03-25-2014 05:50 PM - edited 03-11-2019 08:59 PM
Hi
I have a class C 1.2.3.0/24 that I have on the internet side of my ASA 5520.
Currently I use object NAT to translate 1.2.3.x to inside addresses like 10.10.24.x.
I want to route one of these addresses inside now, so:
1.2.3.10 is NATed to 10.10.10.24
1.2.3.11 is to be routed inside via the route table.
So can I set up an identity NAT (can I do that with object NAT)?
Will this reply to ARP requests on the outside? So the ASA will ARP reply for 1.2.3.10 in the above example; will it also ARP reply to 1.2.3.11?
ta
Alex
03-25-2014 07:53 PM
Hi Alex,
What you are wanting to do is not possible in routed mode. Identity NAT would not work. You would have to assign 1.2.3.11 to a device behind the firewall, but it would not be able to communicate with anything because it won't have a default gateway on the same subnet. Even if you could allocate a block (say a /30) from the class C subnet, the traffic would never get there, as the firewall would think those IPs are on the outside interface.
What you could potentially do, and I would definitely not recommend this, is to use a second context in transparent mode and pass that subnet through the transparent context. That configuration would get very confusing and makes supporting the network much more difficult.
May I ask, what is driving the need to have that IP assigned directly to a device behind the firewall?
Regards,
Mike
03-25-2014 07:58 PM
Hmm
Interesting, I already have this setup. I have a /32 on a loopback interface on an internal router/NAT box; internally I am using OSPF to propagate the route... As it's a /32, it's that address that is being routed and not the whole subnet.
I am doing my NAT closer to where I need it and not on the outside firewall (ASA 5520).
From my reading of the NAT stuff on the ASA, identity NAT will force the ASA to stop looking at any other NAT rules and drop down into the routing table.
My concern is I don't really have a test bed, so I was hoping to see if anyone has done the same thing.
Which basically is: some of the /24 is object NATed and some is identity object NATed.
03-25-2014 08:39 PM
Remember, the ASA is not a router, and due to built in security features, a lot of the tricks you can use on a router will not work on the ASA. Since it has a /24 assigned to the outside interface, it will not allow a slice of that to be routed to another interface.
Regards,
Mike
03-25-2014 08:50 PM
Hmm
Well, currently it is my default GW for a lot of my networks; it used to be the DGW for all, but I am moving internal/core stuff off it.
So I agree it's not sold as a router, but it definitely does route.
So from my reading what I am planning is actually possible; again I could be wrong. I will wait and see if anyone else can add to this, or until I get some time to try it.
If you check out the NAT identity examples they say you can, but the examples don't include object NAT and object identity NAT:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/nat_overview.html#wp1102289
under identity NAT, but it's not 100% clear for my scenario.
Thanks for your input.
EDIT:
Note the /32 is nothing special; I believe it is Cisco best practice for router IDs... This is assigning a /32 to a loopback address and advertising it via a routing protocol.
04-05-2014 04:05 AM
I thought I would follow up just in case there are others out there who would like to do this.
I did find another name for it apart from identity NAT, ... NAT exemption.
So basically what I want the ASA to do on an external interface with a publicly routable /24
So now I have the ASA on 1 interface:
*) with an IP address assigned to the interface
*) ARP replying for object NAT
*) ARP replying for identity NAT, and it is using the routing table, not the assigned interface! (This covered it: https://supportforums.cisco.com/document/44566/asa-83-nat-exemption-example-basic-l2l-vpn-and-basic-ra-vpn)
The last one allows for some of the range to route internally!
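The setup the follow-up post describes, written out as an added example (not configuration from the thread or from Cisco's documentation): ASA 8.3+ object NAT on the outside interface, with public 1.2.3.10 translated to an inside host and 1.2.3.11 left as identity NAT so the ASA hands it to the routing table. The interface names, the object names, the next hop 10.10.0.1 and the static route are assumptions (the thread learns the /32 via OSPF instead), and the `route-lookup` keyword assumes ASA 8.4(2) or later.

```text
! Outside interface holds an address from the public /24 (constructed value).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.1 255.255.255.0
!
! Object NAT: public 1.2.3.10 is translated to inside host 10.10.10.24.
! The ASA proxy-ARPs for 1.2.3.10 on outside (default behaviour).
object network SRV-10-10-10-24
 host 10.10.10.24
 nat (inside,outside) static 1.2.3.10
!
! Identity NAT: 1.2.3.11 is mapped to itself, so no translation happens and
! the packet is forwarded by the routing table. Proxy ARP stays enabled
! (default) because the upstream router still resolves 1.2.3.11 to the ASA.
! route-lookup (8.4(2)+) picks the egress interface from the route lookup
! rather than from the (inside,outside) pair named in the rule.
object network PUBLIC-1-2-3-11
 host 1.2.3.11
 nat (inside,outside) static 1.2.3.11 route-lookup
!
! The /32 is more specific than the connected /24 on outside, so longest
! match sends it to the internal router that owns it on a loopback.
! Assumed next hop; the thread advertises this /32 with OSPF instead.
route inside 1.2.3.11 255.255.255.255 10.10.0.1 1
!
! Checks after applying: which mapped addresses the ASA answers ARP for,
! which NAT rule each flow hits, and that a packet to 1.2.3.11 arriving on
! outside leaves via inside (source address below is a constructed value).
! show nat detail
! show route 1.2.3.11
! packet-tracer input outside tcp 198.51.100.5 12345 1.2.3.11 443
```

The packet-tracer output should show the identity NAT rule matched with no address change and an inside egress interface; if it instead reports the flow as outside-to-outside, the route or the identity rule is not in effect.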