09-07-2010 04:40 AM - edited 03-11-2019 11:36 AM
Hi,
Trying to get my ASA 5505 to route between outside, DMZ and inside without using NAT, as all networks are internal. With NAT it works perfectly, but
when removing the NAT rule for inside, the inside network can't reach the internet (nor the /24 on the outside interface).
Outside: DHCP (on 10.10.10.0/24)
DMZ: 10.90.90.1/24
Inside: 192.168.0.0/24
With "no nat (inside) 1 0.0.0.0 0.0.0.0", all outbound connection attempts time out. All I see in the ASDM log is:
6|Sep 07 2010|11:22:46|302013|100.112.31.20|192.168.0.2|Built outbound TCP connection 527 for outside:100.112.31.20/80 (100.112.31.20/80) to inside:192.168.0.2/2710 (192.168.0.2/2710)
3|Sep 07 2010|11:22:46|106100|192.168.0.2|100.112.31.20|access-list outside_access_out permitted tcp inside/192.168.0.2(2710) -> outside/100.112.31.20(80) hit-cnt 1 first hit [0x3bdfb084, 0x0]
6|Sep 07 2010|11:22:42|302014|100.112.31.20|192.168.0.2|Teardown TCP connection 524 for outside:100.112.31.20/80 to inside:192.168.0.2/2709 duration 0:00:30 bytes 0 SYN Timeout
09-07-2010 04:45 AM
You would need to configure NAT exemption for the traffic between the inside interface and the DMZ and outside that you do not want to NAT.
From the current configuration, your inside network can access the DMZ and the VPN IP pool without being NATed, and to access the outside subnet that has a private IP range, you would need to add the following ACL:
access-list inside_nat0_outbound extended permit ip any
Removing "nat (inside) 1 0.0.0.0 0.0.0.0" will stop traffic towards the Internet, as traffic needs to be NATed/PATed when going to the Internet for it to be routable.
Hope that helps.
09-07-2010 04:48 AM
Hi,
The reason for not NATing traffic to the internet is that another firewall lies in front of the ASA. That other firewall does NAT, and hence I will need no NAT whatsoever, just routes. Isn't this right?
(That other firewall is the default GW of the ASA too.)
09-07-2010 04:51 AM
Yes, if the other firewall is performing the NAT, then you would need to make sure that you have routes for each of the internal networks pointing back towards the internal ASA outside interface ip address. Otherwise, the external ASA would not know how to route back towards the internal subnets. The reason why it works when you NAT the traffic to the internal ASA outside interface IP is because the internal ASA outside interface would be in the same subnet as the external ASA inside interface, hence, no routing is required.
Hope that makes sense.
09-07-2010 05:01 AM
If I understand you correctly, the ASA has no problem routing between the LAN hosts and the hosts on the internet and on the 10.10.10.0/24 network.
Rather, the problem lies in the answer, i.e. neither the other firewall nor the hosts in 10.10.10.0/24 know how to answer back to the internal IPs of the ASA's LAN.
If I understood you correctly, all I need is a static route on the primary (non-ASA) firewall. Sorry for the Linux syntax, but something like:
for each of the ASA's internal networks, do:
    ip route add $internal_net_of_asa via $outside_address_of_asa
09-07-2010 05:19 AM
Yes, you are absolutely correct.
09-07-2010 07:41 AM
09-08-2010 06:16 PM
Yes, this line should not be in the config:
nat (outside) 1 10.80.80.0 255.255.255.0
Please remove it, and "clear xlate".
And also, the access-list inside_nat0_outbound has not included the external private subnet yet.
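The thread ends with two separate fixes: the NAT-exemption ACL on the ASA for the private subnet behind the outside interface (the 04:45 AM and 09-08-2010 replies), and return routes on the upstream firewall pointing each internal network at the ASA's outside address (the 04:51 AM and 05:01 AM exchange). The script below is an added example, not code from the thread or from Cisco; it takes the addressing the poster gave (inside 192.168.0.0/24, DMZ 10.90.90.0/24, outside on 10.10.10.0/24) and emits both halves in pre-8.3 ASA syntax and iproute2 syntax. The ASA's outside DHCP lease (10.10.10.50) and the upstream firewall's inside address (10.10.10.1/24) are assumed values, and the on-link check is there to show why PAT to the ASA outside address "just works" while plain routing does not: the upstream box only knows its directly connected subnet.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Generates the NAT exemption for the ASA
# (8.2-era "nat 0 access-list" syntax) and the return routes for the upstream
# Linux firewall, from the addressing in the post. Addresses marked "assumed"
# are not in the thread.

ASA_OUTSIDE_IP="10.10.10.50"                              # assumed DHCP lease on the ASA outside interface
UPSTREAM_INSIDE_CIDR="10.10.10.1/24"                      # assumed inside interface of the upstream firewall
ASA_INTERNAL_NETS="inside:192.168.0.0/24 dmz:10.90.90.0/24"  # interface:network pairs from the post
OUTSIDE_NET="10.10.10.0/24"                               # subnet on the ASA outside interface, from the post

# Dotted quad -> 32-bit integer, and back.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
# Prefix length -> netmask as an integer (bash arithmetic is 64-bit, so mask the result).
prefix2maskint() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# "a.b.c.d/p" -> "network netmask", the form ASA access-list and route commands take.
cidr2asa() {
    local addr=${1%/*} plen=${1#*/}
    local mask; mask=$(prefix2maskint "$plen")
    echo "$(int2ip $(( $(ip2int "$addr") & mask ))) $(int2ip "$mask")"
}

# Succeeds if address $1 lies inside subnet $2 (address/prefix).
same_subnet() {
    local mask; mask=$(prefix2maskint "${2#*/}")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# ASA side: one exemption ACL per internal interface, permitting that interface's
# network to the outside private subnet, bound with "nat (<iface>) 0".
asa_nat_exempt_config() {
    local entry iface net
    for entry in $ASA_INTERNAL_NETS; do
        iface=${entry%%:*}; net=${entry#*:}
        echo "access-list ${iface}_nat0_outbound extended permit ip $(cidr2asa "$net") $(cidr2asa "$OUTSIDE_NET")"
        echo "nat ($iface) 0 access-list ${iface}_nat0_outbound"
    done
}

# Upstream firewall side: a return route per internal network via the ASA outside
# address. The next hop has to be on a directly connected subnet of the upstream
# box, otherwise the kernel rejects the route and replies are dropped exactly as
# the SYN Timeout teardowns in the post show.
upstream_routes() {
    local via=${1:-$ASA_OUTSIDE_IP} entry net
    if ! same_subnet "$via" "$UPSTREAM_INSIDE_CIDR"; then
        echo "next hop $via is not on-link for $UPSTREAM_INSIDE_CIDR; route would be rejected" >&2
        return 1
    fi
    for entry in $ASA_INTERNAL_NETS; do
        net=${entry#*:}
        echo "ip route add $net via $via"
    done
}

# Stand-alone run: print both halves of the fix.
echo "ASA config (8.2 syntax):"
asa_nat_exempt_config
echo "Upstream Linux firewall:"
upstream_routes
```

Paste the ASA lines into configuration mode and follow them with "clear xlate", as the last reply says; the route lines go on the upstream firewall and should be made persistent in whatever way that distribution keeps static routes. Calling upstream_routes with a next hop outside 10.10.10.0/24 fails on purpose, which is the same condition that makes un-NATed traffic from 192.168.0.0/24 unroutable for the upstream box.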