Using OSPF in ASA to advertise NAT Pools.

Unanswered Question
Sep 1st, 2009

We are about to configure NAT on a client's ASA firewalls and we need some examples of how to go about configuring OSPF for the external (outside) interface that will advertise NATed addresses (or NAT pools) and how to configure OSPF for the internal networks (only with private addresses).


Assume a simple example where RouterA is an internal router with private networks and RouterG is an outside public router with BGP that advertises a default route to the ASA. The ASA translates private addresses to public addresses using NAT/Global.


RouterA-----in-ASA-out----RouterG


ktwaddell Wed, 09/02/2009 - 02:42

Why would you want to advertise the NAT pool out?

Jon Marshall Wed, 09/02/2009 - 02:55

Pavlos


I'm assuming you want to advertise out the NAT pool so that remote devices know how to route to it? Therefore I'm also assuming that this is not just standard ISP public addressing, because if it is, the ISP will take care of advertising the addressing and routing it to you.


With a router you could just create a loopback and run OSPF on that but the ASA doesn't support loopbacks so the best thing to do is


1) create a static route for the NAT pool

2) redistribute this static route into OSPF


As for the internal OSPF, just set it up as you would normally - here is a link to OSPF config on the ASA -


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html


Obviously you need to be careful that your internal networks don't get advertised to RouterG and external to RouterA.


Jon


kwillacey Wed, 09/02/2009 - 06:36

Also I think if you add the reverse-route command to the dynamic crypto map and do a redistribute static that will also work, because with the reverse-route added the pools or at least a host in the pool show up as a static route in the routing table.

asagage00 Wed, 06/23/2010 - 12:43

How exactly do you add a static route on an ASA for a NAT pool? For example...


Inside: 192.168.0.1/24

Outside: 192.168.1.1/24

NAT Pool: 192.168.2.0/24


I want to redistribute the static route for 192.168.2.0/24 into OSPF or EIGRP, but it is not associated with any particular interface so it will not be advertised as is.


On a router I would normally create a route like this...

ip route 192.168.2.0 255.255.255.0 null0


On the ASA I have to specify an interface and gateway IP. What would this look like?

Tobias Hilbert Sat, 08/11/2012 - 12:11

Hi


Any news on the topic? I am interested in an answer as well.


I used to create a static route pointing to the outside interface, but that is not working anymore because of some recently added checks before inserting the route. The ASA complains about the fact that the next hop is the ASA itself.


Kind regards

Tobias
