Hello, I'm running a Cisco ASA5505 with Software Version 8.4(1) and one interface. I'm using it as an SSLVPN Endpoint. The ASA has a public ip address and give the pool 10.11.11.0/24 to its SSLVPN clients. The ASA can also reach a router other than the default router in the network which propagates ca. 56 routes via OSPF. I would like to tell the ASA to nat everything that goes out to the internet (default router) but don't NAT for the addresses anounced via OSPF. My configuration so far is:
Define Networks (used for NAT exceptions):
object network VPNaddresses subnet 10.11.11.0 255.255.255.0 object network VLaddresses subnet 10.10.10.0 255.255.255.0 object network R28addresses subnet 192.168.0.0 255.255.255.0 ...
nat (inside,any) source static VPNaddresses VPNaddresses destination static VPNaddresses VPNaddresses nat (inside,any) source static VPNaddresses VPNaddresses destination static R28addresses R28addresses nat (inside,any) source static VPNaddresses VPNaddresses destination static VLaddresses VLaddresses ...
And a NAT rule for the SSLVPN clients:
object network VPNaddresses nat (inside,inside) dynamic interface
This works perfectly fine, but everytime a new route is anounced, I have to manually patch up the exceptions. I would like to tell the ASA to apply the NAT exceptions automatically using the OSPF announced prefix list. In IOS I did exactly this using route maps. I spend one evening try to configure NAT exceptions for the ASA using OSPF routes, but failed because the nat exceptions only take network object and I wasn't unable to find out how to include the ospf routes into a network object.
Regarding OSPF, I have one other issue: If I tell the ASA to propagate the route to the network 10.11.11.0/24 (SSLVPN Clients), it does not add itself as the default router but the default router of the network the ASA resides in. Also when I look at the routing table it looks like this:
O E2 192.168.60.0 255.255.255.0 [110/20] via 220.127.116.11, 46:47:05, inside S 10.11.11.1 255.255.255.255 [1/0] via 18.104.22.168, inside C 22.214.171.124 255.255.255.224 is directly connected, inside S* 0.0.0.0 0.0.0.0 [1/0] via 126.96.36.199, inside
As you can see the default router for 10.11.11.0/24 (SSLVPN Clients) is the default router of the ASA and not the ASA itself. From my understanding it should be the ASA itself.
So my questions boil down to the following:
- How to tell the ASA not to NAT to destination addresses that are announced via OSPF for the SSLVPN Clients?
- How to tell the ASA to propagate the route to the SSLVPN clients via OSPF with the right default router (itself)?