Velocity Reviews

Source: Velocity Reviews > Cisco > http://www.velocityreviews.com/forums/t744165-cisco-asa-dont-nat-routes-anounced-via-ospf.html

Thomas Glanzmann 02-25-2011 04:45 AM

Cisco ASA: Don't NAT routes announced via OSPF
 
Hello,
I'm running a Cisco ASA5505 with Software Version 8.4(1) and one
interface. I'm using it as an SSLVPN endpoint. The ASA has a public IP
address and gives the pool 10.11.11.0/24 to its SSLVPN clients. The ASA can
also reach a router other than the default router in the network, which
propagates ca. 56 routes via OSPF. I would like to tell the ASA to NAT
everything that goes out to the internet (default router) but not to NAT for the
addresses announced via OSPF. My configuration so far is:

Define Networks (used for NAT exceptions):

object network VPNaddresses
subnet 10.11.11.0 255.255.255.0
object network VLaddresses
subnet 10.10.10.0 255.255.255.0
object network R28addresses
subnet 192.168.0.0 255.255.255.0
....

NAT exceptions:

nat (inside,any) source static VPNaddresses VPNaddresses destination static VPNaddresses VPNaddresses
nat (inside,any) source static VPNaddresses VPNaddresses destination static R28addresses R28addresses
nat (inside,any) source static VPNaddresses VPNaddresses destination static VLaddresses VLaddresses
....

And a NAT rule for the SSLVPN clients:

object network VPNaddresses
nat (inside,inside) dynamic interface

This works perfectly fine, but every time a new route is announced, I have to
manually patch up the exceptions. I would like to tell the ASA to apply the NAT
exceptions automatically using the OSPF-announced prefix list. In IOS I did
exactly this using route maps. I spent one evening trying to configure NAT
exceptions for the ASA using OSPF routes, but failed because the NAT exceptions
only take network objects and I wasn't able to find out how to include the
OSPF routes in a network object.

Regarding OSPF, I have one other issue: If I tell the ASA to propagate the
route to the network 10.11.11.0/24 (SSLVPN Clients), it does not add itself as
the default router but the default router of the network the ASA resides in.
Also when I look at the routing table it looks like this:

O E2 192.168.60.0 255.255.255.0 [110/20] via 1.2.3.67, 46:47:05, inside
S 10.11.11.1 255.255.255.255 [1/0] via 1.2.3.65, inside
C 1.2.3.64 255.255.255.224 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 1.2.3.65, inside

As you can see the default router for 10.11.11.0/24 (SSLVPN Clients) is the
default router of the ASA and not the ASA itself. From my understanding it
should be the ASA itself.

So my questions boil down to the following:

- How to tell the ASA not to NAT to destination addresses that are
announced via OSPF for the SSLVPN Clients?

- How to tell the ASA to propagate the route to the SSLVPN clients via
OSPF with the right default router (itself)?

Cheers,
Thomas
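The post does not say whether ASA 8.4 can bind NAT exemptions to OSPF-learned prefixes directly, so the practical workaround is to automate the manual step the poster describes: read the routing table, pick out the OSPF-learned prefixes, and generate the identity-NAT (`source static X X destination static Y Y`) lines for any prefix that is not yet exempted. The script below is an added example written for this page; it is not ASA functionality and not the poster's configuration. The `show route` and configuration samples are constructed from the lines quoted above, the `OSPF_<network>_<prefixlen>` object naming is an assumption, and generated lines still have to be reviewed and applied by an operator.

```python
"""Generate ASA identity-NAT lines for OSPF-learned prefixes (added example).

Not ASA functionality and not the poster's own code. It automates the manual
step from the post: parse `show route`, find OSPF-learned prefixes, and emit
`object network` / `nat ... source static ... destination static` lines for
prefixes that no existing exemption for the VPN pool already covers.
"""
import ipaddress
import re

# Constructed sample of ASA "show route" output, modelled on the lines quoted
# in the post (prefixes, next hops and timers are made up for this example).
SAMPLE_ROUTE_TABLE = """\
O E2 192.168.60.0 255.255.255.0 [110/20] via 1.2.3.67, 46:47:05, inside
O 10.10.10.0 255.255.255.0 [110/11] via 1.2.3.67, 46:47:05, inside
S 10.11.11.1 255.255.255.255 [1/0] via 1.2.3.65, inside
C 1.2.3.64 255.255.255.224 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 1.2.3.65, inside
"""

# Constructed sample of the existing configuration, following the post.
SAMPLE_CONFIG = """\
object network VPNaddresses
 subnet 10.11.11.0 255.255.255.0
object network VLaddresses
 subnet 10.10.10.0 255.255.255.0
nat (inside,any) source static VPNaddresses VPNaddresses destination static VPNaddresses VPNaddresses
nat (inside,any) source static VPNaddresses VPNaddresses destination static VLaddresses VLaddresses
"""

# OSPF route codes in the ASA routing table: O, O IA, O N1/N2, O E1/E2.
ROUTE_RE = re.compile(
    r"^O(?: (?:IA|N1|N2|E1|E2))?\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s"
)
OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
SUBNET_RE = re.compile(r"^\s*subnet (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$")
# Identity NAT: source and mapped source equal, destination and mapped equal.
NAT_RE = re.compile(
    r"^nat \(\S+\) source static (\S+) \1 destination static (\S+) \2\s*$"
)


def ospf_prefixes(route_table: str) -> list[ipaddress.IPv4Network]:
    """Return the OSPF-learned prefixes from `show route` text, sorted."""
    found = set()
    for line in route_table.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            found.add(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"))
    return sorted(found)


def exempted_destinations(config: str, vpn_object: str) -> set[ipaddress.IPv4Network]:
    """Subnets already used as identity-NAT destinations for `vpn_object`."""
    objects: dict[str, ipaddress.IPv4Network] = {}
    dest_names = set()
    current = None
    for line in config.splitlines():
        if m := OBJECT_RE.match(line):
            current = m.group(1)
        elif (m := SUBNET_RE.match(line)) and current:
            objects[current] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
        elif (m := NAT_RE.match(line)) and m.group(1) == vpn_object:
            dest_names.add(m.group(2))
    # Names that are not plain subnet objects (e.g. host objects) are ignored.
    return {objects[n] for n in dest_names if n in objects}


def object_name(net: ipaddress.IPv4Network) -> str:
    """Assumed naming scheme for generated objects: OSPF_<network>_<prefixlen>."""
    return f"OSPF_{str(net.network_address).replace('.', '_')}_{net.prefixlen}"


def missing_exemptions(route_table: str, config: str,
                       vpn_object: str = "VPNaddresses") -> list[str]:
    """Config lines adding identity NAT for OSPF prefixes not yet exempted."""
    covered = exempted_destinations(config, vpn_object)
    lines: list[str] = []
    for net in ospf_prefixes(route_table):
        # Skip prefixes already covered, including by a larger existing object.
        if any(net.subnet_of(c) for c in covered):
            continue
        name = object_name(net)
        lines += [
            f"object network {name}",
            f" subnet {net.network_address} {net.netmask}",
            f"nat (inside,any) source static {vpn_object} {vpn_object} "
            f"destination static {name} {name}",
        ]
    return lines


if __name__ == "__main__":
    print("\n".join(missing_exemptions(SAMPLE_ROUTE_TABLE, SAMPLE_CONFIG)))
```

With the constructed samples, 10.10.10.0/24 is skipped because the existing VLaddresses exemption already covers it, and only 192.168.60.0/24 produces new lines. Feeding the script real `show route` and `show running-config` output replaces the manual patching each time a new OSPF route appears; a route that is withdrawn leaves its exemption in place, which is the safer failure mode (traffic to a vanished prefix is still not NATed rather than silently NATed).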

