ASA NAT Q - IPs NATd DONT LIVE ON INTERFACE SUBNET??? Please explain.

Answered Question
May 21st, 2008

I am working on a customer's ASA 5540 right now. On the outside interface they are NAT'ing IP addresses that do not belong to the same subnet as the outside interface, mapping them to inside addresses.


I.e., the outside interface is 172.16.0.1/16 but they have NAT entries for 172.31.0.1-250/16 on the outside interface mapped to inside hosts. The router outside the ASA points all traffic destined for 172.0.0.0/8 to the ASA outside interface as its next hop for those subnets.


Obviously those addresses are replacements but the concept remains.


The solution works, but what I would like to know is whether this is supported/advised by Cisco, and could someone point me to a document that references this kind of setup for me to read. I'm not looking for a document explaining NAT but specifically NAT'ing addresses that don't belong to that interface's subnet.


Many thanks!!!!!


Ian


Correct Answer by scottcraig about 8 years 9 months ago

As long as the IPs are usable it shouldn't matter. The reason it is so common to see people only use IPs that exist on the external subnet is because those are often the only usable (public) IPs they CAN use. Otherwise, if you have multiple subnets that are routable by your provider OR the firewall is entirely internal, there is no reason not to NAT to whatever you want - assuming your routing is correct and other devices know to send to the firewall for those addresses. The router speaking to the firewall doesn't know whether the subnet in question is 50 hops away or only exists on the firewall. The return packets look the same when received by that router - source and destination are correct and the Ethernet header is sent to the router's MAC. I don't think it's necessarily advised or not advised - it is how NAT works as long as it is set up properly. However, it sends off red flags for many people because it is uncommon to see.


Make sense?


Jon Marshall Wed, 05/21/2008 - 23:14

Ian


Just to add to Scott's explanation. I don't know if there is a document that actually details what you are asking but we have used this type of configuration many times and never once has there been a suggestion from Cisco that it is an unsupported configuration.


As Scott says, as long as the subnet is routed to the outside interface of your ASA it will work fine.


Jon
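As an added illustration of what Scott and Jon describe (not configuration from the original thread or from the poster's ASA), here is the shape of the setup using the addresses from the question: an 8.2-era ASA with an outside interface in 172.16.0.0/16, static translations to addresses in 172.31.0.0/16, and the upstream router routing that prefix to the ASA as a next hop. The inside hosts (10.1.1.x), interface names and the router address 172.16.0.254 are constructed for the example. On ASA 8.3 and later the NAT syntax changed to object NAT and access lists match the real (inside) address, so this would need rewriting there.

```text
! --- ASA (pre-8.3 syntax, matching the 2008 date of the thread) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.0.1 255.255.0.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Mapped addresses are in 172.31.0.0/16, NOT in the outside interface subnet.
! Constructed example: one mapped address per inside host.
static (inside,outside) 172.31.0.1 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 172.31.0.2 10.1.1.11 netmask 255.255.255.255
!
! Inbound policy; pre-8.3 ACLs match the mapped (translated) address.
access-list OUTSIDE_IN extended permit tcp any host 172.31.0.1 eq 443
access-group OUTSIDE_IN in interface outside
!
! Return path: everything else goes to the upstream router.
route outside 0.0.0.0 0.0.0.0 172.16.0.254 1

! --- Upstream router (IOS) ---
! Proxy ARP does not help here: the router will never ARP for a
! 172.31.0.x host because that prefix is not on its own interface.
! It must be routed to the ASA's outside address as the next hop.
ip route 172.31.0.0 255.255.0.0 172.16.0.1
```

To confirm it is working end to end, check `show xlate` on the ASA for the static entries and `show ip route 172.31.0.1` on the router to verify the next hop is the ASA outside address.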

ians_2503 Thu, 05/22/2008 - 00:54

Thanks guys, I've never come across it before and just wasn't sure if it was the norm. I understand how it works, proxy ARP etc., but wasn't 100% sure if it was the "done thing".


Many thanks.


Ian
