02-11-2008 09:05 PM - edited 03-11-2019 05:01 AM
Hi all
Hope someone here can help me out.
I have a scenario where I have an ASA with 3 interfaces (its actually 8 but I have simplified this to 3).
Outside 192.168.0.250/24
DMZ1 192.168.1.250/24
DMZ2 192.168.2.250/24
All 3 interfaces are privately addressed, and OSPF is running on the outside interface.
The servers in both DMZ1 and DMZ2 are statically NAT'd to the outside interface using a single public subnet (e.g. 123.123.123.0/24).
What I want to achieve is to have the ASA advertise the external subnet 123.123.123.0/24 into the OSPF process on the outside interface.
I have found that if I add a route for 123.123.123.0/24 to any IP address in DMZ1, then re-distribute that static into OSPF, the other OSPF routers can see the route, which is what I am trying to achieve. I do not have access to the other routers, so advertising them into OSPF is my only option.
So when the ASA receives a packet for 123.123.123.x it un-nats it and if the un-nat'd address is in DMZ1 it works, and if it is in DMZ2, it doesn't work.
Is there any way of doing this, as the DMZ devices which use this external range are spread across multiple DMZ interfaces?
Dale
02-12-2008 06:05 AM
Hi,
So if I understand this correctly:
Outside is 192.168.0.254/24
DMZ1 > NAT source IP to 123.123.123.0/24
Are there any ACLs preventing DMZ2 from being visible?
This doc may be helpful:
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Or, what if DMZ2 was NATed to a different IP range, and that range is advertised into OSPF?
Not sure how helpful this may be...
Cheers
02-13-2008 05:19 PM
OK, figured it out with some help from our Cisco contact.
Allocated the address 123.123.123.1/32 to be reserved for "routing purposes".
### Added the following route so that there is a host route in the routing tables for an address in the /24 subnet ###
route DMZ1 123.123.123.1 255.255.255.255 192.168.1.250
### Redistributed the host route into OSPF (the ACL must match the same host as the static route) ###
access-list REDIS-STATICS-ACL standard permit host 123.123.123.1
route-map REDIS-STATICS permit 10
 match ip address REDIS-STATICS-ACL
router ospf 2
 redistribute static subnets route-map REDIS-STATICS
### Under the OSPF config, added a summary address covering the host route ###
router ospf 2
 summary-address 123.123.123.0 255.255.255.0
So what this does is redistribute the static host route into OSPF, and because this host route is within the summary-address range, OSPF only advertises the summary address, which is what I was after.
I have to remember that the ASA's are becoming more and more like routers.
Thanks for your suggestion
Dale
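As an added example (not from the thread, and not Cisco tooling), here is a small Python check that parses the three pieces of the configuration above and confirms that the host route is permitted by the route-map's ACL and covered by an OSPF summary-address, so only the summary prefix is advertised; it also flags an ACL host entry that does not match the route. The configuration text is constructed for this example.

```python
import ipaddress
import re

# Constructed sample of the three pieces of ASA configuration from the post.
ASA_CONFIG = """\
route DMZ1 123.123.123.1 255.255.255.255 192.168.1.250
access-list REDIS-STATICS-ACL standard permit host 123.123.123.1
route-map REDIS-STATICS permit 10
 match ip address REDIS-STATICS-ACL
router ospf 2
 redistribute static subnets route-map REDIS-STATICS
 summary-address 123.123.123.0 255.255.255.0
"""

ROUTE_RE = re.compile(r"^route\s+\S+\s+(\S+)\s+(\S+)\s+\S+")
# ASA standard ACLs take "host A.B.C.D" or "network netmask".
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+standard\s+permit\s+(?:host\s+(\S+)|(\S+)\s+(\S+))")
RMAP_MATCH_RE = re.compile(r"^\s*match ip address\s+(\S+)")
SUMMARY_RE = re.compile(r"^\s*summary-address\s+(\S+)\s+(\S+)")

def parse_config(text):
    """Collect static routes, ACL entries, route-map ACL references and summaries."""
    routes, acls, summaries, rmap_acls = [], {}, [], set()
    for line in text.splitlines():
        if m := ROUTE_RE.match(line):
            routes.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := ACL_RE.match(line):
            net = ipaddress.ip_network(f"{m[2]}/32" if m[2] else f"{m[3]}/{m[4]}")
            acls.setdefault(m[1], []).append(net)
        elif m := RMAP_MATCH_RE.match(line):
            rmap_acls.add(m[1])
        elif m := SUMMARY_RE.match(line):
            summaries.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    return routes, acls, summaries, rmap_acls

def check_advertisement(text):
    """Return (prefixes OSPF will advertise, list of problems found)."""
    routes, acls, summaries, rmap_acls = parse_config(text)
    advertised, problems = [], []
    for route in routes:
        # The route-map permits the route only if a referenced ACL entry covers it.
        matched = any(route.subnet_of(e) for n in rmap_acls for e in acls.get(n, []))
        if not matched:
            problems.append(f"{route} not permitted by the route-map ACL; not redistributed")
            continue
        covering = [s for s in summaries if route.subnet_of(s)]
        if covering:
            advertised.extend(s for s in covering if s not in advertised)
        else:
            problems.append(f"{route} redistributed as a host route; no summary-address covers it")
    return advertised, problems
```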