11-15-2013 12:57 AM - edited 03-04-2019 09:35 PM
The Cisco ASA basically has a /19 public address space at its disposal. While changing from static routes to OSPF it became apparent that only subnets configured on interfaces are distributed over OSPF. The effect is that, for those addresses used for 1:1 NAT, the routers in front of the ASA don't have a route to them.
Since the ASA doesn't support a null interface, I can't create a null route to have it redistributed in the OSPF process. The only work-around I have been able to come up with is using static routes on the routers for these networks, but if doing so and simulating that the internal NIC on the router is down, then it has no way of reaching there, albeit its neighbor router, reachable over an interface for iBGP, knows how to get there.
I'm thinking I might be able to set up the 1:1 NAT addresses (limited to two /24s) on interfaces on the ASA. It would definitely have the routes inserted into OSPF, but I'm unsure if that will break NAT.
Changing from internal addresses with 1:1 NAT to public addresses is not really an option until all other options have been considered, due to the sheer amount of work that would need to be done.
11-15-2013 02:05 AM
Hi,
You used to be able to create a static route for the NAT pool on the ASA with a next-hop IP address of the ASA's outside interface; this could then be redistributed into the IGP. I think recent ASA code has prevented this behaviour as it detects that the next-hop IP address is its local interface.
You could try configuring reliable static routing on the edge routers so that, in the event that the inside interface is down or the outside interface of the ASA no longer responds to ICMP, the static route is removed and a floating static route with a higher AD is installed pointing to the second edge router.
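The reliable static routing described in this answer, written out as an added Cisco IOS configuration example for one of the two edge routers. This is not configuration posted by anyone in the thread; the prefixes (203.0.113.0/24 for the NAT pool, 198.51.100.1 for the ASA outside interface, 198.51.100.2 for the second edge router), the interface name and the OSPF process number are constructed placeholders.

```cisco
! Added example, not from the thread. All addresses are constructed placeholders
! from documentation ranges:
!   203.0.113.0/24  the 1:1 NAT pool the ASA does not advertise into OSPF
!   198.51.100.1    ASA outside interface (the next hop from this router)
!   198.51.100.2    second edge router, reached over the iBGP-facing link
!
! 1. Probe the ASA outside interface with an ICMP echo every 5 seconds.
ip sla 10
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 10 life forever start-time now
!
! 2. Track the probe's reachability; the dampening delays stop a single
!    lost echo from flapping the route.
track 10 ip sla 10 reachability
 delay down 10 up 20
!
! 3. Primary static route to the NAT pool, withdrawn from the RIB as soon
!    as the track goes down (ASA outside unreachable or local link down).
ip route 203.0.113.0 255.255.255.0 198.51.100.1 track 10
!
! 4. Floating static with a higher AD (250) toward the second edge router;
!    it is installed only while the tracked primary is absent.
ip route 203.0.113.0 255.255.255.0 198.51.100.2 250
!
! 5. Advertise whichever static is installed into OSPF so upstream routers
!    learn a path to the NAT pool.
router ospf 1
 redistribute static subnets
```

The second edge router gets the mirror of this configuration, with the floating route pointing back at the first. Two things to check before relying on it: the ASA must answer the probe, so an `icmp permit` entry for the routers' probe source on the outside interface is required, and `show track 10` together with `show ip route 203.0.113.0` should show the primary route leaving and the floating route appearing when the probe fails. If both routers lose their tracked primary at once, their floating routes point at each other and traffic for the pool loops until the TTL expires, so the failure case worth testing is both ASA links down, not just one.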
11-29-2013 01:17 AM
This is precisely what I did already, and it does seem to do the trick well!