Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2108
Views
0
Helpful
2
Replies

ASA - Advertising NAT addresses into OSPF

dcoghlan
Level 1
Level 1

‎02-11-2008 09:05 PM - edited ‎03-11-2019 05:01 AM

Hi all

Hope someone here can help me out.

I have a scenario where I have an ASA with 3 interfaces (its actually 8 but I have simplified this to 3).

Outside 192.168.0.250/24

DMZ1 192.168.1.250/24

DMZ2 192.168.2.250/24

All 3 interfaces are privately addressed, and OSPF is running on the outside interface.

The servers in both DMZ1 and DMZ2 are statically NAT'd to the outside interface using a single public subnet (eg 123.123.123.0/24)

What I want to achieve is to have the ASA advertise the external subnet 123.123.123.0/24 into the OSPF process on the outside interface.

I have found that if I add a route for 123.123.123.0/24 to any IP address in DMZ1, then re-distribute that static into OSPF, the other OSPF routers can see the route, which is what I am trying to achieve. I do not have access to the other routers, so advertising them into OSPF is my only option.

So when the ASA receives a packet for 123.123.123.x it un-nats it and if the un-nat'd address is in DMZ1 it works, and if it is in DMZ2, it doesn't work.

Is there any way of doing this as the DMZ devices which use this external range are spread across multiple DMZ interfaces.

Dale

Labels:
0 Helpful
2 Replies 2

manufc
Level 1
Level 1

‎02-12-2008 06:05 AM

Hi,

So if I understand this correctly;

Outside is 192.168.0.254/24

DMZ1 > NAT source IP to 123.123.123.0/24

Are there any ACL's preventing DMZ2 from being visible?

This doc may be helpful;

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Or, what if DMZ2 was NATed to a different IP range, and that range is advertised into OSPF?

Not sure how helpful this may be...

Cheers

0 Helpful

dcoghlan
Level 1
Level 1
In response to manufc

‎02-13-2008 05:19 PM

ok figured it out with some help from our cisco contact

Allocated the address 123.123.123.1/32 to be reserved for "routing purposes"

### Added the following route so that there is a host route in the routing tables for an address in the /24 subnet ###

route DMZ1 123.123.123.1 255.255.255.255 192.168.1.250

### Redistributed the host route into OSPF ###

access-list REDIS-STATICS-ACL standard permit host 202.43.132.1

route-map REDIS-STATICS permit 10

match ip address REDIS-STATICS-ACL

router ospf 2

redistribute static subnets route-map REDIS-STATICS

### Under the OSPF config, added a summary address ###

router ospf 2

summary-address 202.43.132.0 255.255.255.0

So what this does is redistributes the static host route into OSPF, and because this host route is within the summary-address range, OSPF only advertises the summary address, which is what I was after.

I have to remember that the ASA's are becoming more and more like routers.

Thanks for your suggestion

Dale

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card