NAT - Router and ASA setup

Unanswered Question
Mar 22nd, 2007

I'm a little confused on how to set up NAT and where. My router has an ip of My public IP range is to of usable IPs. At the current moment the router forwards the traffic to a hub and from there it goes into a device that is assigned one of my usable IPs.

I bought a ASA5505 and the scheme changes. I can either take one of my IPs and assign it to the OUTSIDE interface of the firewall and NAT inside the firewall or

NAT inside the router as well as inside the firewall...

Which is the recommended setup, what are the ramifications. Any other options that I am missing?

ASA interfaces:

0 -outside

1 -DMZ

2 -inside

4 -mgmt

Thank you for your help,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
m.matteson Thu, 03/22/2007 - 09:58

You can set up NAT on either one i wouldn't really matter and it would still work. I would suggest configuration NAT on your ASA if you have the public ip addresses to spare on assigning them to the routing interfaces. Just have the router route and it will be a less headache for you later on in the future. hth.

chrismisztur Thu, 03/22/2007 - 10:52

Thanks, that was helpful.

So if my router's e0 IP is then I can make the ASAs OUTSIDE int How will the router know to forward traffic destined for to the ASA Outside interface?

chrismisztur Thu, 03/22/2007 - 12:56 is the webserver (accessible from Internet). I will use as the NATted address. is the entry point to my network is the Outside int on ASA is the DMZ int on ASA (where webserver is hooked up)

I assigned a static(outside,dmz) netmask and static(dmz,static) netmask

I changed the webserver TCP/IP to

but my setup does not work.

chrismisztur Thu, 03/22/2007 - 14:24

So I tried using ACLs , statics, and PAT to get this to work, none seem to work.

When I try to ping 66.999.999.62 from the router it succeeds.

When I try to ping 66.999.999.58 (web server) from the router it fails.

It's like the router does not know that 66.999.999.58 is behind the 66.999.999.62 ASA OUTSIDE interface...!!!

Do I need to change the router config to make it aware that 66.999.999.62 (web server) is behind the ASA?



This Discussion