NAT and NONAT configuration on ASA

jroy777
Level 1

Would this be a legitimate NAT statement on the ASA if I have a router in parallel with the ASA on the same inside subnet? (The router also has an IP from the "outside" subnet.) It is in parallel to take VPN load off the ASA.

nat (inside,inside) 1 source static inside-AMZ-VPN inside-AMZ-VPN destination static obj-amzn-10.24.0.0s13 obj-amzn-10.24.0.0s13 no-proxy-arp description NONAT

I can trace from the ASA and it routes to the router. If I trace from a host on the inside, it goes to the ASA (which is the default GW for all hosts on the inside network) but then continues out the outside interface.

4 Replies

You need to partition the inside hosts into two subnets:
one will use the router and the other will use the ASA.
That is the only way.
Also be aware of asymmetric traffic: if the traffic goes out from the router and returns in via the ASA, the ASA can drop the traffic.

Is it impossible to run the ASA in parallel with a router with the same inside and outside? What is the whole purpose of ARP if it cannot figure this out?


I will run a lab and check.

Seb Rupik
VIP Alumni

Hi there,

Have you considered configuring NAT inbound? Place the VPN pool as NAT inside and the router LAN interface as NAT outside? All VPN traffic will appear to originate from the router LAN interface.

You could also move the router to a Layer 3 interface off the firewall. The firewall would forward encrypted VPN traffic to the router. Use either static or dynamic routing between the router and firewall so that clear traffic between the VPN pool and LAN can be correctly routed.

It would need to be tested, but you could also configure proxy-arp on the router LAN interface. The router would need to have a route for the VPN pool addresses for this to work.


cheers,

Seb.
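One way to lay out the second option Seb describes (router on its own Layer 3 interface off the ASA, static routing for the VPN networks), as an added example that is not configuration from this thread. The interface names, the 10.250.0.0/30 link, the 192.168.10.0/24 LAN and the 10.24.0.0/13 prefix read from the object name are assumptions; the router is assumed to keep its existing outside-subnet address for the encrypted leg, so only the clear-text side is shown.

```cisco
! Assumed: LAN 192.168.10.0/24 on "inside", remote VPN networks 10.24.0.0/13
! (taken from the object name obj-amzn-10.24.0.0s13), router reached over a
! dedicated ASA interface on the point-to-point link 10.250.0.0/30.
!
! Dedicated Layer 3 interface towards the VPN router (replaces the parallel
! router-on-the-inside-subnet design, so no proxy-ARP tricks are needed)
interface GigabitEthernet0/2
 nameif vpnrtr
 security-level 100
 ip address 10.250.0.1 255.255.255.252
!
! Both interfaces are security-level 100; permit traffic between them
same-security-traffic permit inter-interface
!
! Objects reused from the original NAT statement
object network inside-AMZ-VPN
 subnet 192.168.10.0 255.255.255.0
object network obj-amzn-10.24.0.0s13
 subnet 10.24.0.0 255.248.0.0
!
! Clear-text traffic for the remote VPN networks is sent to the router,
! not out the outside interface, by an explicit static route
route vpnrtr 10.24.0.0 255.248.0.0 10.250.0.2 1
!
! Identity (NONAT) twice-NAT rule between LAN and VPN networks. The mapped
! interface is now vpnrtr; route-lookup makes the ASA pick the egress
! interface from the routing table rather than from this rule
nat (inside,vpnrtr) source static inside-AMZ-VPN inside-AMZ-VPN destination static obj-amzn-10.24.0.0s13 obj-amzn-10.24.0.0s13 no-proxy-arp route-lookup
!
! Access policy on the router link: only the VPN networks may reach the LAN
access-list vpnrtr_in extended permit ip object obj-amzn-10.24.0.0s13 object inside-AMZ-VPN
access-list vpnrtr_in extended deny ip any any log
access-group vpnrtr_in in interface vpnrtr
!
! Router side (IOS, assumed): return LAN-bound clear traffic to the ASA
! ip route 192.168.10.0 255.255.255.0 10.250.0.1
```

Because LAN hosts default to the ASA and the ASA's static route sends VPN-bound traffic to the router, both directions of every flow cross the ASA, which avoids the asymmetric-path drops mentioned in the first reply.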
