Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4711
Views
15
Helpful
7
Replies

Using OSPF in ASA to advertise NAT Pools.

pavlosd
Level 2
Level 2

‎09-01-2009 08:30 PM - edited ‎03-11-2019 09:11 AM

We are about to configure NAT on a Client's ASA Firewalls and we need some examples on how to go about configuring ospf for external (outside) interface that will advertise NATed addresses (or NAT Pools) and how to configure the ospf for internal networks (only with private addreses).

Assume a simple example where A is internal Router with Private Networks and RouterG that is a outside public Router with BGP that advertises default route to ASA. ASA translates private addresses to public addresses using NAT/Global.

RouterA-----in-ASA-out----RouterG

Labels:
0 Helpful
7 Replies 7

andrew.prince
Level 10
Level 10

‎09-02-2009 01:37 AM

AFAIK - You cannot re-distribute a NAT pool, as it is not a connected interface, or route.

HTH>

0 Helpful

ktwaddell
Level 1
Level 1

‎09-02-2009 02:42 AM

Why would you want to advertise the NAT pool out?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame

‎09-02-2009 02:55 AM

Pavlos

I'm assuming you want to advertise out the NAT pool so that remote devices know how to route to it ? Therefore i'm assuming also that this is not just standard ISP public addressing because if it is the ISP will take care of advertising the addressing and routing it to you.

With a router you could just create a loopback and run OSPF on that but the ASA doesn't support loopbacks so the best thing to do is

1) create a static route for the NAT pool

2) redistribute this static route into OSPF

As for the internal OSPF, just set it up as you would normally - here is a link to OSPF config on the ASA -

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html

Obviously you need to be careful that your internal networks don't get advertised to RouterG and external to RouterA.

Jon

kwillacey
Level 3
Level 3
In response to Jon Marshall

‎09-02-2009 06:36 AM

Also I think if you add the reverse-route command to the dynamic crypto map and do a redistribute static that will also work, because with the reverse-route added the pools or at least a host in the pool show up as a static route in the routing table.

0 Helpful

asagage00
Level 1
Level 1

‎06-23-2010 12:43 PM

How exactly do you add a static route on an ASA for a NAT pool?  For example...

Inside: 192.168.0.1/24

Outside: 192.168.1.1/24

NAT Pool: 192.168.2.0/24

I want to redistribute the static route for 192.168.2.0/24 into OSPF or EIGRP, but it is not associated with any particular interface so it will not be advertised as is.

On a router I would normally create a route like this...

ip route 192.168.2.0 255.255.255.0 null0

On the ASA I have to specify an interface and gateway IP.  What would this look like?

Tobias Hilbert
Level 1
Level 1
In response to asagage00

‎08-11-2012 12:11 PM

Hi

Any News on the Topic? I am interested in an answer as well.

I used to create a static route pointing to the outside interface but that ist not working anymore because of some recently added checks befor einserting the route. ASA complains about the fact that the next hop is the asa itself.

kind regards

Tobias

0 Helpful

leandroecomp
Level 1
Level 1

‎06-15-2018 08:11 PM - edited ‎06-15-2018 08:14 PM

Add a static route to Nat Pool:
ciscoasa(config)# route Null0 A.B.C.D X.X.X.X 1

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card