
Monday, December 2, 2013

Is it possible to insert the routes in OSPF without breaking NAT?


The Cisco ASA basically has a /19 public address space at its disposal. While changing from static routes to OSPF it became apparent that only subnets configured on interfaces are distributed over OSPF. The effect is that the routers in front of the ASA don't have a route to the addresses used for 1:1 NAT.

Since the ASA doesn't support a null interface, I can't create a null route to have it redistributed in the OSPF process. The only workaround I have been able to come up with is using static routes on the routers for these networks, but if I do so and simulate that the internal NIC on the router is down, then it has no way of reaching them, even though its neighbor router, reachable over an interface for iBGP, knows how to get there.

I'm thinking I might be able to set up the 1:1 NAT addresses (limited to that of two /24s) on interfaces on the ASA. It would definitely have the routes inserted into OSPF, but I'm unsure if that will break NAT. Changing from internal addresses with 1:1 NAT to public addresses is not really an option until all other options have been considered, due to the sheer amount of work that would need to be done.

You used to be able to create a static route for the NAT pool on the ASA with a next-hop IP address of the ASA's outside interface; this could then be redistributed into the IGP. I think recent ASA code has prevented this behaviour as it detects that the next-hop IP address is its local interface.

You could try configuring reliable static routing on the edge routers so that in the event that the inside interface is down, or the outside interface of the ASA no longer responds to ICMP, the static route is removed and a floating static route with a higher AD is installed pointing to the second edge router.
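
A sketch of the reliable static routing described above, added here as an example and not taken from the original discussion. It assumes the edge routers run Cisco IOS; every address is a placeholder from the documentation ranges (203.0.113.0/24 for one 1:1 NAT block, 198.51.100.1 for the ASA outside interface, 192.0.2.2 for the second edge router), and GigabitEthernet0/1 is an assumed name for the interface facing the ASA.

```cisco
! Probe the ASA outside interface with ICMP every 5 seconds.
! 198.51.100.1 and GigabitEthernet0/1 are assumed placeholders.
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 threshold 1000
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! The track object follows probe reachability; the delay damps flapping.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary static route for the NAT block, installed only while track 1 is up.
ip route 203.0.113.0 255.255.255.0 198.51.100.1 track 1
!
! Floating static route (AD 250) via the second edge router (placeholder
! 192.0.2.2); it enters the routing table only when the primary is withdrawn.
ip route 203.0.113.0 255.255.255.0 192.0.2.2 250
!
! Verify with:
!   show track 1
!   show ip sla statistics 1
!   show ip route 203.0.113.0
```

Repeat both routes for each NAT block. If both edge routers lose the ASA at the same time, their floating routes point at each other and traffic for the NAT block loops between them until the TTL expires.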

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content that is relevant to the topic from different sources on the web. The sources might include any online discussion boards, forums, websites and others.

2 comments :

  1. Urika says,

    Hello dude, this is a very well delivery about insert the routes in OSPF without breaking NAT and truly before read this concept I did not have any idea about in such way but your allocation helps me to know it. Thanks :)
