ASA5505 and Nat

mikewillis
Level 1

Okay, so here is my network setup. I have an ASA5505 set up at a remote location. My internet/voice provider has a router at that location also, to route traffic over the MPLS for our location-to-location traffic and to route traffic to the internet. Because I don't have any other layer 3 equipment there, I'm using the ASA for routing traffic and for sending traffic to the internet. So basically:

ASA5505 192.168.12.254

Internal Router IP 192.168.12.253

External Router IP: 24.120.122.144

Other networks: 192.168.4.0/24

So when a station needs to go out to the internet it uses the firewall, which forwards that traffic out of its outside interface.

When it needs to route traffic over the MPLS (say something to 192.168.4.2), it routes it back out of its internal interface to 192.168.12.253.

Well, this was working all great and dandy until we added a server and I set up NAT and port forwarding. With that in place it seems as though it's trying to NAT internal traffic that is supposed to be routed. So locally everything is fine. Externally it's fine; say I want to use FTP, that's okay. However, anything that the firewall is supposedly routing to 192.168.12.253, it's like it's getting translated, I think, and I don't know. For some reason NAT altogether is breaking the routing that was working. So basically I'm stuck. Any ideas on what I'm doing wrong?


access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.252.0 192.168.0.96 255.255.255.224

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 3 192.168.12.0 255.255.255.0
nat (inside) 2 192.168.13.0 255.255.255.0
nat (inside) 2 192.168.14.0 255.255.255.0
static (inside,outside) x.x.x.x 192.168.12.203 netmask 255.255.255.255
static (inside,inside) 192.168.12.0 192.168.12.0 netmask 255.255.252.0 norandomseq nailed
static (inside,outside) x.x.x.x 192.168.12.112 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 192.168.4.0 255.255.252.0 192.168.12.253 1
route inside 192.168.8.0 255.255.252.0 192.168.12.253 1
route inside 192.168.16.0 255.255.252.0 192.168.12.253 1
route inside 192.168.20.0 255.255.252.0 192.168.12.253 1
route inside 192.168.28.0 255.255.252.0 192.168.12.253 1
route inside 192.168.0.0 255.255.255.224 192.168.12.253 1
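An added check, not from the thread or from Cisco, that loads the posted nat 0 exemption ACL and static routes and reports, for a few constructed inside flows, which next hop each takes and whether it matches the exemption ACL. It models only longest-prefix routing and the exemption ACL, not the ASA's full NAT order of operations; the default route out "outside" via 24.120.122.144 and the 192.168.12.10 source host are assumptions, since the post shows neither.

```python
import ipaddress

# nat 0 exemption ACL lines from the posted config: (src, src_mask, dst, dst_mask)
NAT0_ACL = [
    ("192.168.12.0", "255.255.252.0", "192.168.0.96", "255.255.255.224"),
]

# Static routes from the posted config: (egress_interface, network, mask, next_hop)
ROUTES = [
    ("inside", "192.168.4.0", "255.255.252.0", "192.168.12.253"),
    ("inside", "192.168.8.0", "255.255.252.0", "192.168.12.253"),
    ("inside", "192.168.16.0", "255.255.252.0", "192.168.12.253"),
    ("inside", "192.168.20.0", "255.255.252.0", "192.168.12.253"),
    ("inside", "192.168.28.0", "255.255.252.0", "192.168.12.253"),
    ("inside", "192.168.0.0", "255.255.255.224", "192.168.12.253"),
    # Assumed default route toward the provider's external router (not in the post).
    ("outside", "0.0.0.0", "0.0.0.0", "24.120.122.144"),
]

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns (egress_interface, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, addr, mask, nh in ROUTES:
        n = net(addr, mask)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface, nh)
    return (best[1], best[2]) if best else (None, None)

def nat0_exempt(src, dst):
    """True if the flow matches a permit line of the nat 0 exemption ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net(sa, sm) and d in net(da, dm) for sa, sm, da, dm in NAT0_ACL)

def classify(src, dst):
    """Route the flow and flag hairpinned (inside -> inside) flows the ACL does not exempt."""
    iface, nh = lookup_route(dst)
    exempt = nat0_exempt(src, dst)
    return {"egress": iface, "next_hop": nh, "nat0_exempt": exempt,
            "hairpin_not_exempt": iface == "inside" and not exempt}

if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 is a documentation-range address.
    for dst in ("192.168.4.2", "192.168.0.10", "192.168.0.100", "203.0.113.5"):
        print("192.168.12.10 ->", dst, classify("192.168.12.10", dst))
```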


Jouni Forss
VIP Alumni

Hi,

Are you saying that you have your Internet connection attached to the ASA5505 and you also have a separate Router, and both the ASA and the Router are connected to the same switched network on the LAN side?

And basically any traffic coming from LAN hosts will first reach ASA then jump back to the LAN to the gateway address of the Router at your site?

What is your ASA5505 license? Is it a Base License or Security Plus? You can confirm this with the "show version" command.

- Jouni

I hope I answer your question correctly, so here we go.

My provider gave me a router and a switch. On their switch I have two ports, inside (gig0/1) and outside (gig0/2), pretty much.

So I connect their gig0/1 into my layer two switch, and then connect my inside interface into the same switch. Then I connect my outside interface to their gig0/2.

Does that answer the question?

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

Hi,

Where does the router come in?

You said a Provider switch is connected to your LAN switch and your ASA is also connected to your LAN switch through its "inside" interface. You also say that the ASA is connected on its "outside" to the Provider switch?

Where exactly is the router connected? Is it connected to the Provider switch? And is the router the gateway to some other local network? Is this router different from your actual internet gateway router what the ASA uses as next hop?

I am just wondering that it might be a lot easier for the ASA now and in the future if you had the connection to the other remote networks coming through a DMZ interface on the ASA. Then you wouldn't have to route traffic back through the "inside" interface.

Though with your license this might prove to be tricky, depending on some things.

- Jouni
