Cisco ASA distribute IPs not held by interface into OSPF

The Cisco ASA basically has a /19 public address space at its disposal. While changing from static routes to OSPF it became apparent that only subnets configured on interfaces are distributed over OSPF. The effect is that the routers in front of the ASA don't have a route to the addresses used for 1:1 NAT.

Since the ASA doesn't support a null interface, I can't create a null route to have it redistributed into the OSPF process. The only work-around I have been able to come up with is using static routes on the routers for these networks, but if I do so and simulate that the internal NIC on the router is down, then it has no way of reaching there, although its neighbor router, reachable over an interface for iBGP, knows how to get there.

I'm thinking I might be able to set up the 1:1 NAT addresses (limited to two /24s) on interfaces on the ASA. It would definitely have the routes inserted into OSPF, but I'm unsure whether that will break NAT.

Changing from internal addresses with 1:1 NAT to public addresses is not really an option until all other options have been considered, due to the sheer amount of work that would need to be done.

Accepted Solution
Participant

Cisco ASA distribute IPs not held by interface into OSPF

Hi,

You used to be able to create a static route for the NAT pool on the ASA with a next-hop IP address of the ASA's outside interface; this could then be redistributed into the IGP. I think recent ASA code has prevented this behaviour, as it detects that the next-hop IP address is its local interface.

You could try configuring reliable static routing on the edge routers so that, in the event that the inside interface is down or the outside interface of the ASA no longer responds to ICMP, the static route is removed and a floating static route with a higher AD is installed pointing to the second edge router.

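One way to build the reliable static routing the accepted answer describes, as an added IOS configuration example for one edge router (not the poster's or the answerer's own config). The interface names, the ASA outside address 203.0.113.1, the two NAT /24s (198.51.100.0/24 and 198.51.101.0/24) and the second edge router's address 192.0.2.2 are all constructed placeholders; the second edge router gets the mirror-image configuration.

```cisco
! Edge router R1 (constructed example; all addresses and interface names are placeholders)
! Gi0/1 is the inside interface facing the ASA outside interface (203.0.113.1)
!
! 1. Probe the ASA outside interface with ICMP every 5 seconds, sourced from the inside interface
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 5
 timeout 1000
ip sla schedule 10 life forever start-time now
!
! 2. Track the probe result, and separately the inside interface line protocol;
!    combine both with a boolean AND so either failure pulls the primary route
track 10 ip sla 10 reachability
 delay down 10 up 10
track 20 interface GigabitEthernet0/1 line-protocol
track 30 list boolean and
 object 10
 object 20
!
! 3. Primary static routes for the two 1:1 NAT /24s toward the ASA, installed only while track 30 is up
ip route 198.51.100.0 255.255.255.0 203.0.113.1 track 30
ip route 198.51.101.0 255.255.255.0 203.0.113.1 track 30
!
! 4. Floating static routes (AD 250, worse than the default AD 1 of the primaries) toward the
!    second edge router R2, which is reachable over the iBGP link; they take over only when
!    the tracked primaries are withdrawn
ip route 198.51.100.0 255.255.255.0 192.0.2.2 250
ip route 198.51.101.0 255.255.255.0 192.0.2.2 250
!
! Verify with: show track 30 / show ip sla statistics 10 / show ip route static
```

If the statics are redistributed into the IGP on both edge routers, check that the floating route on R1 is not re-advertised back to R2 with a better metric than R2's own tracked route, or the two routers can hand traffic back and forth while the ASA is unreachable.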
Beginner

Cisco ASA distribute IPs not held by interface into OSPF

This is precisely what I did already, and it does seem to do the trick well!