10-21-2014 06:25 PM - edited 03-11-2019 09:58 PM
I've been trying to find a way to have an ASA advertise static and dynamic NAT through a dynamic routing protocol without luck. There appeared to be a way to use static routes along with NAT to do it with 8.2 and earlier, but I don't think that works anymore. I am setting up ASA clustering, so proxy-arp is no longer an option.
The goal is to have the ability to configure NAT on a tenant ASA context (self-service long-term goal) and have it advertised into a dynamic routing protocol without any other configuration, like creating a static route each time you configure a NAT mapping. The tenant contexts would have an outside interface on a shared public IP subnet that is different from the public NAT IPs that can be used by any of the tenants. Pre-allocating NAT IPs to each tenant and pre-routing the range would be wasteful, as we don't know how many IPs each tenant would require now or in the future.
Since the ASA can't do proxy-arp while clustering in individual-interface mode at least, it would be nice to be able to inject mapped IPs into a dynamic routing protocol, as can be done with the 'add-route' keyword on IOS devices. Does anyone know if this is on the road map for the ASA?
Thank you,
Mark
03-09-2018 07:29 AM
Did you ever find a way to do this?
03-12-2018 08:03 AM
Probably not, although I am not sure what he was actually chasing here.
He did mention the old 8.2 way and the IOS way, but neither had "dynamic routing" support for NAT.
So what is actually the request here?
03-13-2018 09:41 AM
Here's a post I made with a similar question (before I found this post).
Basically, we're moving from an old cluster to a new cluster. For us, I'd like to dynamically advertise each individual S2S NAT space as the tunnels come up, so that more specific routes can take precedence and we don't have to make manual routing changes as the endpoints re-configure their connections.
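The migration plan in the post above relies on ordinary longest-prefix-match route selection: as long as the old cluster keeps advertising the whole NAT aggregate, a more specific /32 announced by the new cluster wins for that one peer, and withdrawing it falls traffic back to the aggregate. The following is an added example, not code from the thread or from Cisco: a minimal routing table model that shows that behaviour. The cluster names, the 203.0.113.0/24 aggregate and the 203.0.113.17/32 peer address are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network, ip_address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str        # constructed label for the advertising cluster/peer
    admin_distance: int  # lower wins when prefix lengths tie


class Rib:
    """Minimal RIB: longest prefix match first, then lowest admin distance."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, next_hop: str, admin_distance: int = 110) -> None:
        self.routes.append(Route(ip_network(prefix), next_hop, admin_distance))

    def withdraw(self, prefix: str, next_hop: str) -> None:
        net = ip_network(prefix)
        self.routes = [r for r in self.routes
                       if not (r.prefix == net and r.next_hop == next_hop)]

    def lookup(self, dst: str) -> Optional[str]:
        addr = ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        # Prefer the longest prefix; on a tie prefer the lowest admin distance.
        best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))
        return best.next_hop


def migration_demo():
    """Walk through one peer's cut-over and return the three lookups."""
    rib = Rib()
    # Constructed: the old cluster keeps advertising the whole NAT aggregate.
    rib.add("203.0.113.0/24", "old-cluster")
    # Constructed: the new cluster advertises one S2S peer's NAT /32 once its tunnel is up.
    rib.add("203.0.113.17/32", "new-cluster")
    migrated = rib.lookup("203.0.113.17")    # the /32 wins over the /24
    untouched = rib.lookup("203.0.113.18")   # other peers still go to the old cluster
    # The tunnel drops and the /32 is withdrawn: traffic falls back to the aggregate.
    rib.withdraw("203.0.113.17/32", "new-cluster")
    fallen_back = rib.lookup("203.0.113.17")
    return migrated, untouched, fallen_back


if __name__ == "__main__":
    print(migration_demo())
```

The model deliberately ignores metrics within one protocol; the point is only that prefix length is compared before anything else, which is why per-peer /32 (or per-pool) advertisements let the cut-over happen one tunnel at a time without touching the upstream routers' static configuration.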
03-14-2018 04:57 AM
I am aiming to P level on Security as we speak, but I don't think what you need is possible on the ASA.
Had you used VTIs, that's another story, but on the old policy mode that the ASA employs for VPNs, I see no ideas.
What I can think of is EEM, but the effort for creating the script might get close to just migrating one tunnel at a time.