Cisco Support Community

New Member

ASA - Advertising NAT addresses into OSPF

Hi all

Hope someone here can help me out.

I have a scenario where I have an ASA with 3 interfaces (it's actually 8 but I have simplified this to 3).




All 3 interfaces are privately addressed, and OSPF is running on the outside interface.

The servers in both DMZ1 and DMZ2 are statically NAT'd to the outside interface using a single public subnet (eg

What I want to achieve is to have the ASA advertise the external subnet into the OSPF process on the outside interface.

I have found that if I add a route for to any IP address in DMZ1, then re-distribute that static into OSPF, the other OSPF routers can see the route, which is what I am trying to achieve. I do not have access to the other routers, so advertising them into OSPF is my only option.

So when the ASA receives a packet for 123.123.123.x it un-nats it and if the un-nat'd address is in DMZ1 it works, and if it is in DMZ2, it doesn't work.

Is there any way of doing this, as the DMZ devices which use this external range are spread across multiple DMZ interfaces?


New Member

Re: ASA - Advertising NAT addresses into OSPF


So if I understand this correctly;

Outside is

DMZ1 > NAT source IP to

Are there any ACLs preventing DMZ2 from being visible?

This doc may be helpful;

Or, what if DMZ2 was NATed to a different IP range, and that range is advertised into OSPF?

Not sure how helpful this may be...


New Member

Re: ASA - Advertising NAT addresses into OSPF

OK, figured it out with some help from our Cisco contact.

Allocated the address to be reserved for "routing purposes"

### Added the following route so that there is a host route in the routing tables for an address in the /24 subnet ###

route DMZ1

### Redistributed the host route into OSPF ###

access-list REDIS-STATICS-ACL standard permit host

route-map REDIS-STATICS permit 10

match ip address REDIS-STATICS-ACL

router ospf 2

redistribute static subnets route-map REDIS-STATICS

### Under the OSPF config, added a summary address ###

router ospf 2


So what this does is redistribute the static host route into OSPF, and because this host route is within the summary-address range, OSPF only advertises the summary address, which is what I was after.

I have to remember that the ASAs are becoming more and more like routers.

Thanks for your suggestion
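
The behaviour described in the last post (a redistributed host route collapsing into the summary address), as an added example that is not part of the original thread: a simplified Python model of the route-map filter and the summary-address suppression. All addresses are constructed documentation ranges, not the poster's, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (documentation ranges), not the poster's addresses.
STATICS = [
    ("203.0.113.254/32", "DMZ1"),  # host route reserved for "routing purposes"
    ("0.0.0.0/0", "outside"),      # default route: must not leak into OSPF
    ("198.51.100.7/32", "DMZ2"),   # unrelated static, not named in the ACL
]
ACL_HOSTS = ["203.0.113.254"]      # models: access-list ... standard permit host <addr>
SUMMARIES = ["203.0.113.0/24"]     # models: summary-address under router ospf


def redistributed(statics, acl_hosts):
    """Statics the route-map permits: network address must equal an ACL host."""
    permitted = {ipaddress.ip_address(h) for h in acl_hosts}
    return [
        ipaddress.ip_network(prefix)
        for prefix, _interface in statics
        if ipaddress.ip_network(prefix).network_address in permitted
    ]


def advertised(statics, acl_hosts, summaries):
    """External prefixes the other OSPF routers see after summarisation."""
    summary_nets = [ipaddress.ip_network(s) for s in summaries]
    result = set()
    for net in redistributed(statics, acl_hosts):
        covering = [s for s in summary_nets if net.subnet_of(s)]
        if covering:
            # Component route is suppressed; only the covering summary goes out.
            result.add(max(covering, key=lambda s: s.prefixlen))
        else:
            # No summary covers it, so the redistributed route goes out as-is.
            result.add(net)
    return sorted(str(n) for n in result)


if __name__ == "__main__":
    print(advertised(STATICS, ACL_HOSTS, SUMMARIES))
```

In this model the route-map filter is what keeps the default route and the unrelated static out of OSPF, and the summary is only advertised while a permitted component route exists.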