
NAT - Router and ASA setup

chrismisztur (Level 1)

I'm a little confused on how to set up NAT and where. My router has an IP of 1.1.1.1. My public IP range is 1.1.1.1 to 1.1.1.6 of usable IPs. At the current moment the router forwards the traffic to a hub, and from there it goes into a device that is assigned one of my usable IPs.

I bought an ASA5505 and the scheme changes. I can either take one of my IPs and assign it to the OUTSIDE interface of the firewall and NAT inside the firewall, or NAT inside the router as well as inside the firewall...

Which is the recommended setup, and what are the ramifications? Any other options that I am missing?

ASA interfaces:

0 - outside
1 - DMZ
2 - inside
4 - mgmt

Thank you for your help,

chris

6 Replies

m.matteson (Level 2)

You can set up NAT on either one; it wouldn't really matter and it would still work. I would suggest configuring NAT on your ASA if you have the public IP addresses to spare for assigning them to the routing interfaces. Just have the router route, and it will be less of a headache for you later on in the future. HTH.

Thanks, that was helpful.

So if my router's e0 IP is 1.1.1.1, then I can make the ASA's OUTSIDE int 1.1.1.2. How will the router know to forward traffic destined for 1.1.1.5 to the ASA Outside interface?

Is 1.1.1.5 the IP that you will use for NAT?

1.1.1.5 is the webserver (accessible from Internet). I will use 192.168.2.2 as the NATted address.

1.1.1.1 is the entry point to my network

1.1.1.2 is the Outside int on ASA

192.168.2.1 is the DMZ int on ASA (where webserver is hooked up)

I assigned a static(outside,dmz) 192.168.2.2 1.1.1.5 netmask 255.255.255.255 and static(dmz,static) 1.1.1.5 192.168.2.2 netmask 255.255.255.255

I changed the webserver TCP/IP to 192.168.2.2/255.255.255.0/gate 192.168.2.1

but my setup does not work.

You have to add an ACL to the outside interface to permit the traffic to enter the interface and then be NATted.

http://www.cisco.com/warp/public/556/5.html

So I tried using ACLs, statics, and PAT to get this to work; none seem to work.

When I try to ping 66.999.999.62 from the router it succeeds.

When I try to ping 66.999.999.58 (web server) from the router it fails.

It's like the router does not know that 66.999.999.58 is behind the 66.999.999.62 ASA OUTSIDE interface...!!!

Do I need to change the router config to make it aware that 66.999.999.62 (web server) is behind the ASA?
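An added configuration example, not taken from either poster in this thread, that shows the setup m.matteson describes (a static for the DMZ web server plus an inbound ACL on outside) and addresses the last question of how the router reaches the published address behind the ASA. It uses the thread's own addresses and the same pre-8.3 ASA `static` syntax the thread uses; it assumes the public block is 1.1.1.0/29, that the web server listens on TCP 80, that the ASA interfaces are named outside/dmz/inside as listed in the first post, and it uses hypothetical names for the ACL (outside_in) and the router interface (Ethernet0). In the `static` command the first interface in parentheses is the real (server) side and the second is the mapped (public) side, so one dmz,outside static is what publishes 192.168.2.2 as 1.1.1.5.

```cisco
! ---- ASA (pre-8.3 syntax) -- added example, not the thread's own config ----
! Interface names assumed to match the first post: outside, dmz, inside.
!
! Publish the DMZ web server 192.168.2.2 as public address 1.1.1.5.
! Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
static (dmz,outside) 1.1.1.5 192.168.2.2 netmask 255.255.255.255
!
! Traffic arriving on outside is dropped by default (lower to higher security),
! so permit only the service the server provides. "outside_in" is a
! hypothetical ACL name chosen for this example.
access-list outside_in extended permit tcp any host 1.1.1.5 eq www
access-group outside_in in interface outside
!
! Default route towards the router, which shares the public /29 with the ASA.
route outside 0.0.0.0 0.0.0.0 1.1.1.1
!
! Checks on the ASA:
!   show xlate                   -> the static translation slot should be listed
!   show access-list outside_in  -> hit count should rise on a client connect

! ---- Router (IOS) -- added example ----
! 1.1.1.5 lies inside the router's connected /29 on Ethernet0 (interface name
! assumed), so the router does not route to it; it ARPs for it directly.
! The ASA answers that ARP on the mapped address by proxy ARP, which is on by
! default for a static. If proxy ARP has been turned off on the ASA with
! "sysopt noproxyarp outside", give the router an explicit host route instead:
ip route 1.1.1.5 255.255.255.255 1.1.1.2
!
! Check on the router:
!   show ip arp 1.1.1.5   -> with proxy ARP, resolves to the ASA outside MAC
```

If the router's ping to 1.1.1.5 still fails after this, look at the router's ARP table first: a missing or incomplete entry means the ASA is not answering for the mapped address, while a resolved entry with no reply points at the ASA's ACL (ICMP is not permitted by the example ACL above; only the web service is).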
