ASA - Advertising NAT addresses into OSPF

Unanswered Question
Feb 11th, 2008

Hi all

Hope someone here can help me out.

I have a scenario where I have an ASA with 3 interfaces (it's actually 8, but I have simplified this to 3).

Outside 192.168.0.250/24

DMZ1 192.168.1.250/24

DMZ2 192.168.2.250/24

All 3 interfaces are privately addressed, and OSPF is running on the outside interface.

The servers in both DMZ1 and DMZ2 are statically NAT'd to the outside interface using a single public subnet (e.g. 123.123.123.0/24).

What I want to achieve is to have the ASA advertise the external subnet 123.123.123.0/24 into the OSPF process on the outside interface.

I have found that if I add a route for 123.123.123.0/24 to any IP address in DMZ1, then re-distribute that static into OSPF, the other OSPF routers can see the route, which is what I am trying to achieve. I do not have access to the other routers, so advertising them into OSPF is my only option.

So when the ASA receives a packet for 123.123.123.x it un-NATs it, and if the un-NAT'd address is in DMZ1 it works, but if it is in DMZ2, it doesn't work.

Is there any way of doing this, as the DMZ devices which use this external range are spread across multiple DMZ interfaces?

Dale

manufc Tue, 02/12/2008 - 06:05

Hi,

So if I understand this correctly:

Outside is 192.168.0.254/24

DMZ1 > NAT source IP to 123.123.123.0/24

Are there any ACLs preventing DMZ2 from being visible?

This doc may be helpful:

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Or, what if DMZ2 was NATed to a different IP range, and that range is advertised into OSPF?

Not sure how helpful this may be...

Cheers

dcoghlan Wed, 02/13/2008 - 17:19

OK, figured it out with some help from our Cisco contact.

Allocated the address 123.123.123.1/32 to be reserved for "routing purposes".

### Added the following route so that there is a host route in the routing table for an address in the /24 subnet ###

route DMZ1 123.123.123.1 255.255.255.255 192.168.1.250

### Redistributed the host route into OSPF (the ACL has to permit the same host address as the route, otherwise nothing is redistributed) ###

access-list REDIS-STATICS-ACL standard permit host 123.123.123.1
route-map REDIS-STATICS permit 10
 match ip address REDIS-STATICS-ACL
router ospf 2
 redistribute static subnets route-map REDIS-STATICS

### Under the OSPF config, added a summary address covering the host route ###

router ospf 2
 summary-address 123.123.123.0 255.255.255.0

So what this does is redistributes the static host route into OSPF, and because this host route is within the summary-address range, OSPF only advertises the summary address, which is what I was after.

I have to remember that the ASAs are becoming more and more like routers.

Thanks for your suggestion

Dale
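The trick above only works when three pieces line up: the /32 static route has to sit inside the summary-address range (a summary is only advertised while a contributing route exists), the redistribution ACL has to permit exactly that host, and the route's next hop has to be on the named interface. A small added checker for those three conditions, written for this thread and not part of anyone's post or of any Cisco tool; the sample config it parses is constructed from the thread's example addressing, and the function and regex names are my own. It only understands the handful of ASA lines the trick uses (`route`, `access-list ... standard permit host`, `summary-address`, `nameif`, `ip address`), not a full ASA config.

```python
"""Sanity-check an ASA 'host route + redistribute static + summary-address' snippet.

Added example for the thread above (not from the original post). It parses the
few lines that make the trick work and checks that they agree with each other.
"""
import ipaddress
import re

# Constructed sample config, mirroring the thread's example (123.123.123.0/24).
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 nameif DMZ1
 ip address 192.168.1.250 255.255.255.0
route DMZ1 123.123.123.1 255.255.255.255 192.168.1.250
access-list REDIS-STATICS-ACL standard permit host 123.123.123.1
route-map REDIS-STATICS permit 10
 match ip address REDIS-STATICS-ACL
router ospf 2
 redistribute static subnets route-map REDIS-STATICS
 summary-address 123.123.123.0 255.255.255.0
"""

# Only the line shapes the trick relies on are parsed (hypothetical helper names).
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
ACL_HOST_RE = re.compile(r"^access-list\s+(\S+)\s+standard\s+permit\s+host\s+(\S+)")
SUMMARY_RE = re.compile(r"^\s*summary-address\s+(\S+)\s+(\S+)")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)")


def parse_config(text):
    """Return (routes, acl_hosts, summaries, interfaces) from an ASA snippet."""
    routes, acl_hosts, summaries, interfaces = [], {}, [], {}
    current_if = None
    for line in text.splitlines():
        if line.startswith("interface "):
            current_if = None  # nameif follows inside the interface block
        elif m := ROUTE_RE.match(line):
            ifname, net, mask, nexthop = m.groups()
            routes.append((ifname,
                           ipaddress.ip_network(f"{net}/{mask}"),
                           ipaddress.ip_address(nexthop)))
        elif m := ACL_HOST_RE.match(line):
            acl_hosts.setdefault(m.group(1), set()).add(ipaddress.ip_address(m.group(2)))
        elif m := SUMMARY_RE.match(line):
            summaries.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := NAMEIF_RE.match(line):
            current_if = m.group(1)
        elif (m := IPADDR_RE.match(line)) and current_if:
            interfaces[current_if] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return routes, acl_hosts, summaries, interfaces


def check_summary_trick(text, acl_name):
    """List the reasons the summary would NOT be advertised; empty list means OK."""
    routes, acl_hosts, summaries, interfaces = parse_config(text)
    permitted = acl_hosts.get(acl_name, set())
    problems = []
    for summary in summaries:
        contributing = [r for r in routes if r[1].subnet_of(summary)]
        if not contributing:
            problems.append(f"summary-address {summary} has no static route inside it, "
                            "so OSPF will not advertise it")
        for ifname, net, nexthop in contributing:
            # A standard ACL 'permit host X' only matches a /32 route for X.
            if net.network_address not in permitted:
                problems.append(f"route {net} is not permitted by {acl_name}, "
                                "so it is never redistributed")
            conn = interfaces.get(ifname)
            if conn is None or nexthop not in conn.network:
                problems.append(f"next hop {nexthop} of route {net} is not on interface {ifname}")
    return problems


if __name__ == "__main__":
    for problem in check_summary_trick(SAMPLE_CONFIG, "REDIS-STATICS-ACL") or ["config looks consistent"]:
        print(problem)
```

Running it on the sample reports nothing; change the ACL host so it no longer matches the route (the mismatch that would stop redistribution cold) or drop the host route, and it names the piece that broke the chain.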
