Solved

Redistributing a route for a NATED subnet via eigrp/ospf

Posted on 2015-02-04
Last Modified: 2015-02-09
Hi,

I am using a Cisco ASA5505 version 9.2 and here's my problem

The ASA5505 is connected to 3 networks

Example
outside: vlan lan trunk to multiple networks
Inside: 192.168.1.0/24
DMZ: 192.168.50.0/24

NATED adresses: 10.1.1.0/29 (10.1.1.1 to 10.1.1.14) to servers in the 192.168.50.0/24 subnet

I need to advertise via eigrp and ospf on the outside interface the 10.1.1.0/29 network.
I cannot create a loopback on the ASA it's not supported

How can I achieve this ?
Question by:fox54
8 Comments
 
LVL 26

Expert Comment

by:Predrag Jovic
You should be able to create static routes and advertise/redistribute them over OSPF and EIGRP.
You need to create routes to interfaces (not to a next-hop address) - this is also considered a connected route.

example

    ip route 172.30.0.0 255.255.255.0 eth0/0

    router eigrp 1
     network 172.30.0.0
     no auto-summary

    router ospf 1
    redistribute static metric xxx subnets
LVL 11

Expert Comment

by:naderz
So, your outside interface is "trunked" to another device and 10.1.1.0/29 is one of the subinterfaces on the trunk? What is the IP address of that interface carrying the 10.1.1.0/29? Can you use an address in the 10.1.1.0/29 range for the interface? If you can, then all you have to do is advertise the 10.1.1.0/29 via either an EIGRP or OSPF network statement.

Author Comment

by:fox54
Hi,

Routing to an interface: not supported on the ASA.

No, I cannot use the IP on the outside interface itself. This will clarify the whole configuration. Forget the 10.1.1.0/29 network. It's the 10.1.1.64/28 network that I need to advertise, NATed to some hosts in the 192.168.50.0/24 subnet.

Here's the actual configuration and route of the outside interface:

The outside interface is in trunk mode allowing VLAN 10 and 20

10.1.1.0 255.255.255.248 directly connected, Vlan10
10.1.1.4 255.255.255.255 directly connected, VLAN10
10.1.1.4 255.255.255.255 directly connected, Vlan20
10.1.1.8 255.255.255.248 directly connected, VLAN20
10.1.1.12 255.255.255.255 directly connected, VLAN20
192.168.1.0 255.255.255.0 is directly connected, inside
192.168.1.254 255.255.255.255 is directly connected, inside
192.168.50.0 255.255.255.0 is directly connected, DMZ
192.168.50.254 255.255.255.255 is directly connected, DMZ
x.x.x.x.x 255.255.255.0 via 10.1.1.10, VLAN10
y.y.y.y.y 255.255.255.0 via 10.1.1.10, VLAN10
and so on

I cannot connect the 10.1.1.64/29 directly. It needs to be NATed to some hosts on the 192.168.50.0/24 subnet.
And I must advertise the 10.1.1.64/29 via EIGRP/OSPF so the other networks reachable on the outside interface can connect to it.
LVL 26

Expert Comment

by:Predrag Jovic
Yes, you're right. All configuration examples are here:
ASA 9.2
Configuring static route
Redistribute static routes into ospf
Redistribute static routes into eigrp

Author Comment

by:fox54
Yes, it seems that it helps a little, but I am not really sure how to implement it.

What is the static route that I need to define for the 10.1.1.0/29? What would be the interface and the gateway address?

It has to be advertised on VLAN10 and VLAN 20.
LVL 11

Expert Comment

by:naderz
Can you post the output for each one of these commands? Don't edit anything.

sh run interface
sh run route
sh run router

You may have to put a router in front of the ASA.

Author Comment

by:fox54
Hi,

It's a lab test (before installation). I cannot give you the full output.

There's a Cisco 1811 connected to the outside interface of the ASA5505. The router is advertising routes to some other networks connected to its 8 interfaces.

Here's an edited example:

ASA5505
interface Ethernet0/0
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!

interface Vlan10
 nameif External-Network_VLAN10
 security-level 100
 ip address 10.1.1.4 255.255.255.248
!
interface Vlan20
 nameif External-Network_VLAN20
 security-level 100
 ip address 10.1.1.12 255.255.255.248



I configured a static route for my NATed range:

route External-Network_VLAN10 10.1.1.64 255.255.255.192 10.20.41.2

This points the route to the IP of VLAN10 of the Cisco 1811 connected to the outside interface of the ASA.
It works, but I also tried to add the route like this:

route External-Network_VLAN20 10.1.1.64 255.255.255.192 10.20.41.10
This points the route to the IP of VLAN20 of the Cisco 1811 connected to the outside interface of the ASA.

Both scenarios work! The route for my NATed 10.1.1.64/28 is redistributed and connectivity is established with my host behind the NAT.

I found it weird that either route I added did the job. Am I missing something?
LVL 11

Accepted Solution

by:
naderz earned 500 total points
No, actually you are not missing anything! It's just that ASA/Firewalls are not intended for this type of scenario and you usually see a router in front of the firewall taking care of this.

What you have noticed, and made work, is the fact that a route will not be advertised in a routing protocol (e.g. EIGRP or OSPF) if that route does not exist in the device's routing table (in this case the ASA).

By placing the static route (on routers this is usually done with a static route to null0; ASAs cannot do that) you have effectively placed the route in the routing table used by the ASA, and therefore it will be advertised via EIGRP/OSPF.

Nice challenge!

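Putting the pieces of the thread together, here is one complete ASA 9.x configuration for the scenario as an added example. It is not the author's lab configuration and not taken from the Cisco documents linked above. The interface name External-Network_VLAN10, the route mask 255.255.255.192 and the next hop 10.20.41.2 come from the author's post; the DMZ interface (Vlan50), the DMZ host 192.168.50.10, its mapped address 10.1.1.65, the object and access-list names, EIGRP AS 1, OSPF process 1 and area 0 are all assumptions.

```cisco
! Added example configuration for the scenario in this thread (not the author's
! running config). Interface names follow the author's post; host addresses,
! object/ACL names and process numbers are assumptions.

! Outside-facing interfaces normally carry a low security level, so that traffic
! from the external VLAN into the DMZ is only what the access-list permits.
interface Vlan10
 nameif External-Network_VLAN10
 security-level 0
 ip address 10.1.1.4 255.255.255.248
!
interface Vlan50
 nameif DMZ
 security-level 50
 ip address 192.168.50.254 255.255.255.0
!
! Static object NAT: one DMZ server is reachable from outside as 10.1.1.65,
! an address inside the 10.1.1.64/26 range (mask 255.255.255.192, as in the
! author's route command).
object network DMZ-WEB-SRV
 host 192.168.50.10
 nat (DMZ,External-Network_VLAN10) static 10.1.1.65
!
! Expose only the published service on the mapped address; everything else
! arriving on the external VLAN is dropped and logged.
access-list EXT-IN extended permit tcp any host 10.1.1.65 eq 443
access-list EXT-IN extended deny ip any any log
access-group EXT-IN in interface External-Network_VLAN10
!
! The mapped range must be present in the ASA routing table before either
! routing process will redistribute it. The ASA has no null0 interface, so the
! static route points at the upstream router, exactly as the author found.
route External-Network_VLAN10 10.1.1.64 255.255.255.192 10.20.41.2
!
! EIGRP: form the adjacency on the VLAN10 link and redistribute the static route.
router eigrp 1
 network 10.1.1.0 255.255.255.248
 redistribute static
!
! OSPF: same idea; "subnets" makes the subnetted /26 prefix eligible for
! redistribution.
router ospf 1
 network 10.1.1.0 255.255.255.248 area 0
 redistribute static subnets
```

Verify on the ASA with show route (the 10.1.1.64/26 static must be present), show eigrp topology and show ospf neighbor, then on the upstream router with show ip route, where the prefix appears as an external route. One consequence of this design worth keeping in mind: for any address in 10.1.1.64/26 that has no NAT entry, the ASA would forward the packet back to the next hop that learned the route from it, so the explicit deny line in the inbound access-list is what keeps such traffic from bouncing between the two devices until its TTL expires.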