NAT - Router and ASA setup

Unanswered Question
Mar 22nd, 2007
I'm a little confused on how to set up NAT and where. My router has an ip of My public IP range is to of usable IPs. At the current moment the router forwards the traffic to a hub and from there it goes into a device that is assigned one of my usable IPs.

I bought an ASA5505 and the scheme changes. I can either take one of my IPs and assign it to the OUTSIDE interface of the firewall and NAT inside the firewall, or NAT inside the router as well as inside the firewall...

Which is the recommended setup, and what are the ramifications? Any other options that I am missing?

ASA interfaces:

0 -outside

1 -DMZ

2 -inside

4 -mgmt

Thank you for your help,


m.matteson Thu, 03/22/2007 - 09:58

You can set up NAT on either one; it wouldn't really matter and it would still work. I would suggest configuring NAT on your ASA if you have the public IP addresses to spare for assigning to the routing interfaces. Just have the router route and it will be less of a headache for you later on in the future. HTH.

chrismisztur Thu, 03/22/2007 - 10:52

Thanks, that was helpful.

So if my router's e0 IP is then I can make the ASA's OUTSIDE int How will the router know to forward traffic destined for to the ASA Outside interface?

chrismisztur Thu, 03/22/2007 - 12:56
is the webserver (accessible from Internet). I will use as the NATted address.

is the entry point to my network

is the Outside int on ASA

is the DMZ int on ASA (where webserver is hooked up)

I assigned a static(outside,dmz) netmask and static(dmz,static) netmask

I changed the webserver TCP/IP to

but my setup does not work.

chrismisztur Thu, 03/22/2007 - 14:24

So I tried using ACLs, statics, and PAT to get this to work; none seem to work.

When I try to ping 66.999.999.62 from the router it succeeds.

When I try to ping 66.999.999.58 (web server) from the router it fails.

It's like the router does not know that 66.999.999.58 is behind the 66.999.999.62 ASA OUTSIDE interface...!!!

Do I need to change the router config to make it aware that 66.999.999.62 (web server) is behind the ASA?


