
ASA NAT when not on interface network

We are trying to restructure our edge network.  The ASA with NATs is currently on a natural /24, as is its upstream router.  We are trying to change the ASA and router to reside on a /28 that is part of the existing /24.  In so doing we have added routes to the router to send traffic for the NAT range to the ASA's new 'outside' IP:

Router IP: 10.10.10.226/28, HSRP IP 10.10.10.225

ASA IP: 10.10.10.228/28 stby 10.10.10.229

ip route 10.10.10.0 255.255.255.128 10.10.10.228 250 (high AD so as not to interfere with BGP later)

ip route 10.10.10.128 255.255.255.192 10.10.10.228 250 (high AD so as not to interfere with BGP later)

ASA NATs: 10.10.10.11-.135

From the ASA configured this way, we can ping the router IP fine.

One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either.

Should either of these methods work?

Thanks - Paul
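As an added example (not part of the thread, and not Cisco code), the following Python script does the sanity check a reviewer would want before trying the setup above: it parses the two `ip route` lines exactly as posted, does longest-prefix matching the way the router's forwarding table would (the connected /28 competes with the statics), and reports any NAT IP the router cannot send to the ASA. All addresses are the ones from the question; the /28 `10.10.10.224/28` is inferred from the router and ASA addresses given.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Values constructed from the question above (not a live config).
ASA_OUTSIDE_NET = ipaddress.ip_network("10.10.10.224/28")  # new /28 shared by router and ASA
NAT_POOL_FIRST = ipaddress.ip_address("10.10.10.11")       # NAT pool .11-.135
NAT_POOL_LAST = ipaddress.ip_address("10.10.10.135")
ROUTER_STATIC_LINES = [
    "ip route 10.10.10.0 255.255.255.128 10.10.10.228 250",
    "ip route 10.10.10.128 255.255.255.192 10.10.10.228 250",
]

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address, int]  # prefix, next hop, AD


def parse_ip_route(line: str) -> Route:
    """Parse an IOS 'ip route <net> <mask> <next-hop> [<ad>]' line (next-hop form only)."""
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["ip", "route"]:
        raise ValueError(f"not a static route: {line!r}")
    net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}")  # strict: mask must fit the prefix
    nh = ipaddress.ip_address(parts[4])
    ad = int(parts[5]) if len(parts) > 5 and parts[5].isdigit() else 1
    return net, nh, ad


ROUTER_STATICS: List[Route] = [parse_ip_route(l) for l in ROUTER_STATIC_LINES]


def nat_pool() -> List[ipaddress.IPv4Address]:
    return [ipaddress.ip_address(i) for i in range(int(NAT_POOL_FIRST), int(NAT_POOL_LAST) + 1)]


def resolve(dst: str, statics: Optional[List[Route]] = None) -> Optional[Tuple[str, str]]:
    """Longest-prefix match as the router would do it. The connected /28 is a
    candidate alongside the statics; the most specific prefix wins. The AD of
    250 plays no part here: AD only breaks ties between routes to the same prefix."""
    statics = ROUTER_STATICS if statics is None else statics
    ip = ipaddress.ip_address(dst)
    candidates = [(ASA_OUTSIDE_NET, "connected")]
    candidates += [(net, f"via {nh}") for net, nh, _ad in statics]
    matches = [c for c in candidates if ip in c[0]]
    if not matches:
        return None
    best = max(matches, key=lambda c: c[0].prefixlen)
    return str(best[0]), best[1]


def audit(statics: Optional[List[Route]] = None) -> Dict[str, List[str]]:
    """All three lists must be empty for the router to forward every NAT IP to the ASA:
      unrouted       NAT IPs no static covers (they would follow the router's default route instead)
      on_asa_subnet  NAT IPs inside the ASA's /28: the connected route wins longest-match, so they
                     are never reached through the statics and depend on the ASA answering ARP
      bad_next_hop   statics whose next hop is not on the /28, so the router cannot resolve them"""
    statics = ROUTER_STATICS if statics is None else statics
    report: Dict[str, List[str]] = {"unrouted": [], "on_asa_subnet": [], "bad_next_hop": []}
    for ip in nat_pool():
        hit = resolve(str(ip), statics)
        if hit is None:
            report["unrouted"].append(str(ip))
        elif hit[1] == "connected":
            report["on_asa_subnet"].append(str(ip))
    for net, nh, _ad in statics:
        if nh not in ASA_OUTSIDE_NET:
            report["bad_next_hop"].append(f"{net} via {nh}")
    return report


if __name__ == "__main__":
    for ip in ("10.10.10.11", "10.10.10.135", "10.10.10.228"):
        print(ip, "->", resolve(ip))
    print("as posted:", audit())
    # Drop the /26 static to see the check flag .128-.135 as unrouted.
    print("without the /26:", audit(ROUTER_STATICS[:1]))
```

With the routes as posted the report comes back empty: the /25 covers .11-.127, the /26 covers .128-.135, neither overlaps the /28, and the next hop .228 is directly connected. That narrows the failure to something the ASA side does with those packets (xlates, ARP, or the outside ACL), not to the router's routing table.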

Accepted Solution

Paul

One thing we thought of after backing this out (it didn't work) is to change our statics to route to the *interface* instead of the actual ASA IP, but I don't know if that will work either.

Not sure I understand the above statement, but in terms of what you originally tried, it should work, as the ASA often handles IPs that are not assigned to an interface in terms of NAT.

Difficult to say why it didn't work. It is always a good idea to clear existing xlates and ARP caches etc., but you may have done that anyway.

What exactly didn't work?

Jon

Jon, we could ping from the ASA to the router IP and vice versa, but could not ping from the router to any of the NAT IPs. We have a similar setup in another data center, but the firewall there is not an ASA, so I'm not sure the same things will work (but as you say, I can't think of why it would not work).

I am setting up a parallel system in which to test.  Thanks for the response.
