Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
551
Views
0
Helpful
2
Replies

ASA NAT when not on interface network

Go to solution
PAUL TRIVINO
Level 3
Level 3

‎03-13-2014 09:24 PM - edited ‎03-11-2019 08:56 PM

We are trying to restructure our edge network.  The ASA with NATs is currently on a natural /24, as is its upstream router.  We are trying to change the ASA and router to reside on a /28 that is part of the existing /24.  In so doing we have added routes to the router to send traffic for the NAT range to the ASA's new 'outside' IP:

Router IP:   10.10.10.226/28, HSRP IP 10.10.10.225

ASA IP:       10.10.10.228/28 stby 10.10.10.229

ip route 10.10.10.0 255.255.255.128 10.10.10.228 250 (High AD so as not to interfere with BGP later)

ip route 10.10.10.128 255.255.255.192 10.10.10.228 250 (High AD so as not to interfere with BGP later)

ASA NATs:  10.10.10.11-.135

From the ASA configured this way, we can ping the router IP fine.

One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either.

 

Should either of these methods work?

Thanks - Paul

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-14-2014 05:50 AM

Paul

One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either.

Not sure i understand the above statement but in terms of what you originally tried then it should work as the ASA often handles IPs that are not assigned to an interface in terms of NAT.

Difficult to say why it didn't work. It is always a good idea to clear existing xlates and arp caches etc. but you may have done that anyway.

What exactly didn't work ?

Jon

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-14-2014 05:50 AM

Paul

One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either.

Not sure i understand the above statement but in terms of what you originally tried then it should work as the ASA often handles IPs that are not assigned to an interface in terms of NAT.

Difficult to say why it didn't work. It is always a good idea to clear existing xlates and arp caches etc. but you may have done that anyway.

What exactly didn't work ?

Jon

0 Helpful

Go to solution
PAUL TRIVINO
Level 3
Level 3
In response to Jon Marshall

‎03-14-2014 02:44 PM

Jon, we could ping from the ASA to the router IP and v.v., but could not ping from the router to any of the NAT IPs.  We have a similar setup in another data center but the firewall there is not an ASA and so I'm not sure the same things will work (but as you say I can't think of why it would not work).

I am setting up a parallel system in which to test.  Thanks for the response.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card