When no nat, how come it does not route?

Answered Question
Sep 7th, 2010

Hi,

Trying to get my ASA 5505 to route between outside, DMZ and inside without using NAT, as all networks are internal. With NAT it works perfectly, but
when removing the NAT rule of inside, the inside network can't reach the internet (nor the /24 on the outside interface).

Outside: DHCP (on 10.10.10.0/24)
DMZ: 10.90.90.1/24
Inside: 192.168.0.0/24

When: no nat (inside) 1 0.0.0.0 0.0.0.0, then all outbound connection attempts time out. All I see in the ASDM log is:
6|Sep 07 2010|11:22:46|302013|100.112.31.20|192.168.0.2|Built outbound TCP connection 527 for outside:100.112.31.20/80 (100.112.31.20/80) to inside:192.168.0.2/2710 (192.168.0.2/2710)
3|Sep 07 2010|11:22:46|106100|192.168.0.2|100.112.31.20|access-list outside_access_out permitted tcp inside/192.168.0.2(2710) -> outside/100.112.31.20(80) hit-cnt 1 first hit [0x3bdfb084, 0x0]
6|Sep 07 2010|11:22:42|302014|100.112.31.20|192.168.0.2|Teardown TCP connection 524 for outside:100.112.31.20/80 to inside:192.168.0.2/2709 duration 0:00:30 bytes 0 SYN Timeout

Jennifer Halim Tue, 09/07/2010 - 04:45

You would need to configure NAT exemption for the traffic between the inside interface and the DMZ and outside that you do not want to perform NAT on.

From the current configuration, your inside network can access the DMZ and the VPN IP pool without being NATed, and to access the outside subnet that has a private IP range, you would need to add the following ACL:

access-list inside_nat0_outbound extended permit ip any

Removing "nat (inside) 1 0.0.0.0 0.0.0.0" will stop traffic towards the Internet, as traffic needs to be NATed/PATed when going to the Internet for it to be routable.

Hope that helps.

3moloz123 Tue, 09/07/2010 - 04:48

Hi,

The reason for not NATing traffic to the internet is that another firewall lies in front of the ASA. That other firewall does NAT, and hence I will need no NAT whatsoever, just routes. Isn't this right?

(That other firewall is the default GW of the ASA too.)

Correct Answer
Jennifer Halim Tue, 09/07/2010 - 04:51

Yes, if the other firewall is performing the NAT, then you would need to make sure that you have routes for each of the internal networks pointing back towards the internal ASA outside interface IP address. Otherwise, the external ASA would not know how to route back towards the internal subnets. The reason why it works when you NAT the traffic to the internal ASA outside interface IP is that the internal ASA outside interface would be in the same subnet as the external ASA inside interface, hence no routing is required.

Hope that makes sense.

3moloz123 Tue, 09/07/2010 - 05:01

If I understand you correctly, the ASA has no problem routing between the LAN hosts and those hosts on the internet and on the 10.10.10.0/24 network.

Rather, the problem lies in the answer, i.e. neither the other firewall nor the hosts in 10.10.10.0/24 know how to answer back to the internal IPs of the ASA's LAN.

If I understood you correctly, all I need is a static route on the primary (non-ASA) firewall. Sorry for the Linux syntax, but something like:

For every one of the ASA's internal networks, do:

route add -net $internal_net_of_asa netmask $internal_netmask gw $outside_address_of_asa
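To make the return-path point from Jennifer's answer and the route-per-network idea above concrete, here is an added model (not code from the thread) of the upstream firewall's routing table with a longest-prefix-match lookup. The ASA outside address 10.10.10.5 is an assumption (the post only says it is a DHCP lease on 10.10.10.0/24); the ISP next hop and the internal host addresses are constructed for illustration.

```python
import ipaddress

# Assumed: the ASA's outside interface holds this DHCP lease on 10.10.10.0/24.
ASA_OUTSIDE_IP = "10.10.10.5"
# The ASA's internal networks from the post (inside and DMZ).
ASA_INTERNAL_NETS = ["192.168.0.0/24", "10.90.90.0/24"]


def lookup(table, dst):
    """Longest-prefix match: next hop for dst, or None if no route matches."""
    dst = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def upstream_table(with_return_routes):
    """Constructed routing table of the upstream (non-ASA) firewall."""
    table = [
        ("10.10.10.0/24", "connected"),  # its inside segment, shared with the ASA
        ("0.0.0.0/0", "isp"),            # default route towards the Internet
    ]
    if with_return_routes:
        # One static route per ASA-internal network, next hop = ASA outside IP.
        table += [(net, ASA_OUTSIDE_IP) for net in ASA_INTERNAL_NETS]
    return table


def return_path(with_return_routes, internal_host="192.168.0.2"):
    """Where the upstream firewall forwards the SYN-ACK destined for an ASA host.
    'isp' means the reply leaves towards the Internet and the ASA sees a SYN
    Timeout (log 302014); the ASA outside IP means the reply comes back."""
    return lookup(upstream_table(with_return_routes), internal_host)


def route_commands():
    """The static routes to add on the upstream firewall (iproute2 syntax)."""
    return [f"ip route add {net} via {ASA_OUTSIDE_IP}" for net in ASA_INTERNAL_NETS]


if __name__ == "__main__":
    print("without routes:", return_path(False))   # isp -> SYN Timeout
    print("with routes:   ", return_path(True))    # 10.10.10.5
    print("\n".join(route_commands()))
```

The `"connected"` result for a 10.10.10.0/24 destination is why NAT to the ASA outside interface worked without any routes, exactly as the answer explains.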

3moloz123 Tue, 09/07/2010 - 07:41

I'm really sorry, but somehow I screwed up the NAT config. I am comparing it to the old one I had posted earlier, and now it does not work.

The reason I need it is that we'd like to change the setup.

Can you spot anything obvious?

Jennifer Halim Wed, 09/08/2010 - 18:16

Yes, this line should not be in the config:

nat (outside) 1 10.80.80.0 255.255.255.0

Please remove it, and "clear xlate".

And also, the access-list inside_nat0_outbound has not included the external private subnet yet.
