Okay so here is my network setup. I have an ASA5505 set up at a remote location. My internet/voice provider has a router at that location also, to route traffic over the MPLS for our location-to-location traffic and to route traffic to the internet. Because I don't have any other layer 3 equipment there, I'm using the ASA for routing traffic and for sending traffic to the internet. So basically..
Internal Router IP 192.168.12.253
External Router IP: 18.104.22.168
Other networks: 192.168.4.0/24
So when that station needs to go out to the internet it uses the firewall, which forwards that traffic out of its outside interface.
When it needs to route traffic over the MPLS (say something to 192.168.4.2) it routes it back out of its internal interface to 192.168.12.253.
Well this was working all great and dandy until we added a server and I set up NAT and port forwarding. With that in place it seems as though it's trying to NAT internal traffic that is supposed to be routed. So locally everything is fine. Externally it's fine; say I want to use FTP, that's okay. However anything that the firewall is supposedly routing to 192.168.12.253, it's like it's getting translated, I think, and I don't know. For some reason NAT altogether is breaking the routing that was working. So basically I'm stuck.. Any ideas on what I'm doing wrong?
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.252.0 192.168.0.96 255.255.255.224
Are you saying that you have your Internet connection which is attached to the ASA5505 and you also have a separate Router, and both the ASA and the Router are connected to the same switched network on the LAN side?
And basically any traffic coming from LAN hosts will first reach ASA then jump back to the LAN to the gateway address of the Router at your site?
What is your ASA5505 license? Is it a Base License or Security Plus? You can confirm this with the "show version" command.
You said a Provider switch is connected to your LAN switch and your ASA is also connected to your LAN switch through its "inside" interface. You also say that the ASA is connected on its "outside" to the Provider switch?
Where exactly is the router connected? Is it connected to the Provider switch? And is the router the gateway to some other local network? Is this router different from your actual internet gateway router that the ASA uses as next hop?
I am just wondering that it might be a lot easier for the ASA now and in the future if you had the connection to the other remote networks coming through a DMZ interface on the ASA. Then you wouldn't have to route traffic back through the "inside" interface.
Though with your license this might prove to be tricky depending on some things.
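Added example, not from the thread: a small Python check of which flows the nat0 exemption ACL quoted in the original post actually covers, evaluated first-match the way the ASA evaluates an ACL, which is the first thing to verify when hairpinned MPLS traffic appears to be translated. It assumes a LAN host 192.168.12.10 and includes a hypothetical second ACL entry for 192.168.4.0/24 that the poster's configuration does not show.

```python
import ipaddress

# Constructed sample: the nat0 exemption ACL quoted in the post, plus a
# hypothetical second entry covering the MPLS network 192.168.4.0/24.
ACL_FROM_POST = (
    "access-list inside_nat0_outbound extended permit ip "
    "192.168.12.0 255.255.252.0 192.168.0.96 255.255.255.224\n"
)
CANDIDATE_MPLS_ENTRY = (
    "access-list inside_nat0_outbound extended permit ip "
    "192.168.12.0 255.255.255.0 192.168.4.0 255.255.255.0\n"
)

def _network(tokens, i):
    """Read one ASA address spec at tokens[i]; return (network, tokens consumed)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), 2
    # ASA ACLs use dotted netmasks (not wildcards); ipaddress accepts "addr/netmask".
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), 2

def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny ip SRC DST' lines (ip only)."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
            continue
        src, used = _network(t, 5)
        dst, _ = _network(t, 5 + used)
        rules.append((t[3], src, dst))
    return rules

def nat_exempt(rules, src_ip, dst_ip):
    """First-match semantics: True only if the first matching entry is a permit."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in rules:
        if s in src and d in dst:
            return action == "permit"
    return False

def check_flows(acl_text, src_ip, destinations):
    """Map each destination to whether the flow from src_ip is exempt from NAT."""
    rules = parse_acl(acl_text)
    return {dst: nat_exempt(rules, src_ip, dst) for dst in destinations}

if __name__ == "__main__":
    # Constructed flows: LAN host (assumed 192.168.12.10) to a host inside the
    # exempted /27, to the MPLS site named in the post, and to an internet address.
    flows = ["192.168.0.100", "192.168.4.2", "203.0.113.10"]
    print(check_flows(ACL_FROM_POST, "192.168.12.10", flows))
    print(check_flows(ACL_FROM_POST + CANDIDATE_MPLS_ENTRY, "192.168.12.10", flows))
```

With only the quoted entry, traffic to 192.168.4.2 does not match the exemption, so it falls through to whatever NAT rules apply; the added /24 entry makes it match.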