
New Member

Public Pool, 2 ASAs, Static NAT ...

I am looking for help on a mixture of Routing and Switching and Firewalling ...

So I have a router connected to the ISP ... the router is also connected to a switch.  Into that switch I have plugged two ASAs.  A 5505 and a 5520.

I was given a /27 (255.255.255.224), 30-address block from the ISP.  Let's say the last octet of the router is .1, ASA #1 is .2, and ASA #2 is .3.

Now I want to use the rest of the addresses for Static NAT (the IP addresses are publicly registered to their own domain names).

Can I use any of the rest of the addresses .4 through .30, on either ASA in Static NAT (1 to 1 translation)?  Possibly even move them back and forth between ASAs?

How does the router know which ASA it needs to forward the packet to if it is destined for .12, for example?  Does the ASA send out an ARP message for each of its static addresses that it is using?  The packets aren't broadcast to the subnet, are they?

Or is this a Layer 3 problem?  Do I have to segment my /27 into two /28s on my router (requiring an additional interface and use of another IP address)?

I was trying to debate if I could possibly model this in GNS3.

PS: the reason for doing this is disaster recovery, moving servers between racks without changing the IP address scheme (the private addressing scheme behind each ASA is identical), etc.

Thanks so much for the help,

Matt

CCNP, CCDP, CCIP, ASA Specialist

1 ACCEPTED SOLUTION

Cisco Employee
Cisco Employee

Public Pool, 2 ASAs, Static NAT ...

Can I use any of the rest of the addresses .4 through .30, on either ASA in Static NAT (1 to 1 translation)?  Possibly even move them back and forth between ASAs?

--> YES you can

How does the router know which ASA it needs to forward the packet to if it is destined for .12, for example?  Does the ASA send out an ARP message for each of its static addresses that it is using?  The packets aren't broadcast to the subnet, are they?

--> YES, the ASA will send out an ARP to tell the router that it has that particular static address

Or is this a Layer 3 problem?  Do I have to segment my /27 into two /28s on my router (requiring an additional interface and use of another IP address)?

--> NO, you don't have to segment the /27 into /28

3 REPLIES

New Member

Public Pool, 2 ASAs, Static NAT ...

Thanks Jennifer,

That is exactly what I was looking for.

We figured out that while we had partially disabled the Static NAT addresses we were translating, we had not fully disabled them on the first of the two ASAs.  So when we tried to use them on the second, the switch still thought the first had the address (since it did).  The minute we fully disabled it, the CAM table updated ... and voilà, it began working correctly on the second ASA.

It is good to know Static NAT resolves via ARP.  I had a hard time finding any good documentation on Static NAT ARP resolution.  Does such a thing exist?  Maybe it is just in the RFC.

THANKS AGAIN!
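An added example (not from this thread or from Cisco) that models the two points above: a planning check that every public address used for 1:1 static NAT on either ASA is a usable host in the /27 and is claimed by only one ASA at a time, and a detector that flags the symptom Matt hit, the same public IP being answered in ARP by two different MACs because the static was still active on the first ASA. The prefix 203.0.113.0/27, the MACs and the ARP samples are constructed stand-ins; .1/.2/.3 follow the thread's layout.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for the ISP /27; .1 router, .2 ASA #1, .3 ASA #2 as in the thread.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/27")
RESERVED = {PUBLIC_BLOCK.network_address + 1,   # .1 router
            PUBLIC_BLOCK.network_address + 2,   # .2 ASA #1 outside interface
            PUBLIC_BLOCK.network_address + 3}   # .3 ASA #2 outside interface


def check_static_pools(pools):
    """pools: {asa_name: [public IPs used for 1:1 static NAT on that ASA]}.
    Returns a list of problems; an empty list means the plan is consistent.
    Any address .4-.30 may sit on either ASA, but only one ASA may own it at a time."""
    problems = []
    owner = {}
    for asa, addrs in pools.items():
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip not in PUBLIC_BLOCK or ip in (PUBLIC_BLOCK.network_address,
                                                PUBLIC_BLOCK.broadcast_address):
                problems.append(f"{asa}: {ip} is not a usable host address in {PUBLIC_BLOCK}")
            elif ip in RESERVED:
                problems.append(f"{asa}: {ip} is an interface address, not free for static NAT")
            elif ip in owner and owner[ip] != asa:
                problems.append(f"{ip} is configured on both {owner[ip]} and {asa}")
            owner.setdefault(ip, asa)
    return problems


def find_duplicate_arp_owners(arp_replies):
    """arp_replies: iterable of (ip, mac) pairs observed on the outside segment
    (e.g. from a capture or the router's ARP cache over time).
    Returns {ip: sorted MACs} for every IP answered by more than one MAC, which is
    what a static left active on the old ASA looks like while the new ASA also answers."""
    seen = defaultdict(set)
    for ip, mac in arp_replies:
        seen[ipaddress.ip_address(ip)].add(mac.lower())
    return {str(ip): sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    print(check_static_pools({"asa1": ["203.0.113.12", "203.0.113.2"],
                              "asa2": ["203.0.113.12", "203.0.113.31"]}))
    # Constructed ARP samples: .12 answered by two MACs, .20 by one.
    print(find_duplicate_arp_owners([("203.0.113.12", "00:11:22:33:44:01"),
                                     ("203.0.113.12", "00:11:22:33:44:02"),
                                     ("203.0.113.20", "00:11:22:33:44:02")]))
```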

Cisco Employee

Public Pool, 2 ASAs, Static NAT ...

Good to know all is working. Thanks for the update.

Here is what you are looking for

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975
