Router & ASA connected with Private IP for Internet Access

Unanswered Question
Jul 28th, 2008


Internet link is terminated into router with public ip.

Router & firewall connected with private ip.

DMZ has 2 IP segments that are accessed from the inside & outside zones.

LAN zone:

WAN: 212.x.y.z



Can someone help me with config script of both router & firewall

dhananjoy chowdhury Mon, 07/28/2008 - 23:18



On the router suppose you have

S0/0 - 212.x.y.z - Internet

f0/0 - - Inside connecting to ASA outside interface

then configure this way on the router -

int s0/0

ip add 212.x.y.z

ip nat outside

int f0/0

ip add

ip nat outside

access-list 10 permit

access-list 10 permit

access-list 10 permit

ip nat inside source list 10 interface serial 0 overload

-- Also add routes for and on the router, pointing towards ASA outside interface IP.

Now on the ASA, configure the interfaces and then add default route pointing towards the router f0/0 IP (

route outside 0 0

Hope this helps.

acharyr123 Mon, 07/28/2008 - 23:28

I think int f/0--> ip nat this right??

i do have another thought in my mind:

suppose all natting is being taken care of by pix, whether only a default route towards isp & static routes pointing inward towards dmz zone will work!!!

dhananjoy chowdhury Tue, 07/29/2008 - 01:01

int f/0--> ip nat inside

yes this is correct because you are going to nat all inside subnets behind f0/0.

acharyr123 Mon, 07/28/2008 - 23:32

i also have a query: in that case whether no natting is required into the firewall?

acharyr123 Tue, 07/29/2008 - 01:48

all natting is already taken care of by the asa as it is running. router will be installed now so i don't want to change the asa configuration.

can this be done!!!

dattx_fis2 Tue, 07/29/2008 - 02:19

NAT for internet access is done on the router. If you want to hide the DMZ ip add, in this case NAT is done on the ASA

acharyr123 Tue, 07/29/2008 - 11:13


I want to have the internet link terminated into the router & dmz server zone at the pix. as the pix is already running so I don't want to change the config of the same.

Can someone help me with the config!!

Marwan ALshawi Tue, 07/29/2008 - 18:43

ok make PATing over your public ip on the router for all your internall networks


access-list 100 permit ip any any

route-map pating permit 10

match ip address 100

ip nat inside source route-map pating interface (ur outside interface)

then on ur inside router interface

ip nat inside

and on the outside interface

ip nat outside

regarding that you have the proper ACLs,NATing and default route on your PIX

also you should have the right default route configured on your router

good luck

please, Rate if helpful

acharyr123 Tue, 07/29/2008 - 22:03

In PIX i configured the default route towards router inside interface & inside routes towards my lan segment.


global (outside) 1 interface outside

global (intf2) 1 ---> intf2: dmz1

global (intf3) 1 ---> intf3: dmz2

nat (inside) 1



access-list 100 permit ip any any

route-map pating permit 10

match ip address 100

ip nat inside source route-map pating interface fe0/1

int fe0/0

ip nat inside

int fe0/1

ip nat outside

ip route fe0/1

please check if it is ok. then i will try & update you.

Marwan ALshawi Tue, 07/29/2008 - 22:20

what i suggest you to do is remove the above nating

and make static nat on your pix for the whole subnet, i mean you give exposure of the whole inside and dmz subnets to the router, and on the router do the NATING as i told you

do the following on the PIx

static(inside, outside) netmask

the above command does not actually translate inside addresses, so that the router can communicate and see them directly

by the way i assumed that the subnet mask is put it is you have it in your network

then do the same for the dmz network

static(intf2,outside) netmask

static(intf2,outside) netmask

again put the subnet mask as you have in your network

and then do the PATING as i told you in the previous post


access-list 100 permit ip any any

route-map pating permit 10

match ip address 100

ip nat inside source route-map pating interface (ur outside interface) overload

(dont forget the overload)

then on ur inside router interface

ip nat inside

and on the outside interface

ip nat outside

it should work

and use your ACLs to control what is allowed from outside to inside or dmz

by the way

you can use the same concept between the inside and the dmz

good luck

please, Rate if helpful

Marwan ALshawi Tue, 07/29/2008 - 23:58

by the way

when you gonna do the configuration i have mentioned on ur PIX

dont forget to remove all the nat config that u have first then do the config i told u about it

about the router

try to put the word overload after the interface

ip nat inside source route-map pating interface fe0/1 overload

also what kind of connection with internet u have ?

ADSL or what ?

acharyr123 Wed, 08/06/2008 - 02:43


I tried as per ur config but not working. Please find the config & try to help me out in this.



access-list 100 permit ip any any


route-map pating permit 10

match ip address 100


ip nat inside source route-map pating interface f0/0 overload


interface FastEthernet0/1

ip address

ip nat inside


interface FastEthernet0/0

ip address 116.x.x.x/28

ip nat outside


ip route 116.x.x.y


route outside

route inside

access-list 110 extended permit icmp any any

access-list 110 extended permit ip any any

access-list 110 extended permit tcp any any

access-group 110 in interface inside

static (inside,outside) netmask


Plz suggest

Marwan ALshawi Wed, 08/06/2008 - 02:55

what is the problem with that config

u mean u cant go from the firewall to the outside??

by the way is the network connected directly to ur inside firewall interface?

what is this command????

route inside

please describe it

i think here we have a leak


acharyr123 Wed, 08/06/2008 - 02:59

With this config, from router i can ping any public ip but from firewall pinging outside ip is not happening. From firewall inside ip & vlan is pinging.


interface GigabitEthernet0/1

nameif inside

security-level 100

ip address

route inside (> inside vlan interface ip )

Marwan ALshawi Wed, 08/06/2008 - 03:13



first u dont need this command

route inside

and if u pinging from inside to the router outside

then the config i have sent u is working!!

and for ur knowledge

in ASA firewall u cant ping an interface from another interface

please, if helpful rate

Marwan ALshawi Wed, 08/06/2008 - 03:35

did u get it work?

dont forget the interface subnet mask should be

also all ur hosts in that inside network

should be in subnet

as we configured the nating with

and let me know

good luck

acharyr123 Wed, 08/06/2008 - 03:39

my inside network is not /8, i have /24,/25 etc. what u suggest in that case!!

acharyr123 Wed, 08/06/2008 - 04:02

Please find the attachment for asa config..router config u already have.

There are approx 210 no. of vlans in the dist switches (4507R) which are connected with the 6513.

ASA is connected directly with Core switch.

In core vlan 900

ip address :

asa is connected to this vlan.

Marwan ALshawi Wed, 08/06/2008 - 04:33

ok then keep ur config as it is

and do the static nat as i told u befor


enable icmp inspection for ping:

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error


also do the following to let the firewall do ping its self

permit icmp any interface outside echo

permit icmp any interface outside echo-reply

by the way the config u sent me is without any nating configured?

so sure when u do show xlate it will give u 0

and one more question: when u did my config, did u get ur inside network working normally, i mean can it go out the router and ping?

check ur network behind the switch if it has the right config and right default gateways configured

and let me know

it should work, just do it carefully and step by step

good luck

acharyr123 Wed, 08/06/2008 - 06:04


My LAN is working fine. I can ping the asa inside interface, i am not able to ping the asa outside or router LAN interface.

Marwan ALshawi Wed, 08/06/2008 - 06:24

do u have route to ur inside network on ur router?

i mean for

u need to have on ur router something like:

ip route [asa outside ip]

also for icmp

have u done on ur asa:

permit icmp any inside echo

permit icmp any outside echo

and i told u cant ping the asa outside interface from inside or dmz

in other words u cant ping any asa interface from other interface

just u need to get the ping to the router

please after u finish all the config post them to me if didnt work

with full config

acharyr123 Wed, 08/06/2008 - 20:43

i will do this & let you know. By the way..thank u very much for your help.

acharyr123 Fri, 08/08/2008 - 01:44

It's working..thanks a lot.

but access is happening only from 10.20.x.x/16. i did this into asa:

static(inside, outside) netmask

My asa inside interface ip: /16.

But i have a number of vlans in the range /24,/25,/26 etc with the 10.145.x.x series in the LAN. from such addresses internet is not happening.

your suggestion on this, any!!!

Marwan ALshawi Fri, 08/08/2008 - 01:49

do u have the right vlan and default gateways configured

also route

now it is routing problem

first check the default gateway configuration and make sure they can ping the asa

also make sure u have the route configured through the inside interface on the ASA

please, rate the helpful post

and good luck
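As an added illustration that is not part of the thread, the Python model below checks, for one inside host, the four things the replies above require: an ASA identity static covering the source, the router NAT ACL, a router return route via the ASA outside address, and an ASA "route inside" for VLANs not on the inside segment. The thread only gives 10.20.x.x/16 and 10.145.x.x, so the concrete addresses, the core VLAN 900 SVI and the /16 summary for 10.145.x.x are assumed sample values.

```python
import ipaddress

# Constructed model of the thread's design (not a config from the thread):
# inside VLANs -> core VLAN 900 -> ASA inside; the ASA has an identity
# static (inside,outside) towards the router; the router does PAT.
# Concrete addresses below are assumed sample values.
CORE_VLAN900_IP = "10.20.10.2"            # assumed core switch SVI on VLAN 900

ASA = {
    "inside_connected": "10.20.0.0/16",   # subnet of the ASA inside interface
    "inside_routes": {},                  # "route inside <net> <core ip>" entries
    "identity_statics": ["10.20.0.0/16"], # static (inside,outside) <net> <net>
}
ROUTER = {
    "nat_acl_permit_any": True,           # access-list 100 permit ip any any
    "routes_via_asa": ["10.20.0.0/16"],   # ip route <net> <mask> <asa outside ip>
}

def check_internet_path(src, asa=ASA, router=ROUTER):
    """Return the reasons host src cannot reach the Internet and get replies back."""
    host = ipaddress.ip_address(src)
    nets = lambda lst: [ipaddress.ip_network(n) for n in lst]
    problems = []
    # Outbound: in this design the ASA builds no xlate unless a static covers the source
    if not any(host in n for n in nets(asa["identity_statics"])):
        problems.append("asa: no static (inside,outside) covers %s" % host)
    # Outbound: the router only PATs what the route-map ACL matches
    if not router["nat_acl_permit_any"]:
        problems.append("router: NAT ACL does not match %s" % host)
    # Return: the router needs a route for the untranslated source via ASA outside
    if not any(host in n for n in nets(router["routes_via_asa"])):
        problems.append("router: no ip route for %s via ASA outside" % host)
    # Return: the ASA needs a route inside for subnets not directly connected
    if host not in ipaddress.ip_network(asa["inside_connected"]) and \
       not any(host in n for n in nets(asa["inside_routes"])):
        problems.append("asa: no route inside for %s via %s" % (host, CORE_VLAN900_IP))
    return problems

def with_fix():
    """Same topology with the 10.145.x.x VLANs covered on both boxes (assumed /16 summary)."""
    asa = dict(ASA, identity_statics=ASA["identity_statics"] + ["10.145.0.0/16"],
               inside_routes={"10.145.0.0/16": CORE_VLAN900_IP})
    router = dict(ROUTER, routes_via_asa=ROUTER["routes_via_asa"] + ["10.145.0.0/16"])
    return asa, router

if __name__ == "__main__":
    for src in ("10.20.50.7", "10.145.3.9"):
        print(src, check_internet_path(src) or "ok")
    asa, router = with_fix()
    print("10.145.3.9 after fix:", check_internet_path("10.145.3.9", asa, router) or "ok")
```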

acharyr123 Thu, 08/21/2008 - 19:41


I tried to do this but not happening.

From user side i can ping the asa inside interface. In my switch default route 0.0.0.0 0.0.0.0 10.20.10.X (asa inside ip) is given.

In switch vlan 900 is created & asa inside is assigned an ip from that segment.

Internet access is happening from only vlan 900..from other vlans i can't access internet.

plz suggest.

acharyr123 Wed, 08/27/2008 - 00:19


I am sorry to say that internet is not happening from any of the vlan's.

I have connected my pc directly with the asa inside interface having the pc g/w as inside interface still not happening.

plz help


