eigrp with ASA and NAT

Everything is working.    This is just me trying to understand exactly how.   We have a cisco asa for the internal network running eigrp.   On the inside we have some layer 3 switches also running Eigrp.   On the outside interface is a router connected to an ISP.   This router to the isp is also running Eigrp to peer with the ASA on the outside interface.   (this router to the isp is also running BGP to peer wit the isp).  

We're also natting on the asa so that all internal networks are translated to the outside address of the ASA.  It seems to be working fine.  The internal networks seem to be exchanged without any issue with the router connected to the isp.   I guess my question is wouldn't the router to the isp see any traffic coming from the outside interface of the ASA as the address of the ASA and not the internal routes?
Who is Participating?
ffleismaSenior Network EngineerCommented:
Yes that would be correct, as DMVPN is currently only supported on IOS. But be careful and take note of the following.

the ACL pertaining to your NAT exempt should be specific for source/destination, as you might break your internet access
take note of the order of your NAT. Depending on your ASA software version, you'll have to ensure that the NAT-exempt is executed before the NAT/PAT to ASA "outside" interface.
the upstream router will have route knowledge of the private subnet, this is done via EIGRP or static route configured on the router. this might be something you'll have to coordinate with your ISP if they are managing the said router. it also has to be made sure that the ISP router is not announcing the private subnet to the internet.
ffleismaSenior Network EngineerCommented:
That is most likely. Depending on your NAT configuration and setup, the router upstream of the ASA only see the public IP address assigned to your ASA, then all internal subnets (private IP) are NATed to this public IP.

This public IP can be the ASA outside interface IP address, or another public IP address assigned by your ISP in which the ASA has been setup to do NATing for.

you can check out websites to view your public IP.


then you can compare it with your ASA configuration. You can also do a simple google search "whats my IP", and that will give you the public IP you are using.

Be glad to help you out in case you have further questions.
techlindenAuthor Commented:
After i posted this comment, i think i had a revelation.  In terms of routing it doesn't really matter that the upstream router sees the natted address. The correct routes are still being advertised via eigrp.    I'm created a dmvpn to connect this datacenter to our current one.   I need to create a nat exemption then for internal traffic coming from behind the firewall to our existing datacenter correct?   so that the traffic doesn't get natted?
techlindenAuthor Commented:
I bet that's why it wasn't working....because the nat-exempt was executed after the other nat and not before.    Just found out that mgt wants to put the dmvpn router behind the firewall in the dmz so we're in the process of configuring a different router for dmvpn.     Should be fun.  luckily we have a 3rd party that can help with the ASA portion.    Thanks for your help.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.