I'm trying to figure out the best way to connect two ASA 5510s together and have run into a bit of a snag. I have two ASA 5510s, one has a CSC-SSM and will act as a Firewall, Antivirus and VPN (I'll call it the CSCASA) and the other has an AIP-SSM and will be solely used for IPS (I'll call it the IPSASA).
I had the CSCASA set up and working fine using PAT and TCP bypass (so I can get to my networks behind the MPLS), but now I want to put the IPSASA between my LAN and the CSCASA. I know that I will have to move the TCP bypass settings and static routes over to the IPSASA.
The CSCASA Ethernet 0/0 will connect to my ISP, Ethernet 0/1 will connect to Ethernet 0/0 on the IPSASA. Ethernet 0/1 on the IPSASA will connect to my LAN switch. I would like to have all inbound traffic flowing through the IPSASA scanned by the IPS and outbound traffic not scanned.
We are using several different networks (all 192.168.xxx.0). Some of these networks are remote offices that connect to our corporate network (192.168.120.0) through an MPLS network. All Internet traffic will go through the 192.168.120.0 network and out the IPSASA and CSCASA. I thought I would be able to assign CSCASA Ethernet 0/1 a 192.168.120.x address and IPSASA Ethernet 0/0 a 192.168.120.x address but I was not able to do this. Cisco recommended I use a different address to connect these two interfaces so I am using 192.168.230.1 and 192.168.230.2 for the respective interfaces.
What is the proper way to handle NAT in a situation like this with two ASAs? I can't see the point in having two devices performing NAT on traffic. I tried using "nat (inside) 0 192.168.0.0 255.255.0.0 0 0" on the IPSASA but it doesn't seem to work.
Please let me know if I am way off base here. Thanks for your help.
I see where the problem lies. Don't know how I missed it all this while. Anyway, add the below commands and see if it fixes the issue:
static (LAN,FW) 192.168.100.8 192.168.100.8
static (LAN,FW) 192.168.100.10 192.168.100.10
static (LAN,FW) 192.168.100.38 192.168.100.38
static (LAN,FW) 192.168.100.112 192.168.100.112
I am assuming these are the only 4 servers. If there are more, you will need to add the same commands for them as well. Also, in future, as you add newer servers, you will need to add the same command for them as well.
You can avoid this by just simply removing the command "nat-control" and hence you can remove the command "nat (LAN) 0 192.168.0.0 255.255.0.0" as well.
You can try out either of the above options. Let me know how it goes!
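For reference, here is an added configuration sketch for the IPSASA (not from either post in this thread) showing the access-list form of nat 0, which exempts traffic in both directions, next to the no nat-control alternative the reply mentions. It assumes ASA 8.2-style syntax, the interface names LAN and FW from the reply, the 192.168.230.x link addresses from the question, and an assumed LAN address of 192.168.120.1.

```cisco
! Added example, assumed ASA 8.2 syntax; interface names and addresses follow the thread.
interface Ethernet0/0
 nameif FW
 security-level 0
 ip address 192.168.230.2 255.255.255.0
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.120.1 255.255.255.0
!
! Default route toward the CSCASA link address.
route FW 0.0.0.0 0.0.0.0 192.168.230.1
!
! NAT exemption: nat 0 with an access-list is bidirectional, so connections
! arriving on FW for LAN hosts pass without a per-host static entry.
! The plain form "nat (LAN) 0 192.168.0.0 255.255.0.0" is identity NAT and
! only matches connections initiated from the LAN side, which is why inbound
! traffic to the servers needed static statements.
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 any
nat (LAN) 0 access-list NONAT
!
! Alternative from the reply: with nat-control off, untranslated traffic is
! allowed and neither the nat 0 line nor the statics are required.
! no nat-control
!
! Note: the interface ACL applied to FW (access-group) still decides which
! inbound connections are permitted; NAT exemption only removes the
! translation requirement.
```

Whichever option is used, the CSCASA keeps doing PAT toward the ISP, so only one device translates addresses.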