[AusNOG] Cisco ASA question

Alex Samad - Yieldbroker Alex.Samad at yieldbroker.com
Sat Apr 5 22:05:26 EST 2014


Hi

Just to follow up: got it to work.

NAT exemption and identity NAT worked out to be the same thing (sort of).

So now I have the ASA on 1 interface
*) with IP address assigned to the interface
*) ARP replying for object NAT
*) ARP replying for identity NAT, and it is using the routing table, not the assigned interface! (this covered it: https://supportforums.cisco.com/document/44566/asa-83-nat-exemption-example-basic-l2l-vpn-and-basic-ra-vpn)


Thanks for the pointers to exemption NAT.

Alex

> -----Original Message-----
> From: Alex Samad - Yieldbroker
> Sent: Thursday, 3 April 2014 3:58 PM
> To: ausnog at lists.ausnog.net
> Subject: RE: Cisco ASA question
> 
>      ++
>      |R0|                                      1.2.3.254/24
>      ++
> 
>    1.2.3.0/24                                    Public
> 
> +-------------------+         object nat for
>        .1 & .2                                              .10,.11,.12,.13,.14
>      ++                                                       etc
>      |R1|
>      ++
> 
>  +---------------+
>      10.0.0.0/24
> 
> 
> 
> +-----------------+
> 
>      ++              1.2.3.129/32
>      |R2|              on loopback
>      ++
> 
> 
> 1.2.3.0/24 - is a public routable network
> R0 is a router on the 1.2.3.0/24 network
> R1 is the ASA; int Internet is on network 1.2.3.0/24 and has .1 & .2 assigned to it (ASA
> cluster); it also has the DGW via 1.2.3.254
> R2 is a router inside my network and advertises 1.2.3.129/32 via OSPF, which
> R1 picks up on interface internal
> 
> 10.0.0.0/24 is used on the internal R1 interface
> 
> So if R0 tries to send a packet to 1.2.3.129, will the ASA (R1) reply to ARP
> requests, and will it then route it internally if I use identity NAT or the NAT
> exemption some people have suggested?
> 
> Thanks to Eric for the link to ASCII draw. I think though that Outlook kills it :(
> 
> A
> 
> 
> 
> 
> 
> > -----Original Message-----
> > From: Alex Samad - Yieldbroker
> > Sent: Thursday, 3 April 2014 2:26 PM
> > To: ausnog at lists.ausnog.net
> > Subject: Cisco ASA question
> >
> > Hi
> >
> > I have a Cisco ASA question for the list.
> >
> > I have a 5520 (cluster)
> >
> > int Internet
> > int internal
> >
> > On the Internet interface I have my DGW to the internet; I also have my own
> > class C, let's say 1.2.3.0/24
> >
> > I have a few object nat's defined for 1.2.3.x/24
> >
> > I am going to start moving the NAT function away from the ASA.
> >
> > I have a router inside my network with 1.2.3.129/32 on a loopback
> > interface, and it's advertised internally via OSPF. It can be seen on
> > the ASA
> >
> > From my reading I believe I can get the ASA to forward and not nat for
> > .129 if I use Identity NAT
> >
> > But I can't find any examples for mixed object NAT and identity NAT,
> > and I am not sure the identity NAT will respond to ARP on the Internet
> > interface, and I presume I have to add the right permit.
> >
> > I asked at the cisco forums, but the only person to respond said I
> > couldn't do the /32 trick ...
> >
> > So I have come to the list
> >
> > Thanks in advance
> >
> > Alex
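The configuration below is an added illustration of the setup the thread converges on (object NAT for translated hosts alongside an identity NAT rule for the /32 that R2 advertises), written from the thread's description rather than taken from Alex's actual ASA. It assumes post-8.3 NAT syntax, the interface names Internet and internal from the thread, and constructed inside addresses (10.0.0.10 behind 1.2.3.10, and 10.0.0.11 behind 1.2.3.11); the object names, the access-list name and the `route-lookup` keyword on the identity rule are my choices, not the poster's, and the keyword is only available on ASA software that supports it.

```cisco
! --- Object NAT: hosts that the ASA still translates (constructed example) ---
object network SRV_A_INSIDE
 host 10.0.0.10
 nat (internal,Internet) static 1.2.3.10
!
object network SRV_B_INSIDE
 host 10.0.0.11
 nat (internal,Internet) static 1.2.3.11
!
! --- Identity NAT (NAT exemption) for the /32 that R2 owns ---
! Mapped and real address are the same, so 1.2.3.129 is forwarded untranslated.
! route-lookup makes the ASA pick the egress interface from the routing table
! (the OSPF route learned on "internal") instead of the interface named in the
! rule; this matches the behaviour the thread describes.
object network R2_LOOPBACK
 host 1.2.3.129
!
nat (internal,Internet) source static R2_LOOPBACK R2_LOOPBACK route-lookup
!
! --- Inbound policy: identity NAT exempts translation, not the ACL check ---
! Only the ports that should be reachable from the outside are permitted;
! everything else towards 1.2.3.129 is dropped at the Internet interface.
access-list INTERNET_IN extended permit tcp any host 1.2.3.129 eq https
access-group INTERNET_IN in interface Internet
!
! --- Checks (run from enable mode) ---
! show nat detail            -> both rule types listed, hit counters move on traffic
! show arp                   -> confirms which addresses the ASA is answering for
! packet-tracer input Internet tcp 203.0.113.5 40000 1.2.3.129 443
!                            -> walks the flow through NAT, route lookup and the ACL
```

The important design point is the last block: an identity NAT rule only removes the translation, so the explicit permit on the outside interface is still what limits what can reach 1.2.3.129 from the public network, and packet-tracer is the quickest way to confirm the ASA chooses the internal interface for that destination rather than trying to ARP for it on Internet.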

