https://community.cisco.com/t5/network-security/asa-nat-when-not-on-interface-network/m-p/2447550#M268315 <P>We are trying to restructure our edge network. &nbsp;The ASA with NATs is currently on a natural /24, as is its upstream router. &nbsp;We are trying to change the ASA and router to reside on a /28 that is part of the existing /24. &nbsp;In so doing we have added routes to the router to send traffic for the NAT range to the ASA's new 'outside' IP:</P><P>Router IP: &nbsp; 10.10.10.226/28, HSRP IP 10.10.10.225</P><P>ASA IP: &nbsp; &nbsp; &nbsp; 10.10.10.228/28 stby 10.10.10.229</P><P>ip route 10.10.10.0 255.255.255.128 10.10.10.228 250 (High AD so as not to interfere with BGP later)</P><P>ip route 10.10.10.128 255.255.255.192 10.10.10.228 250 (High AD so as not to interfere with BGP later)</P><P>ASA NATs: &nbsp;10.10.10.11-.135</P><P>From the ASA configured this way, we can ping the router IP fine.</P><P>One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either.</P><P>&nbsp;</P><P>Should either of these methods work?</P><P>Thanks - Paul</P> Tue, 12 Mar 2019 03:56:41 GMT PAUL TRIVINO 2019-03-12T03:56:41Z https://community.cisco.com/t5/network-security/asa-nat-when-not-on-interface-network/m-p/2447550#M268315 <P>We are trying to restructure our edge network. &nbsp;The ASA with NATs is currently on a natural /24, as is its upstream router. &nbsp;We are trying to change the ASA and router to reside on a /28 that is part of the existing /24. &nbsp;In so doing we have added routes to the router to send traffic for the NAT range to the ASA's new 'outside' IP:</P><P>Router IP: &nbsp; 10.10.10.226/28, HSRP IP 10.10.10.225</P><P>ASA IP: &nbsp; &nbsp; &nbsp; 10.10.10.228/28 stby 10.10.10.229</P><P>ip route 10.10.10.0 255.255.255.128 10.10.10.228 250 (High AD so as not to interfere with BGP later)</P><P>ip route 10.10.10.128 255.255.255.192 10.10.10.228 250 (High AD so as not to interfere with BGP later)</P><P>ASA NATs: &nbsp;10.10.10.11-.135</P><P>From the ASA configured this way, we can ping the router IP fine.</P><P>One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either.</P><P>&nbsp;</P><P>Should either of these methods work?</P><P>Thanks - Paul</P> Tue, 12 Mar 2019 03:56:41 GMT https://community.cisco.com/t5/network-security/asa-nat-when-not-on-interface-network/m-p/2447550#M268315 PAUL TRIVINO 2019-03-12T03:56:41Z https://community.cisco.com/t5/network-security/asa-nat-when-not-on-interface-network/m-p/2447551#M268320 <P>Paul</P><P><EM>One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either</EM>.</P><P>Not sure i understand the above statement but in terms of what you originally tried then it should work as the ASA often handles IPs that are not assigned to an interface in terms of NAT.</P><P>Difficult to say why it didn't work. It is always a good idea to clear existing xlates and arp caches etc. but you may have done that anyway.</P><P>What exactly didn't work ?</P><P>Jon</P> Fri, 14 Mar 2014 12:50:52 GMT https://community.cisco.com/t5/network-security/asa-nat-when-not-on-interface-network/m-p/2447551#M268320 Jon Marshall 2014-03-14T12:50:52Z https://community.cisco.com/t5/network-security/asa-nat-when-not-on-interface-network/m-p/2447552#M268324 <P>Jon, we could ping from the ASA to the router IP and v.v., but could not ping from the router to any of the NAT IPs. &nbsp;We have a similar setup in another data center but the firewall there is not an ASA and so I'm not sure the same things will work (but as you say I can't think of why it would not work).</P><P>I am setting up a parallel system in which to test. &nbsp;Thanks for the response.</P> Fri, 14 Mar 2014 21:44:42 GMT https://community.cisco.com/t5/network-security/asa-nat-when-not-on-interface-network/m-p/2447552#M268324 PAUL TRIVINO 2014-03-14T21:44:42Z