topic Public Pool, 2 ASAs, Static NAT ... in Network Security

Public Pool, 2 ASAs, Static NAT ...

msunderland78 — Mon, 11 Mar 2019 23:16:39 GMT

I am looking for help on a mixture of Routing and Switching and Firewalling ...

So I have a router connected to the ISP ... the router is also connected to a switch. Into that switch I have pugged two ASAs. A 5505 and 5520.

I was given a /27 (255.255.255.224), 30 address block from the ISP. Let's say the last octet of the router is .1, the ASA#1 is .2, and ASA #2 is .3.

Now I wan't to use the rest of the addresses for Static NAT (the IP addresses are publically registered to their own domain names).

Can I use any of the rest of the addresses .4 through .30, on either ASA in Static NAT (1 to 1 translation)? Possibly even move them back and forth between ASAs?

How does the router know which as ASA it needs to forward the packet to if it is destined for .12 for example? Does the ASA send out an ARP message for each of its static addresses that it is using? They packets aren't broadcast to the subnet, are they?

Or is this a Layer 3 problem. Do I have to segment my /27 into two /28's on my router (requiring an additional interface and use of another IP address)?

I was trying to debate if I could possibly model this in GNS3.

PS the reason for doing this is for dissaster recovery, moving servers between racks without changing IP address scheme (the private addressing scheme behind each ASA is identical), etc.

Thanks so much for the help,

Matt

CCNP, CCDP, CCIP, ASA Specialist

Public Pool, 2 ASAs, Static NAT ...

Jennifer Halim — Fri, 08 Jun 2012 02:23:51 GMT

Can I use any of the rest of the addresses .4 through .30, on either ASA in Static NAT (1 to 1 translation)? Possibly even move them back and forth between ASAs?

--> YES you can

--> YES, the ASA will send out an ARP to tell the router that it has that particular static address

Or is this a Layer 3 problem. Do I have to segment my /27 into two /28's on my router (requiring an additional interface and use of another IP address)?

--> NO, you don't have to segment the /27 into /28

Public Pool, 2 ASAs, Static NAT ...

msunderland78 — Fri, 08 Jun 2012 15:16:55 GMT

Thanks Jennifer,

That is exactly what I was looking for.

We figured out while we had partially disabled the Static NAT addresses we were translating, we had not fully disabled them on the first of the two ASAs. So when we tried to the use them on the second, the switch still thought the first had the address (since it did). The minute we fully disabled it, the CAM table updated ... and whalla, it began working correctly on the second ASA.

It is good to know Static NAT resolves via ARP. I had a hard time finding any good documentation on Static NAT ARP resolution. Does such a thing exsist? Maybe it is just in the RFC.

THANKS AGAIN!

Public Pool, 2 ASAs, Static NAT ...

Jennifer Halim — Fri, 08 Jun 2012 15:24:00 GMT

Good to know all is working. Thanks for the update.

Here is what you are looking for

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975