Static NAT



joeb
01-14-2010, 07:44 PM
So, I just transferred to a NETSEC position and have to wade through a lot of stuff I know little about - I am reading a lot and looking at ASA configs, but something is really puzzling me.

I have an ASA 5510 with 3 VLANS and an outside interface, which I get. What I don't get is this static NAT config:

static (VLAN2,VLAN3_DMZ) 10.152.97.8 10.152.97.8 netmask 255.255.255.255

VLAN2 is sec20 and VLAN3_DMZ is sec40

What is accomplished/gained by this?

Thanks in advance!

trueccnp
01-14-2010, 07:45 PM
Typically static NAT statements are written to allow inbound access to a particular device from a lower security interface to a higher security interface. However, they can be used to establish any one-to-one NAT you want, this would be a good example.

Think of a static in the following formula static (real_interface,mapped_interface) mapped_IP real_IP. With that in mind, we can pick apart the NAT statement you've got like this:

The interface on which the real host resides: VLAN2
The interface which holds the mapped address: VLAN3_DMZ
The real IP of the host: 10.152.97.8
The mapped IP of the host: 10.152.97.8

As you can see the mapped IP and the real IP are the same, which makes this what's called an identity NAT; in other words, a way of letting traffic pass through the ASA un-NATed, but since the ASA has a strong desire to NAT all traffic, a configuration change must be made to allow it, enter identity NAT. So what this particular NAT statement does is presents 10.152.97.8 to the VLAN3_DMZ interface by the same IP address. There are a number of reasons somebody would do something like this, and they're all very specific to the particular configuration at hand. If you can't figure out why, go ahead and post the whole config and I'll see if I can point out why it's necessary.
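As an added example (not part of either post above), here is a small Python parser for the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]` form broken down in the reply; it flags a line as identity NAT when the real and mapped networks are the same. Only the plain IP form is handled (port and policy statics raise an error), and every sample line except the one from the question is constructed.

```python
import ipaddress
import re

# Classic (pre-8.3) ASA static form discussed in the thread:
#   static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
# Port-based (tcp/udp) and policy-NAT variants are not handled.
STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_ifc>[^,()\s]+),(?P<mapped_ifc>[^,()\s]+)\)\s+"
    r"(?P<mapped_ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<real_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+netmask\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s+.*)?$"
)

def parse_static(line):
    """Break one static line into its parts; raise ValueError if unsupported."""
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError("unsupported or malformed static statement: %r" % line)
    # Assumption: a missing netmask means a single-host (/32) static.
    mask = m.group("mask") or "255.255.255.255"
    real_net = ipaddress.ip_network("%s/%s" % (m.group("real_ip"), mask), strict=False)
    mapped_net = ipaddress.ip_network("%s/%s" % (m.group("mapped_ip"), mask), strict=False)
    return {
        "real_interface": m.group("real_ifc"),     # where the real host lives
        "mapped_interface": m.group("mapped_ifc"), # where the mapped address is seen
        "real": str(real_net),
        "mapped": str(mapped_net),
        "identity": real_net == mapped_net,        # same address both sides = identity NAT
    }

def describe(line):
    """One-line explanation in the terms used in the reply above."""
    p = parse_static(line)
    if p["identity"]:
        return ("identity NAT: %s on %s is presented to %s with its own address"
                % (p["real"], p["real_interface"], p["mapped_interface"]))
    return ("static NAT: %s on %s appears as %s on %s"
            % (p["real"], p["real_interface"], p["mapped"], p["mapped_interface"]))

# Constructed sample: the thread's line plus two made-up entries.
SAMPLE_CONFIG = """\
static (VLAN2,VLAN3_DMZ) 10.152.97.8 10.152.97.8 netmask 255.255.255.255
static (VLAN3_DMZ,outside) 203.0.113.10 10.152.97.8 netmask 255.255.255.255
static (VLAN2,outside) 203.0.113.0 10.152.96.0 netmask 255.255.255.0
"""

if __name__ == "__main__":
    for cfg_line in SAMPLE_CONFIG.splitlines():
        print(describe(cfg_line))
```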