ASA5520 Dual-Tier NAT

Unanswered Question
Jul 6th, 2012

Hey all:


I am having some issues getting internet traffic to pass to inside hosts on two Cisco ASA 5520s running 8.4 ASA IOS.


The setup is a 2-tiered FW.


Inside Hosts -- ASA5520 -- DMZ Hosts -- ASA5520 -- Internet Provider


Inside FW Network: 10.10.10.0/24

Perimeter FW Network: 10.10.0.0/24

NAT Network: 172.16.10.0/24

Real IP Network: 192.168.1.0/24


Inside Host: 10.10.10.10

Inside FW: 10.10.10.1/24

Inside NAT: nat (inside,outside) source static 10.10.10.10 172.16.10.10 unidirectional


interface GigabitEthernet0/0
 nameif outside
 ip address 10.10.5.2 255.255.255.252

interface GigabitEthernet0/1
 nameif inside
 ip address 10.10.10.1 255.255.255.0


Outside FW: 10.10.0.1/24

Outside NAT: nat (inside,outside) source static 172.16.10.10 192.168.1.225 unidirectional


interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.1.2 255.255.255.0

interface GigabitEthernet0/1
 nameif inside
 ip address 10.10.5.1 255.255.255.252

interface GigabitEthernet0/2
 nameif dmz
 ip address 10.10.0.1 255.255.255.0


The two firewalls are connected through the 10.10.5.0/30 network.


Inside FW route:

route outside 0.0.0.0 0.0.0.0 10.10.5.1


Outside FW routes:

route outside 0.0.0.0 0.0.0.0 192.168.1.1

route inside 10.10.10.0 255.255.255.0 10.10.5.2


I can see the traffic passing, but I am just getting SYN timeouts and a few TCP reset-I and TCP reset-O messages in the logs.

Jennifer Halim Fri, 07/06/2012 - 02:30
Cisco Employee

You would need to configure a route for the 172.16.10.10 NATed address on the Outside FW, because you are NATing to that IP address; it doesn't know about, and doesn't need to route to, the real subnet (10.10.10.0/24), hence you don't need the following route:

route inside 10.10.10.0 255.255.255.0 10.10.5.2

What you need is:

route inside 172.16.10.10 255.255.255.255 10.10.5.2
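Added example (not from the thread or from Cisco): a small Python model of the topology posted in the question, reconstructed from its interface, NAT and route lines, that traces the return packet for the inside host once through the outside FW's route table as posted and once with the /32 route from this reply added. The addresses are the ones in the question; the route tables and the bidirectional treatment of the two static NAT rules are assumptions of the model (the posted rules carry "unidirectional", which the model does not represent).

```python
from ipaddress import ip_address, ip_network

# Constructed model of the two-tier ASA topology from the question (example
# code, not Cisco configuration). Route tables are reconstructed from the
# posted interface and "route" lines and are an assumption of this model.


def lookup(routes, dst):
    """Longest-prefix match. routes: list of (prefix, egress_interface, next_hop)."""
    best = None
    for prefix, iface, next_hop in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return best


# Inside FW: connected interfaces plus the posted default route.
INSIDE_FW_ROUTES = [
    ("10.10.10.0/24", "inside", None),
    ("10.10.5.0/30", "outside", None),
    ("0.0.0.0/0", "outside", "10.10.5.1"),
]

# Outside FW exactly as posted in the question (the 10.10.10.0/24 route included).
OUTSIDE_FW_ROUTES_AS_POSTED = [
    ("192.168.1.0/24", "outside", None),
    ("10.10.5.0/30", "inside", None),
    ("10.10.0.0/24", "dmz", None),
    ("0.0.0.0/0", "outside", "192.168.1.1"),
    ("10.10.10.0/24", "inside", "10.10.5.2"),
]

# Outside FW with the /32 route from the reply added.
OUTSIDE_FW_ROUTES_WITH_FIX = OUTSIDE_FW_ROUTES_AS_POSTED + [
    ("172.16.10.10/32", "inside", "10.10.5.2"),
]

# Static NAT pairs (real, mapped) on each tier, as posted. The model applies them
# in both directions; the thread's "unidirectional" keyword is not represented.
INSIDE_FW_NAT = ("10.10.10.10", "172.16.10.10")
OUTSIDE_FW_NAT = ("172.16.10.10", "192.168.1.225")


def trace_return(outside_routes):
    """Follow the SYN-ACK from the internet back toward the inside host.

    Returns a list of (firewall, destination after untranslation, egress interface)
    and stops at the first hop that does not forward toward the inside tier.
    """
    hops = []
    # The internet host answers the outermost mapped address 192.168.1.225; the
    # outside FW untranslates it to 172.16.10.10 and then routes that address.
    dst = OUTSIDE_FW_NAT[0]
    iface = lookup(outside_routes, dst)[1]
    hops.append(("outside-fw", dst, iface))
    if iface != "inside":
        return hops  # only the default route matched: packet heads back to the ISP
    # The inside FW untranslates 172.16.10.10 to the real host and routes it.
    dst = INSIDE_FW_NAT[0]
    iface = lookup(INSIDE_FW_ROUTES, dst)[1]
    hops.append(("inside-fw", dst, iface))
    return hops


def delivered(outside_routes):
    """True when the return packet reaches the inside host's segment."""
    last = trace_return(outside_routes)[-1]
    return last[0] == "inside-fw" and last[2] == "inside"


if __name__ == "__main__":
    for label, table in (("as posted", OUTSIDE_FW_ROUTES_AS_POSTED),
                         ("with /32 route", OUTSIDE_FW_ROUTES_WITH_FIX)):
        print(label, trace_return(table), "delivered:", delivered(table))
```

With the table as posted, the only route matching 172.16.10.10 on the outside FW is the default, so the SYN-ACK is sent back out toward the ISP and the inside host only ever sees a SYN timeout; the extra 10.10.10.0/24 route never participates because the outside FW never routes the real address. With the /32 added, the longest match points at the inside interface and the inside FW finishes the untranslation.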

Gourav Bathla Fri, 07/06/2012 - 04:55
Another option you can go for:

1) On the inside firewall

object network server
 host 10.10.10.10

access-list OUTSIDEIN extended permit ip any object server
access-group OUTSIDEIN in interface outside

2) On the outside firewall

object network server
 host 10.10.10.10
 nat (inside,outside) static 192.168.1.225

access-list OUTSIDEIN extended permit ip any object server
access-group OUTSIDEIN in interface outside
