Velocity Reviews - Computer Hardware Reviews

Cisco ASA: Don't NAT routes anounced via OSPF

 
 
Thomas Glanzmann
02-25-2011
Hello,
I'm running a Cisco ASA5505 with Software Version 8.4(1) and one
interface. I'm using it as an SSLVPN endpoint. The ASA has a public IP
address and gives the pool 10.11.11.0/24 to its SSLVPN clients. The ASA can
also reach a router other than the default router in the network, which
propagates ca. 56 routes via OSPF. I would like to tell the ASA to NAT
everything that goes out to the internet (default router) but not NAT the
addresses announced via OSPF. My configuration so far is:

Define Networks (used for NAT exceptions):

object network VPNaddresses
 subnet 10.11.11.0 255.255.255.0
object network VLaddresses
 subnet 10.10.10.0 255.255.255.0
object network R28addresses
 subnet 192.168.0.0 255.255.255.0
....

NAT exceptions:

nat (inside,any) source static VPNaddresses VPNaddresses destination static VPNaddresses VPNaddresses
nat (inside,any) source static VPNaddresses VPNaddresses destination static R28addresses R28addresses
nat (inside,any) source static VPNaddresses VPNaddresses destination static VLaddresses VLaddresses
....

And a NAT rule for the SSLVPN clients:

object network VPNaddresses
 nat (inside,inside) dynamic interface

This works perfectly fine, but every time a new route is announced, I have to
manually patch up the exceptions. I would like to tell the ASA to apply the NAT
exceptions automatically using the OSPF-announced prefix list. In IOS I did
exactly this using route maps. I spent one evening trying to configure NAT
exceptions for the ASA using OSPF routes, but failed because the NAT exceptions
only take network objects and I wasn't able to find out how to include the
OSPF routes in a network object.

Regarding OSPF, I have one other issue: If I tell the ASA to propagate the
route to the network 10.11.11.0/24 (SSLVPN Clients), it does not add itself as
the default router but the default router of the network the ASA resides in.
Also when I look at the routing table it looks like this:

O E2 192.168.60.0 255.255.255.0 [110/20] via 1.2.3.67, 46:47:05, inside
S 10.11.11.1 255.255.255.255 [1/0] via 1.2.3.65, inside
C 1.2.3.64 255.255.255.224 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 1.2.3.65, inside

As you can see the default router for 10.11.11.0/24 (SSLVPN Clients) is the
default router of the ASA and not the ASA itself. From my understanding it
should be the ASA itself.

So my questions boil down to the following:

- How to tell the ASA not to NAT to destination addresses that are
announced via OSPF for the SSLVPN Clients?

- How to tell the ASA to propagate the route to the SSLVPN clients via
OSPF with the right default router (itself)?

Cheers,
Thomas
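The manual patching described in the post (a new OSPF route appears, a matching network object and identity-NAT line have to be added by hand) can be automated outside the ASA. The following script is an added example, not code from the post or from Cisco: it parses `show route` output laid out like the lines quoted above, compares the OSPF-learned prefixes against the `object network` / `subnet` entries already in the running config, and emits only the missing objects and exemption lines, in the same `nat (inside,any) source static ... destination static ...` shape the post already uses. The sample route table and config excerpt are constructed, the `OSPF_<net>_<len>` object naming is this script's own choice, and the route-code layout (`O`, `O E1/E2`, `O IA`, `O N1/N2`) is assumed from the quoted output. Pushing the generated lines to the device is left to whatever configuration-management step is already in place.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample `show route` output, laid out like the lines quoted in the post
# (assumption: OSPF routes print as "O", "O E1/E2", "O IA" or "O N1/N2", then
# network, mask, [admin/metric], next hop and interface).
SAMPLE_ROUTE_TABLE = """\
O E2 192.168.60.0 255.255.255.0 [110/20] via 1.2.3.67, 46:47:05, inside
O 10.10.10.0 255.255.255.0 [110/11] via 1.2.3.67, 46:47:05, inside
S 10.11.11.1 255.255.255.255 [1/0] via 1.2.3.65, inside
C 1.2.3.64 255.255.255.224 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 1.2.3.65, inside
"""

# Constructed excerpt of the running config: objects that already exist.
SAMPLE_CONFIG = """\
object network VPNaddresses
 subnet 10.11.11.0 255.255.255.0
object network VLaddresses
 subnet 10.10.10.0 255.255.255.0
object network R28addresses
 subnet 192.168.0.0 255.255.255.0
"""

# Match only OSPF-learned entries: route code, then dotted network and mask.
OSPF_ROUTE_RE = re.compile(
    r"^O(?: E[12]| IA| N[12])?\s+"
    r"(?P<net>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3})\s"
)
OBJECT_RE = re.compile(r"^object network (?P<name>\S+)\s*$")
SUBNET_RE = re.compile(r"^\s*subnet (?P<net>\S+) (?P<mask>\S+)\s*$")


def ospf_prefixes(route_table: str) -> List[ipaddress.IPv4Network]:
    """Extract the prefixes of OSPF-learned routes from `show route` text."""
    prefixes: List[ipaddress.IPv4Network] = []
    for line in route_table.splitlines():
        m = OSPF_ROUTE_RE.match(line.strip())
        if m:
            # ipaddress accepts a dotted netmask after the slash.
            prefixes.append(ipaddress.IPv4Network(f"{m['net']}/{m['mask']}"))
    return prefixes


def existing_objects(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map `object network` names to their subnets from running-config text."""
    objects: Dict[str, ipaddress.IPv4Network] = {}
    current = None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m["name"]
            continue
        m = SUBNET_RE.match(line)
        if m and current:
            objects[current] = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}")
    return objects


def object_name(net: ipaddress.IPv4Network) -> str:
    """Deterministic object name, e.g. OSPF_192_168_60_0_24 (this script's own scheme)."""
    return f"OSPF_{str(net.network_address).replace('.', '_')}_{net.prefixlen}"


def nat_exemptions(route_table: str, config: str = "", vpn_object: str = "VPNaddresses",
                   in_if: str = "inside", out_if: str = "any") -> List[str]:
    """Emit object + identity-NAT lines for OSPF prefixes not already covered by an
    existing object. Line shape mirrors the exemptions quoted in the post."""
    covered = list(existing_objects(config).values())
    lines: List[str] = []
    for net in ospf_prefixes(route_table):
        if any(net.subnet_of(c) for c in covered):
            continue  # an existing object already exempts this prefix
        name = object_name(net)
        lines.append(f"object network {name}")
        lines.append(f" subnet {net.network_address} {net.netmask}")
        lines.append(f"nat ({in_if},{out_if}) source static {vpn_object} {vpn_object} "
                     f"destination static {name} {name}")
    return lines


if __name__ == "__main__":
    # With the sample config, 10.10.10.0/24 is already covered by VLaddresses,
    # so only 192.168.60.0/24 produces new lines.
    print("\n".join(nat_exemptions(SAMPLE_ROUTE_TABLE, SAMPLE_CONFIG)))
```

Exempting only the prefixes actually learned via OSPF, rather than a broad "everything private" exception, keeps the NAT policy as tight as the routing table; the comparison against existing objects also makes the script safe to re-run after each route change, since it never emits a duplicate for a prefix that is already covered.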
 