Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
705
Views
0
Helpful
3
Replies

Public Pool, 2 ASAs, Static NAT ...

Go to solution
msunderland78
Level 1
Level 1

‎06-07-2012 01:50 PM - edited ‎03-11-2019 04:16 PM

I am looking for help on a mixture of Routing and Switching and Firewalling ...

So I have a router connected to the ISP ... the router is also connected to a switch.  Into that switch I have pugged two ASAs.  A 5505 and 5520.

I was given a /27 (255.255.255.224), 30 address block from the ISP.  Let's say the last octet of the router is .1, the ASA#1 is .2, and ASA #2 is .3.

Now I wan't to use the rest of the addresses for Static NAT (the IP addresses are publically registered to their own domain names).

Can I use any of the rest of the addresses .4 through .30, on either ASA in Static NAT (1 to 1 translation)?  Possibly even move them back and forth between ASAs?

How does the router know which as ASA it needs to forward the packet to if it is destined for .12 for example?  Does the ASA send out an ARP message for each of its static addresses that it is using?  They packets aren't broadcast to the subnet, are they?

Or is this a Layer 3 problem.  Do I have to segment my /27 into two /28's on my router (requiring an additional interface and use of another IP address)?

I was trying to debate if I could possibly model this in GNS3.

PS the reason for doing this is for dissaster recovery, moving servers between racks without changing IP address scheme (the private addressing scheme behind each ASA is identical), etc.

Thanks so much for the help,

Matt

CCNP, CCDP, CCIP, ASA Specialist               

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎06-07-2012 07:23 PM

Can I use any of the rest of the addresses .4 through .30, on either ASA  in Static NAT (1 to 1 translation)?  Possibly even move them back and  forth between ASAs?

--> YES you can

How does the router know which as ASA it needs to forward the packet to  if it is destined for .12 for example?  Does the ASA send out an ARP  message for each of its static addresses that it is using?  They packets  aren't broadcast to the subnet, are they?

--> YES, the ASA will send out an ARP to tell the router that it has that particular static address

Or is this a Layer 3 problem.  Do I have to segment my /27 into two  /28's on my router (requiring an additional interface and use of another  IP address)?

--> NO, you don't have to segment the /27 into /28

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎06-07-2012 07:23 PM

Can I use any of the rest of the addresses .4 through .30, on either ASA  in Static NAT (1 to 1 translation)?  Possibly even move them back and  forth between ASAs?

--> YES you can

How does the router know which as ASA it needs to forward the packet to  if it is destined for .12 for example?  Does the ASA send out an ARP  message for each of its static addresses that it is using?  They packets  aren't broadcast to the subnet, are they?

--> YES, the ASA will send out an ARP to tell the router that it has that particular static address

Or is this a Layer 3 problem.  Do I have to segment my /27 into two  /28's on my router (requiring an additional interface and use of another  IP address)?

--> NO, you don't have to segment the /27 into /28

0 Helpful

Go to solution
msunderland78
Level 1
Level 1
In response to Jennifer Halim

‎06-08-2012 08:16 AM

Thanks Jennifer,

That is exactly what I was looking for.

We figured out while we had partially disabled the Static NAT addresses we were translating, we had not fully disabled them on the first of the two ASAs.  So when we tried to the use them on the second, the switch still thought the first had the address (since it did).  The minute we fully disabled it, the CAM table updated ... and whalla, it began working correctly on the second ASA.

It is good to know Static NAT resolves via ARP.  I had a hard time finding any good documentation on Static NAT ARP resolution.  Does such a thing exsist?  Maybe it is just in the RFC.

THANKS AGAIN!

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to msunderland78

‎06-08-2012 08:24 AM

Good to know all is working. Thanks for the update.

Here is what you are looking for

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card