Cisco ASA: Don't NAT routes announced via OSPF

Discussion in 'Cisco' started by Thomas Glanzmann, Feb 25, 2011.

  1. Hello,
    I'm running a Cisco ASA5505 with Software Version 8.4(1) and one
    interface. I'm using it as an SSLVPN endpoint. The ASA has a public IP
    address and gives the pool 10.11.11.0/24 to its SSLVPN clients. The ASA can
    also reach a router other than the default router in the network, which
    propagates ca. 56 routes via OSPF. I would like to tell the ASA to NAT
    everything that goes out to the internet (default router) but not to NAT the
    addresses announced via OSPF. My configuration so far is:

    Define Networks (used for NAT exceptions):

    object network VPNaddresses
    subnet 10.11.11.0 255.255.255.0
    object network VLaddresses
    subnet 10.10.10.0 255.255.255.0
    object network R28addresses
    subnet 192.168.0.0 255.255.255.0
    ....

    NAT exceptions:

    nat (inside,any) source static VPNaddresses VPNaddresses destination static VPNaddresses VPNaddresses
    nat (inside,any) source static VPNaddresses VPNaddresses destination static R28addresses R28addresses
    nat (inside,any) source static VPNaddresses VPNaddresses destination static VLaddresses VLaddresses
    ....

    And a NAT rule for the SSLVPN clients:

    object network VPNaddresses
    nat (inside,inside) dynamic interface

    This works perfectly fine, but every time a new route is announced, I have to
    manually patch up the exceptions. I would like to tell the ASA to apply the NAT
    exceptions automatically using the OSPF-announced prefix list. In IOS I did
    exactly this using route maps. I spent one evening trying to configure NAT
    exceptions for the ASA using OSPF routes, but failed because the NAT exceptions
    only take network objects and I wasn't able to find out how to include the
    OSPF routes in a network object.

    Regarding OSPF, I have one other issue: If I tell the ASA to propagate the
    route to the network 10.11.11.0/24 (SSLVPN Clients), it does not add itself as
    the default router but the default router of the network the ASA resides in.
    Also when I look at the routing table it looks like this:

    O E2 192.168.60.0 255.255.255.0 [110/20] via 1.2.3.67, 46:47:05, inside
    S 10.11.11.1 255.255.255.255 [1/0] via 1.2.3.65, inside
    C 1.2.3.64 255.255.255.224 is directly connected, inside
    S* 0.0.0.0 0.0.0.0 [1/0] via 1.2.3.65, inside

    As you can see the default router for 10.11.11.0/24 (SSLVPN Clients) is the
    default router of the ASA and not the ASA itself. From my understanding it
    should be the ASA itself.

    So my questions boil down to the following:

    - How to tell the ASA not to NAT to destination addresses that are
    announced via OSPF for the SSLVPN Clients?

    - How to tell the ASA to propagate the route to the SSLVPN clients via
    OSPF with the right default router (itself)?

    Cheers,
    Thomas
    Thomas Glanzmann, Feb 25, 2011
    #1
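An added example, not part of the thread or of Cisco's own tooling: since the ASA NAT exemptions only take network objects (as the post notes), one way to stop patching them by hand is to generate the missing objects and identity-NAT rules from the `show route` output quoted above. The script assumes the route and config formats shown in the post, a hypothetical naming scheme `OSPF_<network>_<prefixlen>` for generated objects, and constructed sample input; it emits only rules for OSPF prefixes that have no object in the running config yet, so it can be re-run safely after each new announcement.

```python
import ipaddress
import re

# Constructed sample of ASA `show route` output, in the format quoted in the post.
SAMPLE_ROUTES = """\
O E2 192.168.60.0 255.255.255.0 [110/20] via 1.2.3.67, 46:47:05, inside
O 10.10.10.0 255.255.255.0 [110/11] via 1.2.3.67, 46:47:05, inside
S 10.11.11.1 255.255.255.255 [1/0] via 1.2.3.65, inside
C 1.2.3.64 255.255.255.224 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 1.2.3.65, inside
"""
# Constructed sample of the network objects already in the running config.
SAMPLE_CONFIG = """\
object network VPNaddresses
 subnet 10.11.11.0 255.255.255.0
object network VLaddresses
 subnet 10.10.10.0 255.255.255.0
"""
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_RE = re.compile(rf"^O(?: (?:E[12]|IA|N[12]))?\s+{IP}\s+{IP}\s")  # OSPF codes only
SUBNET_RE = re.compile(rf"^\s*subnet {IP} {IP}\s*$")

def ospf_prefixes(show_route_text):
    """OSPF-learned prefixes from `show route`; static, connected and default are skipped."""
    nets = []
    for line in show_route_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True))
    return nets

def existing_subnets(running_config):
    """Subnets that already have a network object in the running config."""
    return {ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            for m in map(SUBNET_RE.match, running_config.splitlines()) if m}

def nat_exemptions(nets, vpn_object="VPNaddresses", ifaces="inside,any"):
    """Object definition plus identity (no-NAT) rule per prefix, in the post's syntax."""
    lines = []
    for net in nets:
        # Hypothetical object name, e.g. OSPF_192_168_60_0_24
        name = f"OSPF_{str(net.network_address).replace('.', '_')}_{net.prefixlen}"
        lines += [f"object network {name}", f" subnet {net.network_address} {net.netmask}",
                  f"nat ({ifaces}) source static {vpn_object} {vpn_object} "
                  f"destination static {name} {name}"]
    return lines

def new_exemptions(show_route_text, running_config):
    """Only the rules for OSPF prefixes that have no network object yet."""
    have = existing_subnets(running_config)
    return nat_exemptions([n for n in ospf_prefixes(show_route_text) if n not in have])
```

Review the generated lines before pasting them into the ASA; the exemptions stay in the NAT table until the matching object is removed, so withdrawn routes need a separate cleanup pass.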