Using OSPF in ASA to advertise NAT Pools.

pavlosd
Level 2

We are about to configure NAT on a client's ASA firewalls and we need some examples of how to go about configuring OSPF for the external (outside) interface that will advertise NATed addresses (or NAT pools) and how to configure OSPF for internal networks (only with private addresses).

Assume a simple example where A is an internal router with private networks and RouterG is an outside public router with BGP that advertises a default route to the ASA. The ASA translates private addresses to public addresses using NAT/Global.

RouterA-----in-ASA-out----RouterG

7 Replies

andrew.prince
Level 10

AFAIK - You cannot re-distribute a NAT pool, as it is not a connected interface, or route.

HTH

ktwaddell
Level 1

Why would you want to advertise the NAT pool out?

Jon Marshall
Hall of Fame

Pavlos

I'm assuming you want to advertise out the NAT pool so that remote devices know how to route to it? Therefore I'm also assuming that this is not just standard ISP public addressing, because if it is, the ISP will take care of advertising the addressing and routing it to you.

With a router you could just create a loopback and run OSPF on that, but the ASA doesn't support loopbacks, so the best thing to do is:

1) create a static route for the NAT pool

2) redistribute this static route into OSPF

As for the internal OSPF, just set it up as you would normally - here is a link to OSPF config on the ASA -

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html

Obviously you need to be careful that your internal networks don't get advertised to RouterG and external to RouterA.

Jon

Also I think if you add the reverse-route command to the dynamic crypto map and do a redistribute static that will also work, because with the reverse-route added the pools or at least a host in the pool show up as a static route in the routing table.

asagage00
Level 1
Level 1

How exactly do you add a static route on an ASA for a NAT pool?  For example...

Inside: 192.168.0.1/24

Outside: 192.168.1.1/24

NAT Pool: 192.168.2.0/24

I want to redistribute the static route for 192.168.2.0/24 into OSPF or EIGRP, but it is not associated with any particular interface so it will not be advertised as is.

On a router I would normally create a route like this...

ip route 192.168.2.0 255.255.255.0 null0

On the ASA I have to specify an interface and gateway IP.  What would this look like?

Hi

Any News on the Topic? I am interested in an answer as well.

I used to create a static route pointing to the outside interface, but that is not working anymore because of some recently added checks before inserting the route. The ASA complains about the fact that the next hop is the ASA itself.

kind regards

Tobias

leandroecomp
Level 1
Level 1

Add a static route to Nat Pool:
ciscoasa(config)# route Null0 A.B.C.D X.X.X.X 1
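
The steps discussed in this thread, combined into one ASA configuration fragment. This is an added example, not part of any reply above: it uses the addressing from asagage00's post, assumes an ASA release that accepts Null0 as the route interface (as in the last reply), and the ACL name, route-map name and OSPF process IDs are hypothetical.

```cisco
! Added example; addressing is from the question above, object names are hypothetical.
! Put the NAT pool in the routing table so there is a static route to redistribute.
route Null0 192.168.2.0 255.255.255.0 1
!
! Match only the NAT pool; any other static route is implicitly denied.
access-list NAT-POOL-ONLY standard permit 192.168.2.0 255.255.255.0
!
route-map REDIST-NAT-POOL permit 10
 match ip address NAT-POOL-ONLY
!
! Outside process: neighbors with RouterG and advertises the pool only.
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 redistribute static subnets route-map REDIST-NAT-POOL
!
! Inside process: neighbors with RouterA. Nothing is redistributed between
! the two processes, so private prefixes are not advertised to RouterG and
! external prefixes are not advertised to RouterA.
router ospf 2
 network 192.168.0.0 255.255.255.0 area 0
```

Check the result with `show route` on the ASA and confirm on RouterG that 192.168.2.0/24 is the only prefix learned from the firewall.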
