07-28-2008 10:19 PM - edited 03-06-2019 12:29 AM
Hi,
Internet link is terminated into router with public ip.
Router & firewall connected with private ip.
DMZ is having 2 ip segments that are being accessed from inside & outside zone.
LAN zone: 10.0.0.0
WAN: 212.x.y.z
DMZ1: 172.16.1.0
DMZ2: 172.16.2.0
Can someone help me with config script of both router & firewall
07-28-2008 11:18 PM
On the router suppose you have
S0/0 - 212.x.y.z - Internet
f0/0 - 20.0.0.2/24 - Inside connecting to ASA outside interface
then configure this way on the router -
int s0/0
ip add 212.x.y.z
ip nat outside
int f0/0
ip add 20.0.0.2 255.255.255.0
ip nat outside
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 permit 172.16.2.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.255
ip nat inside source list 10 interface serial 0 overload
-- Also add routes for 172.16.1.0 and 172.16.2.0 on the router, pointing towards ASA outside interface IP.
Now on the ASA, configure the interfaces and then add default route pointing towards the router f0/0 IP (20.0.0.2)
route outside 0 0 20.0.0.2
Hope this helps.
07-28-2008 11:28 PM
I think int f/0 --> ip nat inside. Is this right?
I do have another thought in my mind:
Suppose all NATing is being taken care of by the PIX; would only a default route towards the ISP and static routes pointing inward towards the DMZ zone work?
07-29-2008 01:01 AM
int f/0--> ip nat inside
yes this is correct because you are going to nat all inside subnets behind f0/0.
07-28-2008 11:32 PM
I also have a query: in that case, is no NATing required on the firewall?
07-29-2008 12:55 AM
NATing is not required on the firewall as it will be taken care of by the router.
07-29-2008 01:48 AM
All NATing is already being taken care of by the ASA as it is running. The router will be installed now, so I don't want to change the ASA configuration.
Can this be done?
07-29-2008 02:19 AM
NAT for internet access is done on the router. If you want to hide the DMZ IP addresses, in this case NAT is done on the ASA.
07-29-2008 11:13 AM
07-29-2008 06:43 PM
OK, make PATing over your public IP on the router for all your internal networks,
like:
access-list 100 permit ip any any
route-map pating permit 10
match ip address 100
ip nat inside source route-map pating interface (your outside interface)
Then on your inside router interface:
ip nat inside
and on the outside interface:
ip nat outside
provided that you have the proper ACLs, NATing and default route on your PIX.
Also you should have the right default route configured on your router.
good luck
please, Rate if helpful
07-29-2008 10:03 PM
In the PIX I configured the default route towards the router inside interface and inside routes towards my LAN segment.
Did:
global (outside) 1 interface outside
global (intf2) 1 172.16.1.0 ---> intf2: dmz1
global (intf3) 1 172.16.2.0 ---> intf3: dmz2
nat (inside) 1 10.0.0.0
=============================================
Router:
access-list 100 permit ip any any
route-map pating permit 10
match ip address 100
ip nat inside source route-map pating interface fe0/1
int fe0/0
ip nat inside
int fe0/1
ip nat outside
ip route 0.0.0.0 0.0.0.0 fe0/1
Please check if it is OK, then I will try and update you.
07-29-2008 10:20 PM
What I suggest you do is remove the above NATing
and make a static NAT on your PIX for the whole subnet. I mean, you give exposure to the whole inside and DMZ subnets to the router, and on the router do the NATing as I told you.
Do the following on the PIX:
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
The above command does not actually translate inside addresses, so that the router can communicate with and see the 10.0.0.0 directly.
By the way, I assumed that the subnet mask is 255.255.255.0, but use whatever you have in your network.
Then do the same for the DMZ networks:
static (intf2,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (intf3,outside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
Again, put the subnet mask as you have it in your network.
And then do the PATing as I told you in the previous post.
ROUTER:
access-list 100 permit ip any any
route-map pating permit 10
match ip address 100
ip nat inside source route-map pating interface (your outside interface) overload
(don't forget the overload)
Then on your inside router interface:
ip nat inside
and on the outside interface:
ip nat outside
It should work.
And use your ACLs to control what is allowed from outside to inside or DMZ.
by the way
you can use the same concept between the inside and the dmz
good luck
please, Rate if helpful
07-29-2008 11:58 PM
By the way,
when you do the configuration I have mentioned on your PIX,
don't forget to remove all the NAT config that you have first, then do the config I told you about.
About the router:
try to put the word overload after the interface:
ip nat inside source route-map pating interface fe0/1 overload
Also, what kind of connection with the internet do you have?
ADSL or what?
08-06-2008 02:43 AM
Hi,
I tried as per your config but it is not working. Please find the config and try to help me out with this.
=============================================
!
access-list 100 permit ip any any
!
route-map pating permit 10
match ip address 100
!
ip nat inside source route-map pating interface f0/0 overload
!
interface FastEthernet0/1
ip address 192.168.10.2 255.255.255.252
ip nat inside
!
interface FastEthernet0/0
ip address 116.x.x.x 255.255.255.240
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 116.x.x.y
=============================================
route outside 0.0.0.0 0.0.0.0 192.168.10.2
route inside 10.0.0.0 255.0.0.0 10.20.10.6
access-list 110 extended permit icmp any any
access-list 110 extended permit ip any any
access-list 110 extended permit tcp any any
access-group 110 in interface inside
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
=============================================
Please suggest.
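An added example, not from any poster in this thread: a small Python linter for the kind of IOS NAT-overload stanza posted above. It assumes only the IOS syntax shown in the thread and uses a constructed copy of the posted stanza (typos included) as input; it flags the typos, a missing `overload`, a NAT source interface that is not marked `ip nat outside`, and a route-map ACL of `permit ip any any`, which makes the router PAT every source address it sees rather than just the inside and DMZ subnets.

```python
import re

# Constructed sample (not a real device): the router NAT stanza as posted in the
# thread, typos included, so the checker has something to flag.
POSTED_CONFIG = """\
access-list 100 pemirt ip any any
route-map pating permit 10
 match ip address 100
ip nat inside source route-map pating inteface f0/0
interface FastEthernet0/1
 ip nat inside
interface FastEthernet0/0
 ip nat outside
"""

def norm_if(name: str) -> str:
    """Fold 'f0/0', 'fe0/0' and 'FastEthernet0/0' onto one spelling."""
    return re.sub(r"^(fastethernet|fa|fe|f)(?=\d)", "fastethernet", name.lower())

def check_nat_config(config: str) -> list[str]:
    """Lint an IOS NAT-overload stanza; returns findings (empty list = nothing flagged)."""
    findings, nat_role, acl_any, rmap_acl = [], {}, set(), {}
    cur_if = cur_rmap = nat_if = nat_rmap = None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur_if, cur_rmap = norm_if(line.split()[1]), None
        elif line.startswith("route-map "):
            cur_rmap, cur_if = line.split()[1], None
        elif line in ("ip nat inside", "ip nat outside") and cur_if:
            nat_role[cur_if] = line.split()[-1]          # interface's NAT role
        elif re.fullmatch(r"access-list \d+ permit ip any any", line):
            acl_any.add(line.split()[1])                 # wide-open ACLs, by number
        elif line.startswith("access-list ") and not re.match(r"access-list \d+ (permit|deny) ", line):
            findings.append(f"malformed access-list (typo?): {line!r}")
        elif line.startswith("match ip address ") and cur_rmap:
            rmap_acl[cur_rmap] = line.split()[-1]        # route-map -> ACL number
        elif line.startswith("ip nat inside source "):
            m = re.fullmatch(r"ip nat inside source (route-map|list) (\S+) interface (\S+)( overload)?", line)
            if not m:
                findings.append(f"malformed ip nat statement (typo?): {line!r}")
                continue
            nat_if = norm_if(m.group(3))
            nat_rmap = m.group(2) if m.group(1) == "route-map" else None
            if not m.group(4):
                findings.append("'overload' missing: no PAT, only one-to-one translations")
    if nat_if and nat_role.get(nat_if) != "outside":
        findings.append(f"NAT source interface {nat_if} is not marked 'ip nat outside'")
    if nat_rmap and rmap_acl.get(nat_rmap) in acl_any:
        findings.append("route-map ACL is 'permit ip any any': scope it to the inside and DMZ subnets")
    return findings
```

Running `check_nat_config(POSTED_CONFIG)` reports the two typos; once those are fixed and `overload` is present, the only remaining finding is the wide-open route-map ACL.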
08-06-2008 02:55 AM
What is the problem with that config?
You mean you can't go from the firewall to the outside?
By the way, is the network 10.0.0.0 connected directly to your inside firewall interface?
What is this command?
route inside 10.0.0.0 255.0.0.0 10.20.10.6
Please describe it.
I think here we have a leak.
ok