06-07-2012 01:50 PM - edited 03-11-2019 04:16 PM
I am looking for help on a mixture of Routing and Switching and Firewalling ...
So I have a router connected to the ISP ... the router is also connected to a switch. Into that switch I have plugged two ASAs, a 5505 and a 5520.
I was given a /27 (255.255.255.224), a 30-address block from the ISP. Let's say the last octet of the router is .1, ASA #1 is .2, and ASA #2 is .3.
Now I want to use the rest of the addresses for Static NAT (the IP addresses are publicly registered to their own domain names).
Can I use any of the rest of the addresses, .4 through .30, on either ASA in Static NAT (1-to-1 translation)? Possibly even move them back and forth between ASAs?
How does the router know which ASA it needs to forward the packet to if it is destined for .12, for example? Does the ASA send out an ARP message for each of the static addresses it is using? The packets aren't broadcast to the subnet, are they?
Or is this a Layer 3 problem? Do I have to segment my /27 into two /28s on my router (requiring an additional interface and use of another IP address)?
I was trying to decide if I could possibly model this in GNS3.
PS: the reason for doing this is disaster recovery, moving servers between racks without changing the IP address scheme (the private addressing scheme behind each ASA is identical), etc.
Thanks so much for the help,
Matt
CCNP, CCDP, CCIP, ASA Specialist
06-07-2012 07:23 PM
Can I use any of the rest of the addresses .4 through .30, on either ASA in Static NAT (1 to 1 translation)? Possibly even move them back and forth between ASAs?
--> YES you can
How does the router know which as ASA it needs to forward the packet to if it is destined for .12 for example? Does the ASA send out an ARP message for each of its static addresses that it is using? They packets aren't broadcast to the subnet, are they?
--> YES, the ASA will send out an ARP to tell the router that it has that particular static address
Or is this a Layer 3 problem. Do I have to segment my /27 into two /28's on my router (requiring an additional interface and use of another IP address)?
--> NO, you don't have to segment the /27 into /28
06-08-2012 08:16 AM
Thanks Jennifer,
That is exactly what I was looking for.
We figured out that while we had partially disabled the Static NAT addresses we were translating, we had not fully disabled them on the first of the two ASAs. So when we tried to use them on the second, the switch still thought the first had the address (since it did). The minute we fully disabled it, the CAM table updated ... and voilà, it began working correctly on the second ASA.
It is good to know Static NAT resolves via ARP. I had a hard time finding any good documentation on Static NAT ARP resolution. Does such a thing exist? Maybe it is just in the RFC.
THANKS AGAIN!
06-08-2012 08:24 AM
Good to know all is working. Thanks for the update.
Here is what you are looking for
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975
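The setup discussed in this thread written out as configuration, as an added example that is not part of the original posts. It assumes the documentation block 203.0.113.0/27 in place of the ISP's /27, an assumed inside server 10.0.0.12 and assumed interface names, and uses the ASA 8.2 `static` syntax that the linked command reference covers (the 8.3+ form is shown in comments). It also spells out the order of operations for moving a mapped address from one ASA to the other, since a half-removed translation is exactly what caused the stale ARP/CAM behaviour described above.

```cisco
! --- Router facing the switch: the whole /27 stays on one interface.
! No /28 split is needed; the router simply ARPs for any .4-.30 address
! and whichever ASA currently publishes it answers.
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.224
!
! --- ASA #1 (8.2 syntax), outside interface .2 on the same /27.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.224
!
! One-to-one static NAT: public .12 maps to inside server 10.0.0.12 (assumed).
! With this line present the ASA answers ARP requests for 203.0.113.12 on
! outside (proxy ARP); that is what lets the router reach a mapped address
! the ASA does not carry as an interface IP. No subnetting is involved.
static (inside,outside) 203.0.113.12 10.0.0.12 netmask 255.255.255.255
!
! In 8.2 an ACL on the outside interface matches the MAPPED address;
! from 8.3 onward it matches the real (inside) address instead.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.12 eq 443
access-group OUTSIDE_IN in interface outside
!
! 8.3+ equivalent of the static line above, for reference:
!   object network SRV12
!    host 10.0.0.12
!    nat (inside,outside) static 203.0.113.12
!
! Proxy ARP on the outside interface must stay enabled for any of this to
! work. The command that would switch it off (do NOT apply it here) is:
!   sysopt noproxyarp outside
!
! --- Moving .12 from ASA #1 to ASA #2 (outside .3), in this order:
! 1. On ASA #1, remove the translation completely so it stops answering ARP:
!      no static (inside,outside) 203.0.113.12 10.0.0.12 netmask 255.255.255.255
!      clear xlate
! 2. On ASA #2, add the same static line and ACL, pointing at its own
!    10.0.0.12 (the private scheme behind both ASAs is identical).
! 3. On the router, drop the stale entry rather than waiting for it to age:
!      clear arp-cache
!    then confirm .12 now resolves to ASA #2's outside MAC:
!      show ip arp 203.0.113.12
! If step 1 is skipped, ASA #1 keeps answering ARP for .12, the router's ARP
! cache keeps pointing at its MAC and the switch's CAM table at its port, and
! traffic never reaches ASA #2 until the first translation is fully removed.
```

The verification step matters more than it looks: `show ip arp` on the router is the only place that tells you which ASA is actually winning the ARP for a given mapped address, and after a move it should be checked before any DNS or application-level testing.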