19

Device arrangement is as follows:

   BGP Peers
       +
       |
       |
+------+-------+
|              |
| Juniper MX5  |
|              |
+------+-------+
       |.254
  OSPF | 10.0.1.0/24
       |.1
+------+-------+
|              |
|  Cisco ASA   | ASA NAT
|              | 10.0.0.1 <> 134.0.15.1
+------+-------+
       |.254
       |10.0.0.0/24
       |.1
+------+-------+
|              |
|    HOST1     |
|              |
+--------------+

If you have the ASA performing NAT to address space that is not statically routed to it, how do you get the NAT'd addresses announced into the OSPF zone so the router at the top (Juniper MX5) knows how to reach it?

(FYI this is a largely simplified slice out of a much larger network purely to demonstrate the components involved in this problem)

SimonJGreen
  • Does the Juniper router have an IP in the same subnet as 134.0.15.1? – PacketWrangler May 07 '13 at 21:42
  • @PacketWrangler no it's a private network w/OSPF as the routing protocol. I've tweaked the diagram for clarity. – SimonJGreen May 07 '13 at 21:44
  • If you've got 10.0.1.0/24 on one side and 10.0.0.0/24 on the other, how does 134.0.15.1 fit into your routing at all? – Paul Gear May 08 '13 at 07:53
  • BGP to the MX5 and then OSPF to internal devices. That's exactly the question :) – SimonJGreen May 08 '13 at 09:21
  • Can I ask why you are doing NAT in the ASA? It seems to me you would be better served by just using 134.0.15.0/24 (assuming you have a /24) on your hosts behind the ASA and avoid NAT. Then instead of 10.0.0.254 on the ASA "inside" you would put 134.0.15.254 and then assign your host 134.0.15.1. Then configure OSPF on the ASA and it would advertise that it has 134.0.15.0/24 to the MX5. – PacketWrangler May 08 '13 at 14:04
  • Conservation of address space. I have massively simplified the above scenario, we are an ISP and giving public address space out for DB servers is unnecessary. – SimonJGreen May 08 '13 at 17:32

2 Answers

16

Typically you would install a static route on the upstream device (the Juniper MX5 in this example) pointing to the NAT outside network, rather than trying to advertise the network from the ASA. At least, that's how I always go about it.

Jeremy Stretch
  • So, for example, I could set aside a "pool" of addresses for NAT and static route to them from the MX5? How does this scale to multiple upstream devices, and also east<>west if there's other downstream devices in the OSPF zone? – SimonJGreen May 07 '13 at 21:45
1

I originally wasn't going to post on here because this question is answered, but after seeing your other post about moving the static routes into your OSPF session I thought this might circumvent that problem.

In the ASA you can create a static route for your public address space (let's say 134.0.15.0/30) and redistribute that route into OSPF. Assuming you have the proper config to establish an OSPF session on the "Outside" interface then it will advertise the static route north.

Note: This will also advertise the route to any peers on the "Inside" interface as well. This shouldn't be an issue other than you'll see it in the device's routing tables.

bigmstone
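A concrete ASA configuration for the approach in this answer, added here as an example that is not from the answer or from Cisco's documentation. The addresses come from the diagram; the interface names, the OSPF process id and area, and the static route's next hop are assumptions.

```cisco
! Interfaces (names are assumptions; addressing taken from the diagram)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
! Static NAT for HOST1: 10.0.0.1 <> 134.0.15.1 (from the diagram)
object network HOST1
 host 10.0.0.1
 nat (inside,outside) static 134.0.15.1
!
! Static route covering the public /30 used in the answer.
! It exists only so that it can be redistributed; the next hop
! (HOST1's private address on the inside interface) is an assumption.
route inside 134.0.15.0 255.255.255.252 10.0.0.1 1
!
! OSPF adjacency with the MX5 on the outside link, plus redistribution
! of the static route (process id 1 and area 0 are assumptions).
! Only the outside subnet is covered by a network statement, so there
! are no inside OSPF peers to receive the redistributed route here.
router ospf 1
 network 10.0.1.0 255.255.255.0 area 0
 redistribute static subnets
```

Once the adjacency is up, `show route 134.0.15.1` on the MX5 should list the /30 as an OSPF external route with the ASA's outside address as next hop.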