ASA NAT for non interface ips

cisco8887
Level 2

Hi Guys,

The ISP has given us two subnets, 1.1.1.0/28 and 2.2.2.0/28.

They are configured on the ISP router.

Our ASA is connected to the ISP router through an intermediate switch on the 1.1.1 range, with its IP being .2 and the ISP's .1.

I know the ASA can NAT and accept connections to 1.1.1.3 to .14 even though they are not assigned to any interface.

Can it do this for IPs not within its subnet, such as 2.2.2.0?

In other words, what do I need to do to get the ASA to work on a single interface with two IP ranges without trunking?

How do ISPs usually do this?

Many thanks


It depends on how this subnet is configured by the ISP.

  1. If the 2.2.2.0/28 is routed to your ASA address, then you don't have to do anything on the ASA. Just use the additional addresses in your NAT statements.
  2. If the ISP has configured this additional subnet as secondary addresses on his router, then you need to "allow" the ASA to use this network before the NAT statements will work:
asa(config)# arp permit-nonconnected

Many thanks. I thought that would be the case, as SonicWall allows a specific subnet to be passed through.

So I can do something like nat (outside,inside) 2.2.2.3 192.168.1.1 ?

And regarding the second case, I don't quite get the difference. Can you elaborate please?

The ISP has assigned the two ranges with a DG in each range, so suggesting all routing is done on the router, but I am interested to know what the other model is which involves the ASA doing the routing.

Would the ASA act as ARP proxy even though the IP isn't assigned to an interface by typing the command you suggested?

> so I can do something like nat (outside,inside ) 2.2.2.3 192.168.1.1 ?

Yes, but that's not the way the ASA is "thinking". In general NAT is seen as a source-NAT function. With that, your NAT would look like the following:

object network SERVER
 host 192.168.1.1
 nat (inside,outside) static 2.2.2.3

The difference between these two options is indeed how the ASA handles ARP:

  • If the second network is routed to the ASA, then there will be no ARP for the IP addresses in the new subnet. The ISP-router knows that all this traffic has to be forwarded to the ASA. The only ARP involved is for your ASA-address. The downside of this option is that the addresses of this new subnet can only be used by the ASA. You can't assign a single IP to a different device on the transfer network.
  • If the provider configures the network as secondary addresses
    interface gig 0/0
     description Link to Customer
     ip address 1.1.1.1 255.255.255.240
     ip address 2.2.2.1 255.255.255.240 secondary
    then the ISP-router needs to arp for every single address that is used. And that won't work by default on the ASA with recent versions.
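
Added example (not part of the reply above, not Cisco-supplied config): the complete ASA side for both scenarios the reply describes, using the same addresses as the thread. Assumed for illustration: ASA 8.3+ object NAT, an outside ACL named OUTSIDE_IN exposing TCP/443, a default route toward the ISP's 1.1.1.1, and 203.0.113.10 as a made-up Internet source for the packet-tracer check.

```cisco
! --- ASA side, common to both scenarios ---
! outside interface is 1.1.1.2/28, ISP router is 1.1.1.1 (from the thread)
route outside 0.0.0.0 0.0.0.0 1.1.1.1
!
! 8.3+ object NAT, as in the reply: 192.168.1.1 is published as 2.2.2.3
object network SERVER
 host 192.168.1.1
 nat (inside,outside) static 2.2.2.3
!
! 8.3+ ACLs match the REAL (untranslated) address, not 2.2.2.3
access-list OUTSIDE_IN extended permit tcp any object SERVER eq 443
access-group OUTSIDE_IN in interface outside
!
! --- Scenario 1: ISP routes 2.2.2.0/28 to the ASA ---
! Nothing more on the ASA. On the ISP router (not the ASA):
!   ip route 2.2.2.0 255.255.255.240 1.1.1.2
!
! --- Scenario 2: ISP puts 2.2.2.0/28 as a secondary on the shared link ---
! On the ISP router (not the ASA):
!   interface GigabitEthernet0/0
!    ip address 1.1.1.1 255.255.255.240
!    ip address 2.2.2.1 255.255.255.240 secondary
! The router now ARPs for 2.2.2.3 with sender 2.2.2.1, which is NOT on the ASA's
! connected 1.1.1.0/28. Since 8.4(5)/9.0(1) the ASA only answers ARP for mapped
! addresses outside its connected subnet when this is enabled:
arp permit-nonconnected
!
! --- Verification (both scenarios) ---
show nat detail
show arp
packet-tracer input outside tcp 203.0.113.10 40000 2.2.2.3 443
```

In the packet-tracer output the UN-NAT phase should rewrite 2.2.2.3 to 192.168.1.1 and the final action should be ALLOW. In scenario 2, if `show arp` on the ISP router shows 2.2.2.3 as incomplete, the ASA is missing `arp permit-nonconnected`; in scenario 1 the router never ARPs for 2.2.2.3 at all, only for 1.1.1.2.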

Very interesting, so the ASA always sees the source NAT (internal source) as the important object and NATs based on that?

If all traffic was to be routed to the ASA, would the ISP achieve this by a static route to the ASA? I think this will work as it is not seen as locally connected!

Regarding the secondary IP, why wouldn't this work? The ISP ARPs and the ASA responds after the command you suggested is entered.

> If all traffic was to be routed to ASA, would isp achieve this by a static route to asa?
> I think this will work as it is not seen as locally connected !

right, the ISP-router just needs a static route to your ASA.

> regarding secondary ip, why wouldn't this work ? ISP arps and asa responds after the
> command you suggested is inputted

Yes, it will work (and is a quite common setup), but not by default. If you miss the mentioned command it won't.

Brilliant.

Another question:

If one has three subnets from the ISP on ethernet 0/0, how is that possible?

If using the method of primary and secondary IP on the ISP router, then you have two ranges.

How do you configure the third range?

If not using the option of secondary IP, how could an ISP assign three ranges to a single interface, all of them having a default gateway?

Can you confirm that my thoughts on how the packet flow will be are correct:

From the Internet a packet is sent to 2.2.2.5, which is received by the ISP router. The ISP router communicates with the ASA using 1.1.1.1 (ISP) and 1.1.1.2 (ASA). The packet is routed and sent to the ASA on 1.1.1.2 with a destination address of 2.2.2.5.

The ASA looks in the NAT table and forwards it.

The reverse is:

The packet is received by the ASA, the ASA changes the source IP to 2.2.2.5 and forwards it to 1.1.1.1. The ISP router receives it and does the routing from there.

You can configure multiple secondary addresses on one interface.

The mentioned packet-flow is correct for the scenario where the ISP routes that new subnet to the customer. BTW: It doesn't have to be NAT that uses the new network. The customer could also route it to somewhere else in his network or use it as a DMZ with public IP addresses. That is sometimes needed for example for some videoconference equipment that behaves oddly with NAT.

Got you.

In that case it will be something like

nat (dmz,outside) 2.2.2.3 2.2.2.3

No, it's even easier. If you have public addresses on a DMZ, then you just don't configure any nat rule for that interface. If there is no nat-rule, then the ASA will route that traffic. With a higher security-level on the DMZ, you still need access-control configured on the outside interface.

Hmm, so how does the ASA know about it, a static route?

Configured on an interface, or a static route if the network is behind an extra L3-switch or router. But that's not specific to the ASA. That's purely how a Layer 3 device operates.
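
Added example (not part of the reply above, not Cisco-supplied config): the public-IP DMZ variant just described, where 2.2.2.0/28 lives on a DMZ interface and is routed rather than translated. Assumed for illustration: GigabitEthernet0/2 as the DMZ interface with the ASA taking 2.2.2.1, a videoconference host at 2.2.2.5 needing TCP/443 and a made-up UDP media range 5000-5100, an inside LAN of 192.168.1.0/24 behind PAT, and 203.0.113.10 as a made-up Internet source for the check.

```cisco
! --- ASA: the DMZ interface owns 2.2.2.1; hosts use 2.2.2.2-.14 directly ---
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 2.2.2.1 255.255.255.240
!
! Default route toward the ISP, outside is still 1.1.1.2/28
route outside 0.0.0.0 0.0.0.0 1.1.1.1
!
! No (dmz,outside) NAT rule at all: with no matching rule the ASA just routes.
! Keep the inside PAT scoped to (inside,outside); an (any,outside) rule would
! silently translate the DMZ hosts too and defeat the whole setup.
object network INSIDE_LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inbound still needs an ACL because outside (0) is lower than dmz (50)
object network VC_SYSTEM
 host 2.2.2.5
access-list OUTSIDE_IN extended permit tcp any object VC_SYSTEM eq 443
access-list OUTSIDE_IN extended permit udp any object VC_SYSTEM range 5000 5100
access-group OUTSIDE_IN in interface outside
!
! --- ISP router (not the ASA): the /28 is no longer on the shared link, so it
! must be routed to the ASA; the secondary-address model cannot be used here ---
!   ip route 2.2.2.0 255.255.255.240 1.1.1.2
!
! --- Check: expect ROUTE-LOOKUP to dmz, an ACCESS-LIST phase, and no NAT phase ---
packet-tracer input outside tcp 203.0.113.10 40000 2.2.2.5 443
show route
```

This also answers the worry about address overlap: the ASA's DMZ interface takes one address of the /28 (2.2.2.1 here) and the servers take the others, exactly as on any routed LAN segment, so nothing on the DMZ shares an IP with the firewall.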

I know I am asking too many questions and you are patient :)

I am a very detail-oriented person, hence why I am trying to understand.

What you said makes sense now, but when you say configured on an interface, I believe this is not possible as the ASA interface and DMZ machine will have the same IP. This is if I understood you correctly.

I know one can do PBR on 9.3 and higher, so that is a possibility.
