I have a scenario where I have an ASA with 3 interfaces (it's actually 8, but I have simplified this to 3).
All 3 interfaces are privately addressed, and OSPF is running on the outside interface.
The servers in both DMZ1 and DMZ2 are statically NAT'd to the outside interface using a single public subnet (e.g. 126.96.36.199/24).
What I want to achieve is to have the ASA advertise the external subnet 188.8.131.52/24 into the OSPF process on the outside interface.
I have found that if I add a route for 184.108.40.206/24 to any IP address in DMZ1, then re-distribute that static into OSPF, the other OSPF routers can see the route, which is what I am trying to achieve. I do not have access to the other routers, so advertising them into OSPF is my only option.
So when the ASA receives a packet for 123.123.123.x, it un-NATs it, and if the un-NAT'd address is in DMZ1 it works, and if it is in DMZ2, it doesn't work.
Is there any way of doing this, as the DMZ devices which use this external range are spread across multiple DMZ interfaces?
### Under the OSPF config, added a summary address ###
router ospf 2
 summary-address 220.127.116.11 255.255.255.0
So what this does is redistribute the static host route into OSPF, and because this host route is within the summary-address range, OSPF only advertises the summary address, which is what I was after.
I have to remember that the ASAs are becoming more and more like routers.
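
The whole approach described in the post, written out as an added example (not the poster's own configuration): one static host route inside the public range, redistributed into OSPF and collapsed to the /24 by the summary address. Assumptions: 203.0.113.0/24 is a constructed documentation range standing in for the public subnet, `dmz1` is a hypothetical interface name, 10.1.1.10 is a hypothetical DMZ1 server whose mapped address is 203.0.113.10, and OSPF process 2 is taken from the post.

```cisco
! Constructed example: addresses, interface name and next hop are placeholders.

! 1. Static host route for ONE mapped address inside the public range.
!    It points at the interface where that translated server really lives,
!    so it does not misdirect traffic for servers on other DMZ interfaces.
route dmz1 203.0.113.10 255.255.255.255 10.1.1.10

router ospf 2
 ! 2. Redistribute static routes; "subnets" is needed so that
 !    non-classful prefixes such as a /32 are accepted.
 redistribute static subnets
 ! 3. Suppress the /32 and advertise only the covering /24.
 !    The summary is originated only while at least one redistributed
 !    route falls inside it, so the host route above must stay in place.
 summary-address 203.0.113.0 255.255.255.0

! Verification on the ASA:
!   show route static        -> the /32 is installed
!   show ospf 2 database     -> an external LSA exists for 203.0.113.0
!                               and none for 203.0.113.10
```

Because `redistribute static subnets` exports every static route on the ASA, attaching a route-map that matches only the intended host route keeps unrelated internal statics out of the OSPF domain.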