
New Member

Is a reverse route needed?

User is going to place a "three leg" 5505 ASA on the site's existing LAN.

Two PCs, one in each of the firewall's DMZ and PCN networks, will use a NAT'ed IP address that is on the site's LAN.

Question is: will the site's core layer-3 device require a "reverse" route pointing both PCs, 10.10.10.10 and 10.10.10.6, back to the 5505 ASA?

thank you,

Kevin

5 REPLIES
Super Bronze

Re: Is a reverse route needed?

Hi,

I imagine you are attempting to have the DMZ and PCN hosts connect to each other using their NAT IP addresses from the 10.10.10.0/27 network?

I don't think this is possible unless you actually do the NAT between these DMZ and PCN interfaces also.

If you only configure the Static NAT from DMZ and PCN to the CORE, the ASA won't let you connect to those NAT IP addresses from behind PCN or DMZ, only from CORE.

So to my understanding PCN to DMZ needs a Static NAT configuration also.

- Jouni

New Member

Is a reverse route needed?

hi Jouni,

I have the NAT policies between DMZ and PCN hosts configured and tested. It's the remote user outside of the site who is attempting to reach the one DMZ host's IP address, 192.168.101.2, NAT'ed to 10.10.10.6, that I am concerned about.

Because the 5505 isn't separating the site's WAN connectivity, but is "hanging" off the site's internal LAN, with its DMZ PC host that needs to be accessed by remote users - how does the site's core layer-3 device know to route to the 5505's 10.10.10.6 host?

thanks, kevin 

Super Bronze

Re: Is a reverse route needed? (Accepted Solution)

Ah ok,

So we are only talking about CORE to DMZ connectivity?

Well, if the CORE has an interface in the 10.10.10.0/27 subnet and that interface (probably a VLAN interface here) is connected to the ASA, which has its NAT IP addresses and interface IP address from the same subnet 10.10.10.0/27, then the L3 switch will naturally see the network as directly connected. And since it's a directly connected network, it will use ARP to determine the MAC address on the ASA to which to send traffic destined to the NAT IP address of the DMZ server.

So the L3 switch will determine the route with its connected network/route and determine the destination MAC address with ARP.

- Jouni
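As an added illustration (not part of the thread and not Cisco code), a small Python model of the forwarding decision described above: the core does a route lookup, finds 10.10.10.0/27 directly connected, and ARPs for the NAT IP itself, which the ASA answers on behalf of its static NAT. It also covers the case a practitioner should check for: a NAT IP outside any subnet the core has connected, where a static route toward the ASA really is required. The core's VLAN name, the ASA outside address 10.10.10.2 and the MAC are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the core L3 switch's forwarding decision for a packet
# destined to one of the ASA's static-NAT addresses. The /27 and NAT IPs come
# from the thread; the core's VLAN, ASA outside IP .2 and MAC are assumed.

@dataclass
class L3Switch:
    connected: dict                                    # iface -> prefix string
    static_routes: dict = field(default_factory=dict)  # prefix string -> next hop

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes."""
        d, best = ip_address(dst), None
        routes = [(p, "connected", i) for i, p in self.connected.items()]
        routes += [(p, "static", nh) for p, nh in self.static_routes.items()]
        for prefix, kind, via in routes:
            net = ip_network(prefix)
            if d in net and (best is None or net.prefixlen > best[2]):
                best = (kind, via, net.prefixlen)
        return best[:2] if best else None

@dataclass
class ASA:
    """Outside view of the ASA: it answers ARP for its own IP and each static-NAT IP."""
    outside_ip: str
    nat_ips: list
    mac: str = "00:aa:bb:cc:dd:ee"  # constructed

    def arp_reply(self, target):
        return self.mac if target in [self.outside_ip, *self.nat_ips] else None

def reverse_route_needed(core, asa, dst):
    """Return (needs_route, explanation) for traffic from the core to dst."""
    hit = core.lookup(dst)
    if hit is None:
        return True, f"no route for {dst}: add a static route via {asa.outside_ip}"
    kind, via = hit
    if kind == "static":
        return False, f"{dst} already routed via next hop {via}"
    mac = asa.arp_reply(dst)  # connected subnet: the core ARPs for the NAT IP itself
    if mac:
        return False, f"{dst} connected on {via}; ARP answered by ASA {mac}"
    return False, f"{dst} is on {via} but nothing answers ARP; a route will not help, check the NAT"

# Thread scenario: core VLAN interface in 10.10.10.0/27, ASA outside 10.10.10.2 (assumed).
core = L3Switch(connected={"Vlan10": "10.10.10.0/27"})
asa = ASA(outside_ip="10.10.10.2", nat_ips=["10.10.10.6", "10.10.10.10"])
```

Calling `reverse_route_needed(core, asa, "10.10.10.6")` returns `(False, ...)` for the thread's setup; only a NAT pool outside the core's connected subnets flips it to `True`.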

New Member

Is a reverse route needed?

Jouni,

Good deal, thanks for the quick replies.

Kevin
