Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
801
Views
0
Helpful
5
Replies

Should I use static route toward to null0 if I using dynamic PAT in this scenario?

Go to solution
Hele Du
Level 1
Level 1

‎11-21-2015 09:05 AM - edited ‎03-11-2019 11:55 PM

Hi All,

Could anyone can resolve my confusing?

I am considering the dynamic PAT, if the PAT addresses isn`t in a same subnets as outside interface address in ASA , I must advertise a static route which toward to ASA on upstream router, right?

In general, if the client on outside access the PAT addresses occasionally. The upstream router will forward package to ASA. If there is a default route on ASA , also ASA don`t have a connection , then the ASA will forward package backto upstream router. This will cause a package TLL expiration. There will cause a potentially issue if attacker try to attacking these PAT addresses.

Should I use the static route with null0 to aviod the loop between upstream router and ASA ?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee

‎11-21-2015 11:31 PM

Hi,

In this case you need to check two things:-

1) Enable "

arp permit-nonconnected on the ASA device

If you are running 8.4.5 and above

2) The easiest way would be to add the ARP for this IP on the router or static route and that should resolve this issue.

Note:- Refer to this article for more information:-

https://supportforums.cisco.com/blog/149276

Thanks and Regards,

Vibhor Amrodia

View solution in original post

0 Helpful

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee
In response to Hele Du

‎11-28-2015 08:37 AM

Hi Hele,

It would drop the packet as it is a Dynamic PAt(unidirectional). It would not send the packet back to Upstream router because that Destination IP is configured as PAT on ASA and ASA need to forward the traffic to the internal device(to whomsoever it concern). However as it is a Dynamic PAT/Unidirectional, it would drop it.

Hope it answers your query.

Regards,

Akshay Rastogi

Remember to rate the helpful posts.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee

‎11-21-2015 11:31 PM

Hi,

In this case you need to check two things:-

1) Enable "

arp permit-nonconnected on the ASA device

If you are running 8.4.5 and above

2) The easiest way would be to add the ARP for this IP on the router or static route and that should resolve this issue.

Note:- Refer to this article for more information:-

https://supportforums.cisco.com/blog/149276

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Go to solution
Hele Du
Level 1
Level 1
In response to Vibhor Amrodia

‎11-23-2015 05:07 AM

Hi Vibhor,

Thank you for you responding.

Actually, the upstream router has advertised a static route which toward to ASA outside interface.

I think the upstream router will forward the package to ASA.

What does the ASA will doing if it has receive a package not in explicit routing table but have a PAT configuration ?

0 Helpful

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee
In response to Hele Du

‎11-28-2015 08:37 AM

Hi Hele,

It would drop the packet as it is a Dynamic PAt(unidirectional). It would not send the packet back to Upstream router because that Destination IP is configured as PAT on ASA and ASA need to forward the traffic to the internal device(to whomsoever it concern). However as it is a Dynamic PAT/Unidirectional, it would drop it.

Hope it answers your query.

Regards,

Akshay Rastogi

Remember to rate the helpful posts.

0 Helpful

Go to solution
Hele Du
Level 1
Level 1
In response to Akshay Rastogi

‎11-29-2015 06:29 PM

Hi Akshay, Thank you for your answer. This scenario will cause a package loop issue in other vendor, so we must set a static route toward null0. It is great for ASA, thanks again.
0 Helpful

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee
In response to Hele Du

‎11-29-2015 09:13 PM

Hi Hele,

If a traffic is initiated form Outside host for Address which is dynamically natted on ASA, ASA would always drop the packet. If the destination ip is configured as mapped ip in static NAT statement, then atleast ASA would not send it back to your Router. It would send it to concerned real IP.

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli#MULTIPLE-SUBNETS

If the ISP  has for example configure a new public subnet as a "secondary" network  on their gateway interface AND you are using 8.4(3) software you will  run into problems with connectivity of the hosts in the "secondary"  network range. This is because of changes to ARP related behaviour.  Basically the ASA will not populate ARP table with nonconnected  networks.

(this would also hold your scenario as well if the mapped ip is not in the same subnet as your outside interface ip).

Your solution is either to ask the ISP to  route the new subnet directly towards the ASA "outside" interface IP  address OR you will have to upgrade the ASA to 8.4(4/5) software level  and use the configuration command "arp permit-nonconnected"

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card