01-17-2008 10:58 AM - edited 03-11-2019 04:50 AM
I have an ASA5505 connected to one ISP router. The ISP has given me two different subnets instead of just one (nothing to do about it).
Subnet 1: 87.54.x.x/29
Subnet 2: 195.41.x.x/29
I have some static NATs on the 87.54.x.x addresses and that is working fine. I have tried to create a static NAT on a 195.41.x.x address. When I connect to the server I get the following error in the log: Deny TCP reverse path check from 87.54.x.x to 195.41.x.x on interface outside.
I have a 0.0.0.0 route on the outside interfacing to the ISP router on the 87.54.x.x network.
The problem is that although I have configured ACLs for the traffic to the 195.41.x.x address, it does not seem to work properly. I suspect that the ASA protects the network (and is telling me this with the Deny TCP reverse path check log entry), but I need traffic in to my network.
Do I need to create a route to the 195.41.x.x network, or do I need to add the 195.41.x.x IP address as a secondary IP address on the outside interface?
Thanks
\Lars
01-19-2008 08:36 PM
Hi, you have only one default gateway from the ISP, right? Let's say it's 87.54.x.1/29. The other subnet can ONLY be used for your DMZ application; there's no way two public outside networks can be static NATted to the same inside network.
If you have a DMZ server, or a VPN box you want to put on the DMZ, you can use no-nat to achieve this with the second IP subnet.
You can have three VLANs on the ASA 5505, for example:
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 87.54.x.2 255.255.255.248
interface Vlan3
 nameif dmz
 security-level 50
 ip address 195.41.x.1 255.255.255.248
access-list no_nat_dmz permit ip 195.41.x.0 255.255.255.248 any
nat (dmz) 0 access-list no_nat_dmz
On your DMZ server, configure the default route to point to 195.41.x.1, so you can reach the DMZ box/server via the second IP subnet.
If it's a VPN box, you can put the inside interface of the VPN box in your 5505 Vlan 1 (inside) network.
Don't forget to allow the related traffic destined to the DMZ in the ACL outside-access-in.
Please rate if it helps.
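As an added illustration (not from the thread), a simplified longest-prefix route lookup shows why inbound traffic to the second subnet has nowhere to go until that subnet is attached to an ASA interface: with only the default route, 195.41.x.x resolves straight back to the outside interface it arrived on; after the dmz VLAN from the answer is added, it resolves to dmz. The "x" octets are constructed placeholders (modelled as 0), and the forwarding model is a deliberate simplification of the ASA, not its actual code.

```python
import ipaddress

# Constructed placeholder values: the thread masks the middle octets as "x",
# so 87.54.x.x/29 and 195.41.x.x/29 are modelled as 87.54.0.0/29 and 195.41.0.0/29.

# Routing table before the fix: default route plus the two connected subnets.
ROUTES_BEFORE = [
    ("0.0.0.0/0", "outside"),      # default route towards the ISP router
    ("87.54.0.0/29", "outside"),   # connected: Vlan2
    ("192.168.1.0/24", "inside"),  # connected: Vlan1
]

# After the fix proposed in the answer: Vlan3 (dmz) holds the second ISP subnet.
ROUTES_AFTER = ROUTES_BEFORE + [("195.41.0.0/29", "dmz")]


def lookup(routes, dst):
    """Longest-prefix match: return the egress interface for dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def egress_for_inbound(routes, ingress, dst):
    """Simplified forwarding decision for a packet that arrived on `ingress`.

    Returns the egress interface, or 'hairpin' when the only matching route sends
    the packet back out the interface it came in on, which is the situation for
    195.41.x.x traffic while that subnet is not attached to any ASA interface.
    """
    egress = lookup(routes, dst)
    return "hairpin" if egress == ingress else egress


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, "195.41.0.3 ->", egress_for_inbound(table, "outside", "195.41.0.3"))
```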
01-20-2008 11:30 PM
Hi
Thank you for the answer. This explains a lot for me :-)