NAT Rule

Unanswered Question
Apr 20th, 2009
User Badges:


We're trying to deploy a new ASA5505 and Cisco2811 that's behind the FW. The inside of the FW is connected to the router (assigned with a public IP of /30). The LAN range is behind the router, and is to be NAT'd on the outside interface of the FW. Is this logically possible? When I try to do a packet trace from the ASA ASDM, LAN is not able to reach the internet.

Also, from ASDM, what is the difference between the packet trace button from Access rule and the packet trace from NAT rule window? Coz when I added a specific dynamic NAT rule for the LAN range to the outside IP address of the FW (besides from the default dynamic NAT assigned to outside), the packet trace going to the internet is okay. But when I try the packet trace from the access rule window (allowing ip from LAN range to any on inside_access_in), I'm getting a NAT lookup error.

Any thoughts?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)


Why would you honestly want to have a public IP address between the firewall inside and the router, then NAT on the firewall outside.

You topology is incorrect - The Firewall inside and the router should be configured on a privtae IP subnet. Have the firewall outside directly connected to the internet - have NAT performed on the firewall.


AxiomConsulting Tue, 04/21/2009 - 01:00
User Badges:


With regards to your first question, I believe this is possible in 2 ways.

1. If your ASA is running in transparent mode, this would mean that NAT would have to be done on your router.

2. If your ASA is running in routed mode you would either have to have another public IP range to assign to the outside of the ASA, or re-IP the inside of the ASA / outside of the router with another private IP range.

As for your ASDM question, I'm not to sure! I'm more a CLI person!



patricia20 Tue, 04/21/2009 - 12:56
User Badges:

Hi Steve,

Thanks for your reply. The ASA is configured in routed mode. It has a different public IP assigned to the outside interface. With this, are there additional configurations that I need to note in order to allow the LAN (from behind the router) to be able to access the internet?

Thanks! :)

AxiomConsulting Wed, 04/22/2009 - 08:04
User Badges:


Ensure that the router is not doing any NAT, ensure ACLs on the Firewall represent the LAN ip address range, also ensure that the traffic is getting NATed on the firewall itself (maybe for testing configure a static NAT).

Obviously check routing on the router.

If its easier, post your config



patricia20 Sun, 04/26/2009 - 19:46
User Badges:

Hi Steve,

Thanks for these notes. We have completed the migration and it worked! :)




This Discussion