cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
801
Views
0
Helpful
5
Replies

Should I use static route toward to null0 if I using dynamic PAT in this scenario?

Hele Du
Level 1
Level 1

Hi All,

Could anyone can resolve my confusing?

I am considering the dynamic PAT, if the PAT addresses isn`t in a same subnets as outside interface address in ASA , I must advertise a static route which toward to ASA on upstream router, right?

In general, if the client on outside access the PAT addresses occasionally. The upstream router will forward package to ASA. If there is a default route on ASA , also ASA don`t have a connection , then the ASA will forward package backto upstream router. This will cause a package TLL expiration. There will cause a potentially issue if attacker try to attacking these PAT addresses.

Should I use the static route with null0 to aviod the loop between upstream router and ASA ?

2 Accepted Solutions

Accepted Solutions

Vibhor Amrodia
Cisco Employee
Cisco Employee

Hi,

In this case you need to check two things:-

1) Enable "

arp permit-nonconnected on the ASA device

If you are running 8.4.5 and above

2) The easiest way would be to add the ARP for this IP on the router or static route and that should resolve this issue.

Note:- Refer to this article for more information:-

https://supportforums.cisco.com/blog/149276

Thanks and Regards,

Vibhor Amrodia

View solution in original post

Hi Hele,

It would drop the packet as it is a Dynamic PAt(unidirectional). It would not send the packet back to Upstream router because that Destination IP is configured as PAT on ASA and ASA need to forward the traffic to the internal device(to whomsoever it concern). However as it is a Dynamic PAT/Unidirectional, it would drop it.

Hope it answers your query.

Regards,

Akshay Rastogi

Remember to rate the helpful posts.

View solution in original post

5 Replies 5

Vibhor Amrodia
Cisco Employee
Cisco Employee

Hi,

In this case you need to check two things:-

1) Enable "

arp permit-nonconnected on the ASA device

If you are running 8.4.5 and above

2) The easiest way would be to add the ARP for this IP on the router or static route and that should resolve this issue.

Note:- Refer to this article for more information:-

https://supportforums.cisco.com/blog/149276

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

Thank you for you responding.

Actually, the upstream router has advertised a static route which toward to ASA outside interface.

I think the upstream router will forward the package to ASA.

What does the ASA will doing if it has receive a package not in explicit routing table but have a PAT configuration ?

Hi Hele,

It would drop the packet as it is a Dynamic PAt(unidirectional). It would not send the packet back to Upstream router because that Destination IP is configured as PAT on ASA and ASA need to forward the traffic to the internal device(to whomsoever it concern). However as it is a Dynamic PAT/Unidirectional, it would drop it.

Hope it answers your query.

Regards,

Akshay Rastogi

Remember to rate the helpful posts.

Hi Akshay, Thank you for your answer. This scenario will cause a package loop issue in other vendor, so we must set a static route toward null0. It is great for ASA, thanks again.

Hi Hele,

If a traffic is initiated form Outside host for Address which is dynamically natted on ASA, ASA would always drop the packet. If the destination ip is configured as mapped ip in static NAT statement, then atleast ASA would not send it back to your Router. It would send it to concerned real IP.

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli#MULTIPLE-SUBNETS

If the ISP  has for example configure a new public subnet as a "secondary" network  on their gateway interface AND you are using 8.4(3) software you will  run into problems with connectivity of the hosts in the "secondary"  network range. This is because of changes to ARP related behaviour.  Basically the ASA will not populate ARP table with nonconnected  networks.

(this would also hold your scenario as well if the mapped ip is not in the same subnet as your outside interface ip).

Your solution is either to ask the ISP to  route the new subnet directly towards the ASA "outside" interface IP  address OR you will have to upgrade the ASA to 8.4(4/5) software level  and use the configuration command "arp permit-nonconnected"

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Review Cisco Networking for a $25 gift card