ASA 5505 Connected To Linksys Router

dchristm09
Level 1

Hello, I have a cable modem internet connection and my cable modem is connected to an ASA 5505. The inside interface of the ASA has an IP address of 192.168.2.2 and is connected to a Linksys router's internet port which has an IP address of 192.168.2.1. The Linksys router then has a local area network of 192.168.1.0 and all my clients are on that network. Everything is working fine except in my ASA logs all the traffic shows up as the router's external address which is 192.168.2.1. I would like to see the 192.168.1.x address of the clients in the ASA firewall. I've tried making some changes to the Linksys router but that hasn't resolved it. Are there any changes I can make on the ASA to get this to work? Below is some of the config:

ASA Version 8.2(5)
!
hostname djchristasa
enable password k7X9tTHKoCUET/3Z encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

I didn't post ACLs and some other things. Please let me know if you need more.

Thanks,

Dave

Accepted Solutions

Dave

The Linksys doing NAT is the reason why the ASA sees all the traffic as having source address as 192.168.2.1. The only way for the ASA to see the original 192.168.1.x address is to change the Linksys to not do NAT.

One thing that I notice is that there is not a route statement in what you posted for the 192.168.1.0 network. It is not clear whether the route does exist and you did not post it or whether the route does not exist. But if it does not exist it would certainly be a reason why you lose Internet connectivity when you change the Linksys to not perform NAT. (the ASA would have no knowledge of how to forward to the network and would drop all the traffic). Try adding the route to the ASA and changing the Linksys to not perform NAT and let us know if it works.

HTH

Rick


6 Replies

cadet alain
VIP Alumni

Hi,

If your Linksys is doing NAT, that is normal. Is there a way to disable NAT on such routers? I don't know, but you should ask in the small business section and maybe they will tell you how to do it if it's possible.

Regards.

Alain.

Don't forget to rate helpful posts.

The Linksys is doing NAT.  When I disable the NAT on the Linksys router I lose my internet connection.

Dave

Hi Dave,

In the Linksys router there is an option where we can select the router mode. By default, gateway is the mode. Make it router, and configure the default route to the ASA's inside IP address. Also put a route in the ASA to route to the LAN network. You can configure it as below.

route inside 192.168.1.0 255.255.255.0 192.168.2.1

I hope this will work.

Thanks

Vipin

Thanks and Regards, Vipin

I had my route in ASA going to 192.168.1.1 instead of 2.1.  I then turned off NAT on router and everything works correctly.  Thanks for help.

Dave
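
An added example, not part of the original thread: a small Python check for the mistake described in the post above, where the ASA's static route for the LAN points at a next hop that is not on the named interface's connected subnet. The sample config is constructed from the interface lines posted earlier plus the mis-pointed route, and the names `parse` and `check_lan_route` are hypothetical.

```python
import ipaddress

# Constructed sample: interface lines from the posted config plus the
# mis-pointed route described in the thread (next hop 192.168.1.1).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address dhcp setroute
!
route inside 192.168.1.0 255.255.255.0 192.168.1.1
"""

def parse(config):
    """Return ({nameif: connected network}, [(nameif, destination, next_hop)])."""
    connected, routes, nameif = {}, [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "interface":
            nameif = None  # a new interface block starts; its name follows
        elif tok[0] == "nameif" and len(tok) == 2:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) >= 4 and tok[2] != "dhcp":
            connected[nameif] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif tok[0] == "route" and len(tok) >= 5:
            dest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}")
            routes.append((tok[1], dest, ipaddress.ip_address(tok[4])))
    return connected, routes

def check_lan_route(config, lan):
    """List problems with the static route the ASA needs to reach `lan`."""
    connected, routes = parse(config)
    lan = ipaddress.ip_network(lan)
    # Ignore the default route: it points outside and cannot reach the LAN.
    covering = [r for r in routes if r[1].prefixlen > 0 and lan.subnet_of(r[1])]
    if not covering:
        return [f"no static route covers {lan}"]
    problems = []
    for nameif, dest, hop in covering:
        net = connected.get(nameif)
        if net is None:
            problems.append(f"route {dest}: interface {nameif} has no static address")
        elif hop not in net:
            problems.append(f"route {dest}: next hop {hop} is not on {nameif} subnet {net}")
    return problems
```

With the route corrected to the Linksys internet-port address 192.168.2.1, `check_lan_route` returns an empty list.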

Thanks for posting back to the forum to indicate that you have solved the problem. I am glad that my suggestion pointed you toward the solution. Thank you for using the rating system to indicate that the question was answered (and thanks for the points). It makes the forum more useful when people can read about an issue and can know that a solution will be in the thread. Your marking has contributed to this process.

HTH

Rick
