eigrp with ASA and NAT

Everything is working.    This is just me trying to understand exactly how.   We have a cisco asa for the internal network running eigrp.   On the inside we have some layer 3 switches also running Eigrp.   On the outside interface is a router connected to an ISP.   This router to the isp is also running Eigrp to peer with the ASA on the outside interface.   (this router to the isp is also running BGP to peer wit the isp).  

We're also natting on the asa so that all internal networks are translated to the outside address of the ASA.  It seems to be working fine.  The internal networks seem to be exchanged without any issue with the router connected to the isp.   I guess my question is wouldn't the router to the isp see any traffic coming from the outside interface of the ASA as the address of the ASA and not the internal routes?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ffleismaSenior Network EngineerCommented:
That is most likely. Depending on your NAT configuration and setup, the router upstream of the ASA only see the public IP address assigned to your ASA, then all internal subnets (private IP) are NATed to this public IP.

This public IP can be the ASA outside interface IP address, or another public IP address assigned by your ISP in which the ASA has been setup to do NATing for.

you can check out websites to view your public IP.


then you can compare it with your ASA configuration. You can also do a simple google search "whats my IP", and that will give you the public IP you are using.

Be glad to help you out in case you have further questions.
techlindenAuthor Commented:
After i posted this comment, i think i had a revelation.  In terms of routing it doesn't really matter that the upstream router sees the natted address. The correct routes are still being advertised via eigrp.    I'm created a dmvpn to connect this datacenter to our current one.   I need to create a nat exemption then for internal traffic coming from behind the firewall to our existing datacenter correct?   so that the traffic doesn't get natted?
ffleismaSenior Network EngineerCommented:
Yes that would be correct, as DMVPN is currently only supported on IOS. But be careful and take note of the following.

the ACL pertaining to your NAT exempt should be specific for source/destination, as you might break your internet access
take note of the order of your NAT. Depending on your ASA software version, you'll have to ensure that the NAT-exempt is executed before the NAT/PAT to ASA "outside" interface.
the upstream router will have route knowledge of the private subnet, this is done via EIGRP or static route configured on the router. this might be something you'll have to coordinate with your ISP if they are managing the said router. it also has to be made sure that the ISP router is not announcing the private subnet to the internet.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
techlindenAuthor Commented:
I bet that's why it wasn't working....because the nat-exempt was executed after the other nat and not before.    Just found out that mgt wants to put the dmvpn router behind the firewall in the dmz so we're in the process of configuring a different router for dmvpn.     Should be fun.  luckily we have a 3rd party that can help with the ASA portion.    Thanks for your help.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.