Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1023
Views
0
Helpful
3
Replies

Advertising Pulic subnets that will be use by NAT using OSPF

rdotson
Level 1
Level 1

‎05-28-2013 01:11 PM - edited ‎03-11-2019 06:50 PM

ASA 5585-x10, ver 9.1

I have about 10 public subnets that will be used for NAT translation on the ouside interface.  These subnets are different from the subnet the outside interface.

Is there a way to advertise these routes using OSPF from the ASA? 

I tried to redistribute a static route, but can't make the destination router an interface that is on the ASA.

I  don't own or control the upstream router.

2 people had this problem
Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎05-28-2013 11:02 PM

Hello,

I think I received one query from one customer just like this some time ago...

He was running another version but the point was the same,

The thing is that in order to use the network command you must have an interface with the IP address in place but in this case we do not have it.

If U use a redistribute command making reference to a static route it would not make sense because were would U pointing to anyway,

So I would not know about a way to advertise a pool of IP addresses not being used by a specific interface or host.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

MARK BAKER
Level 4
Level 4

‎10-21-2014 04:34 PM

Rdotson,

Did you ever find the answer to this question? I see the below from 8.2 and earlier, but haven't been able to find the same wording for 8.3 and newer. I am going to be setting up ASA clustering which doesn't support proxy-arp, so I am hoping this still applies for 8.3 and newer.

Addresses on a unique network.

If you need more addresses than are available on the mapped interface network, you can identify addresses on a different subnet. The ASA uses proxy ARP to answer any requests for mapped addresses, and thus intercepts traffic destined for a real address. If you use OSPF, and you advertise routes on the mapped interface, then the ASA advertises the mapped addresses. If the mapped interface is passive (not advertising routes) or you are using static routing, then you need to add a static route on the upstream router that sends traffic destined for the mapped addresses to the ASA.

 

0 Helpful

MARK BAKER
Level 4
Level 4
In response to MARK BAKER

‎10-21-2014 04:57 PM

I found this paragraph on a different document. It has a little more information than the first one I posted and sounds like what some were doing prior to version 8.3 that doesn't work anymore.

Addresses on a unique network.

If you need more addresses than are available on the mapped interface network, you can identify addresses on a different subnet. The ASA uses proxy ARP to answer any requests for mapped addresses, and thus it intercepts traffic destined for a real address. If you use OSPF to advertise mapped IP addresses that belong to a different subnet from the mapped interface, you need to create a static route to the mapped addresses that are destined to the mapped interface IP, and then redistribute this static route in OSPF. If the mapped interface is passive (not advertising routes) or you are using static routing, then you need to add a static route on the upstream router that sends traffic destined for the mapped addresses to the ASA.

 

The first paragraph I listed made it sound like it was automatic. This one shows that you have to redistribute static routes and it doesn't appear this works with 8.3 and newer.

 

Sorry for continuing an old thread, but poor cisco documentation has gotten me once again in the reason weeks.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card