[AusNOG] Cisco ASA question
Alex Samad - Yieldbroker
Alex.Samad at yieldbroker.com
Thu Apr 3 15:57:43 EST 2014
  +--+
  |R0| 1.2.3.254/24
  +--+
 1.2.3.0/24 Public
+-------------------+   object nat for
  .1 & .2               .10,.11,.12,.13,.14
  +--+                  etc
  |R1|
  +--+
+---------------+
 10.0.0.0/24
+-----------------+
  +--+ 1.2.3.129/32
  |R2| on loopback
  +--+
1.2.3.0/24 - is a public routable network
R0 is a router on 1.2.3.0/24 network
R1 is the ASA; int internet is on network 1.2.3.0/24 and has .1 & .2 assigned to it (ASA cluster); it also has the DGW via 1.2.3.254
R2 is a router inside my network and advertises 1.2.3.129/32 via OSPF, which R1 picks up on interface internal
10.0.0.0/24 is used on the internal R1 interface
So if R0 tries to send a packet to 1.2.3.129, will the ASA (R1) reply to ARP requests, and will it then route it internally if I use identity NAT or the NAT exemption some people have suggested?
Thanks to Eric for the link to asci draw. I think though that outlook kills it :(
A
> -----Original Message-----
> From: Alex Samad - Yieldbroker
> Sent: Thursday, 3 April 2014 2:26 PM
> To: ausnog at lists.ausnog.net
> Subject: Cisco ASA question
>
> Hi
>
> I have a Cisco ASA question for the list.
>
> I have a 5520 (cluster)
>
> int Internet
> int internal
>
> On the internet I have my dGW to the internet. I also have my own class C,
> let's say 1.2.3.0/24
>
> I have a few object nat's defined for 1.2.3.x/24
>
> I am going to start moving the NAT function away from the ASA.
>
> I have a router inside my network with 1.2.3.129/32 on a loopback interface
> and it's advertised internally via OSPF. It can be seen on the ASA.
>
> From my reading I believe I can get the ASA to forward and not NAT for .129 if
> I use Identity NAT.
>
> But I can't find any examples for mixed Object NAT and identity NAT. And I
> am not sure the identity NAT will respond to ARP on the internet interface.
> And I presume I have to add the right permit.
>
> I asked at the Cisco forums, but the only person to respond said I couldn't do
> the /32 trick ...
>
> So I have come to the list
>
> Thanks in advance
>
> Alex