Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA5505 and Nat

Okay so here is my network setup. I have a 1 ASA5505 setup at a remote location. My internet/voice provider has a router at that location also to route traffic over the MPLS for our location to location traffic, and to route traffic to the internet. Because I have don't have any other layer 3 equipment there I'm using the ASA for routing traffic and for sending traffic to the internet. So basically..

ASA5505 192.168.12.254

Internal Router IP 192.168.12.253

External Router IP: 24.120.122.144

Other networks: 192.168.4.0/24

So when that station needs to go out the internet it uses the firewall forwards that traffic out of its outside interface.

When it needs to route traffic over the MPLS (say something to 192.168.4.2) it routes it back out of its internal interface to 192.168.12.253..

Well this was working all great and dandy until we added a server and I setup NAT and port forwarding. With that in place it seems as though its trying to NAT internal traffic that is suppose to be routed. So locally everything is fine. Externally its fine, say I want to use FTP thats okay. However anything that the firewall is supposedly routing to 192.168.12.253 its like its getting translated I think and i don't know. For some reason NAT all together is breaking the routing that was working. So basically I'm stuck.. Any ideas on what I'm doing wrong?


access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.252.0 192.168.0.96 255.255.255.224 

nat (inside) 0 access-list inside_nat0_outbound nat (inside) 3 192.168.12.0 255.255.255.0 nat (inside) 2 192.168.13.0 255.255.255.0 nat (inside) 2 192.168.14.0 255.255.255.0 static (inside,outside) x.x.x.x 192.168.12.203 netmask 255.255.255.255  static (inside,inside) 192.168.12.0 192.168.12.0 netmask 255.255.252.0 norandomseq nailed  static (inside,outside) x.x.x.x 192.168.12.112 netmask 255.255.255.255  access-group inside_access_in in interface inside access-group outside_access_in in interface outside route inside 192.168.4.0 255.255.252.0 192.168.12.253 1 route inside 192.168.8.0 255.255.252.0 192.168.12.253 1 route inside 192.168.16.0 255.255.252.0 192.168.12.253 1 route inside 192.168.20.0 255.255.252.0 192.168.12.253 1 route inside 192.168.28.0 255.255.252.0 192.168.12.253 1 route inside 192.168.0.0 255.255.255.224 192.168.12.253 1

3 REPLIES
Super Bronze

ASA5505 and Nat

Hi,

Are you saying that you have your Internet connection which is attached to the ASA5505 and you also have a separate Router and both the ASA and the Router is connected to the same switched network on the LAN side.

And basically any traffic coming from LAN hosts will first reach ASA then jump back to the LAN to the gateway address of the Router at your site?

What is your ASA5505 license? Is it a Base License or Security Plus? You can confirm this with "show version" command

- Jouni

New Member

Re: ASA5505 and Nat

I hope I answer your question correctly, so here we go..

My provider gave me a router and a switch.. On their switch I have two ports, inside (gig0/1) and outside gig(0/2) pretty much.

So I connect their gig0/1 into my layer two switch, and then connect my inside interface into the same switch.. Then I connect my outside interface to their gig0/2.

Does that answer the question??

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs                       : 3, DMZ Restricted

Inside Hosts                : Unlimited

Failover                    : Disabled

VPN-DES                     : Enabled

VPN-3DES-AES                : Enabled

VPN Peers                   : 10

WebVPN Peers                : 2

Dual ISPs                   : Disabled

VLAN Trunk Ports            : 0

This platform has a Base license.

Super Bronze

ASA5505 and Nat

Hi,

Where does the router come in?

You said a Provider switch is connected to your LAN switch and your ASA is also connected to your LAN switch through its "inside" interface. You also say that the ASA is connected on its "outside" to the Provider switch?

Where exactly is the router connected? Is it connected to the Provider switch? And is the router the gateway to some other local network? Is this router different from your actual internet gateway router what the ASA uses as next hop?

I am just wondering that it might be a lot easier for the ASA now and in the future if you had the connection to the other remote networks coming through a DMZ interface on the ASA. Then you wouldnt have to route traffic back through the "inside" interface.

Though with your license this might provide to be tricky depending on some things

- Jouni

120
Views
0
Helpful
3
Replies
CreatePlease to create content