topic Should I use static route toward to null0 if I using dynamic PAT in this scenario？ in Network Security

Should I use static route toward to null0 if I using dynamic PAT in this scenario？

Hele Du — Tue, 12 Mar 2019 06:55:45 GMT

Hi All,

Could anyone can resolve my confusing?

I am considering the dynamic PAT, if the PAT addresses isn`t in a same subnets as outside interface address in ASA , I must advertise a static route which toward to ASA on upstream router, right?

In general, if the client on outside access the PAT addresses occasionally. The upstream router will forward package to ASA. If there is a default route on ASA , also ASA don`t have a connection , then the ASA will forward package backto upstream router. This will cause a package TLL expiration. There will cause a potentially issue if attacker try to attacking these PAT addresses.

Should I use the static route with null0 to aviod the loop between upstream router and ASA ?

Hi,

Vibhor Amrodia — Sun, 22 Nov 2015 07:31:34 GMT

Hi,

In this case you need to check two things:-

1) Enable "

arp permit-nonconnected on the ASA device

If you are running 8.4.5 and above

2) The easiest way would be to add the ARP for this IP on the router or static route and that should resolve this issue.

Note:- Refer to this article for more information:-

https://supportforums.cisco.com/blog/149276

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

Hele Du — Mon, 23 Nov 2015 13:07:59 GMT

Hi Vibhor,

Thank you for you responding.

Actually, the upstream router has advertised a static route which toward to ASA outside interface.

I think the upstream router will forward the package to ASA.

What does the ASA will doing if it has receive a package not in explicit routing table but have a PAT configuration ?

Hi Hele,

Akshay Rastogi — Sat, 28 Nov 2015 16:37:09 GMT

Hi Hele,

It would drop the packet as it is a Dynamic PAt(unidirectional). It would not send the packet back to Upstream router because that Destination IP is configured as PAT on ASA and ASA need to forward the traffic to the internal device(to whomsoever it concern). However as it is a Dynamic PAT/Unidirectional, it would drop it.

Hope it answers your query.

Regards,

Akshay Rastogi

Remember to rate the helpful posts.

Hi Akshay,

Hele Du — Mon, 30 Nov 2015 02:29:41 GMT

Hi Akshay, Thank you for your answer. This scenario will cause a package loop issue in other vendor， so we must set a static route toward null0. It is great for ASA, thanks again.

Hi Hele,

Akshay Rastogi — Mon, 30 Nov 2015 05:13:17 GMT

Hi Hele,

If a traffic is initiated form Outside host for Address which is dynamically natted on ASA, ASA would always drop the packet. If the destination ip is configured as mapped ip in static NAT statement, then atleast ASA would not send it back to your Router. It would send it to concerned real IP.

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli#MULTIPLE-SUBNETS

If the ISP has for example configure a new public subnet as a "secondary" network on their gateway interface AND you are using 8.4(3) software you will run into problems with connectivity of the hosts in the "secondary" network range. This is because of changes to ARP related behaviour. Basically the ASA will not populate ARP table with nonconnected networks.

(this would also hold your scenario as well if the mapped ip is not in the same subnet as your outside interface ip).

Your solution is either to ask the ISP to route the new subnet directly towards the ASA "outside" interface IP address OR you will have to upgrade the ASA to 8.4(4/5) software level and use the configuration command "arp permit-nonconnected"

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.