
identity nat question - asa5520

Alex Samad
Level 1

Hi

I have a class C, 1.2.3.0/24, on the internet side of my asa5520.

Currently I use object NAT to translate 1.2.3.x to inside addresses like 10.10.24.x.

I want to route one of these addresses inside now, so:

1.2.3.10 is NATed to 10.10.10.24

1.2.3.11 is to be routed inside via the route table.

So can I set up an identity NAT (can I do that with object NAT?)

Will this reply to ARP requests on the outside? So the ASA will ARP reply for 1.2.3.10 in the above example; will it also ARP reply for 1.2.3.11?

ta

Alex


5 Replies

Mike Williams
Level 5

Hi Alex,

What you are wanting to do is not possible in routed mode. Identity NAT would not work. You would have to assign 1.2.3.11 to a device behind the firewall, but it would not be able to communicate with anything because it won't have a default gateway on the same subnet. Even if you could allocate a block (say a /30) from the class C subnet, the traffic would never get there, as the firewall would think those IPs are on the outside interface.

What you could potentially do, and I would definitely not recommend this, is use a second context in transparent mode and pass that subnet through the transparent context. That configuration would get very confusing and makes supporting the network much more difficult.

May I ask, what is driving the need to have that IP assigned directly to a device behind the firewall?

Regards,
Mike

Hmm

Interesting. I already have this set up. I have a /32 on a loopback interface on an internal router/NAT box; internally I am using OSPF to propagate the route... as it's a /32, it's that address that is being routed and not the whole subnet.

I am doing my NAT closer to where I need it and not on the outside firewall (asa5520).

From my reading of the NAT stuff on the ASA, identity NAT will force the ASA to stop looking at any other NAT rules and drop down into the routing table.

My concern is I don't really have a test bed, so I was hoping to see if anyone has done the same thing.

Which basically is: some of the /24 is object NATed and some is identity object NATed.


Remember, the ASA is not a router, and due to built in security features, a lot of the tricks you can use on a router will not work on the ASA. Since it has a /24 assigned to the outside interface, it will not allow a slice of that to be routed to another interface.

Regards,

Mike

Hmm

Well, currently it is my default GW for a lot of my networks; it used to be the DGW for all, but I am moving internal/core stuff off it.

So I agree it's not sold as a router, but it definitely does route.

So from my reading what I am planning is actually possible; again, I could be wrong. I will wait and see if anyone else can add anything, or until I get some time to try it.

If you check out the NAT identity examples, they say you can, but the examples don't include object NAT and object identity NAT:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/nat_overview.html#wp1102289

under identity NAT, but it's not 100% clear for my scenario.

Thanks for your input.

EDIT:

Note the /32 is nothing special; I believe it is Cisco best practice for router IDs. This is assigning a /32 to a loopback address and advertising it via a routing protocol.

I thought I would follow up just in case there are others out there who would like to do this.

I did find another name for it apart from identity NAT: NAT exemption.

So basically, what I want the ASA to do on an external interface with a publicly routable /24:

So now I have the ASA on 1 interface

*) with IP address assigned to the interface

*) ARP replying for object NAT

*) ARP replying for identity NAT, and it is using the routing table, not the assigned interface! (this covered it: https://supportforums.cisco.com/document/44566/asa-83-nat-exemption-example-basic-l2l-vpn-and-basic-ra-vpn)

The last one allows for some of the range to route internally!

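Added example (not part of the original thread, and not Cisco's own sample) of the configuration the last post describes, in ASA 8.3+ object NAT syntax: one public address from the /24 translated to an inside host, and a second public address from the same /24 left untranslated with identity NAT (NAT exemption) so the ASA proxy-ARPs for it on the outside and forwards it by route lookup. Interface names, object names, the outside gateway 1.2.3.254 and the inside next hop 10.10.10.254 are assumptions; the original poster learned the /32 via OSPF, so the static route is only a placeholder. The `route-lookup` keyword is assumed to require 8.4(2) or later; on 8.3 omit it and rely on the (inside,outside) pair.

```cisco
! Added example; comment lines begin with "!" and are ignored by the ASA CLI.
! Outside interface carries the public /24 from the thread (1.2.3.0/24).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.1 255.255.255.0
 no shutdown
!
! Assumed inside addressing.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
! Ordinary object NAT: public 1.2.3.10 <-> inside host 10.10.10.24.
! Because the mapped address sits inside the outside interface's subnet,
! the ASA answers ARP for 1.2.3.10 on outside.
object network HOST-10-10-10-24
 host 10.10.10.24
 nat (inside,outside) static 1.2.3.10
!
! Identity NAT for 1.2.3.11: real and mapped address are the same, so no
! translation happens, but the rule still makes the ASA answer ARP for
! 1.2.3.11 on outside and pass the packet to the routing table instead of
! treating the whole /24 as directly connected on outside.
! route-lookup (assumed 8.4(2)+) chooses the egress interface from the
! routing table rather than from the (inside,outside) pair.
! Add no-proxy-arp only if another device on the outside segment must
! own the ARP entry for 1.2.3.11.
object network PUBLIC-1-2-3-11
 host 1.2.3.11
 nat (inside,outside) static 1.2.3.11 route-lookup
!
! The /32 must be in the ASA's routing table. The thread learned it via
! OSPF from a loopback on an internal router; a static route stands in here.
route inside 1.2.3.11 255.255.255.255 10.10.10.254
route outside 0.0.0.0 0.0.0.0 1.2.3.254
!
! The NAT rules do not permit traffic by themselves. On 8.3+ the outside
! ACL matches the REAL (untranslated) address: 10.10.10.24 for the
! translated host, 1.2.3.11 for the identity-NAT host.
access-list OUTSIDE-IN extended permit tcp any host 10.10.10.24 eq 443
access-list OUTSIDE-IN extended permit tcp any host 1.2.3.11 eq 22
access-group OUTSIDE-IN in interface outside
!
! Verification from the ASA (203.0.113.9 is a constructed outside client):
! show nat detail
! show route
! packet-tracer input outside tcp 203.0.113.9 40000 1.2.3.10 443
! packet-tracer input outside tcp 203.0.113.9 40000 1.2.3.11 22
```

In the two packet-tracer runs, the first should show the untranslate to 10.10.10.24 in its NAT phase, while the second should show the identity rule matched and the egress interface chosen by the route lookup (inside, via 10.10.10.254). `show arp` lists only entries the ASA has learned, not the addresses it answers for itself, so to confirm the proxy-ARP behaviour the thread observed, send an ARP request for 1.2.3.11 from a host on the outside segment and check that the reply carries the ASA's outside MAC.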