When no nat, how come it does not route?

3moloz123
Level 1

Hi,

Trying to get my ASA 5505 to route between outside, DMZ and inside without using NAT, as all networks are internal. With NAT it works perfectly, but when removing the NAT rule of inside, the inside network can't reach the internet (nor the /24 on the outside interface).

Outside: DHCP (on 10.10.10.0/24)
Dmz: 10.90.90.1/24
Inside: 192.168.0.0/24

When I configure "no nat (inside) 1 0.0.0.0 0.0.0.0", all outbound connection attempts time out. All I see in the ASDM log is:
6|Sep 07 2010|11:22:46|302013|100.112.31.20|192.168.0.2|Built outbound TCP connection 527 for outside:100.112.31.20/80 (100.112.31.20/80) to inside:192.168.0.2/2710 (192.168.0.2/2710)
3|Sep 07 2010|11:22:46|106100|192.168.0.2|100.112.31.20|access-list outside_access_out permitted tcp inside/192.168.0.2(2710) -> outside/100.112.31.20(80) hit-cnt 1 first hit [0x3bdfb084, 0x0]
6|Sep 07 2010|11:22:42|302014|100.112.31.20|192.168.0.2|Teardown TCP connection 524 for outside:100.112.31.20/80 to inside:192.168.0.2/2709 duration 0:00:30 bytes 0 SYN Timeout

7 Replies

Jennifer Halim
Cisco Employee

You would need to configure NAT exemption for the traffic between the inside interface, the DMZ and the outside on which you do not want to perform NAT.

From the current configuration, your inside network can access the DMZ and the VPN IP pool without being NATed, and to access the outside subnet that has a private IP range, you would need to add the following ACL:

access-list inside_nat0_outbound extended permit ip any

Removing "nat (inside) 1 0.0.0.0 0.0.0.0" will stop traffic towards the Internet, as traffic needs to be NATed/PATed when going to the Internet for it to be routable.

Hope that helps.

3moloz123
Level 1

Hi,

The reason for not NATing traffic to the internet is that another firewall lies in front of the ASA. That other firewall does NAT, and hence I will need no NAT whatsoever, just routes. Isn't this right?

(That other firewall is the default GW of the ASA too.)

Yes, if the other firewall is performing the NAT, then you would need to make sure that you have routes for each of the internal networks pointing back towards the internal ASA outside interface ip address. Otherwise, the external ASA would not know how to route back towards the internal subnets. The reason why it works when you NAT the traffic to the internal ASA outside interface IP is because the internal ASA outside interface would be in the same subnet as the external ASA inside interface, hence, no routing is required.

Hope that makes sense.

If I understand you correctly, the ASA has no problem routing between the LAN hosts and the hosts on the internet and on the 10.10.10.0/24 network.

Rather, the problem lies in the reply, i.e. neither the other firewall nor the hosts in 10.10.10.0/24 know how to answer back to the internal IPs of the ASA's LAN.

If I understood you correctly, all I need is a static route on the primary (non-ASA) firewall. Sorry for the Linux syntax, but something like:

for each of the ASA's internal networks, do:

ip route add $internal_net_of_asa via $outside_address_of_asa

Yes, you are absolutely correct.
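The return-path problem settled above, as an added example that is not part of the original thread: a small Python model of the upstream firewall's routing table showing why un-NATed inside traffic gets the "SYN Timeout ... bytes 0" teardown from the log until one static route per internal network points back at the ASA's outside address. The ASA outside address 10.10.10.50 and the upstream next hops 10.10.10.1 and 203.0.113.1 are assumptions; the prefixes come from the thread.

```python
import ipaddress

# Constructed topology from the thread: inside 192.168.0.0/24 and DMZ 10.90.90.0/24
# sit behind the ASA; its outside interface is on 10.10.10.0/24, which is also the
# inside subnet of the upstream firewall that NATs to the Internet.
# 10.10.10.50 (ASA outside) and 203.0.113.1 (ISP next hop) are assumed values.
ASA_INTERNAL_NETS = ["192.168.0.0/24", "10.90.90.0/24"]
ASA_OUTSIDE_IP = "10.10.10.50"
UPSTREAM_BASE_ROUTES = [
    ("10.10.10.0/24", None),       # connected: upstream firewall's inside interface
    ("0.0.0.0/0", "203.0.113.1"),  # default route towards the ISP
]


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs.
    A connected route (next_hop None) delivers directly, so the hop is dst itself."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        return None
    return best[1] if best[1] is not None else dst


def reply_reaches_asa(reply_dst, static_routes=()):
    """True when the upstream firewall hands a packet for reply_dst to the ASA.
    Anything else (ISP default route, no route) means the SYN/ACK never comes
    back, which is the 'SYN Timeout' teardown with 0 bytes in the ASDM log."""
    return next_hop(UPSTREAM_BASE_ROUTES + list(static_routes), reply_dst) == ASA_OUTSIDE_IP


def needed_static_routes():
    """One return route per ASA-internal network, next hop = ASA outside address."""
    return [(net, ASA_OUTSIDE_IP) for net in ASA_INTERNAL_NETS]


def route_commands():
    """Equivalent Linux commands, in case the upstream box is a Linux firewall."""
    return [f"ip route add {net} via {hop}" for net, hop in needed_static_routes()]


if __name__ == "__main__":
    print("NAT to ASA outside, no static routes:", reply_reaches_asa(ASA_OUTSIDE_IP))
    print("no NAT, no static routes:            ", reply_reaches_asa("192.168.0.2"))
    print("no NAT, static routes added:         ",
          reply_reaches_asa("192.168.0.2", needed_static_routes()))
    print("\n".join(route_commands()))
```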

I'm really sorry, but somehow I screwed up the NAT config. I am comparing it to the old one I had posted earlier, and now it does not work.

The reason I need it is that we'd like to change the setup.

Can you spot anything obvious?

Yes, this line should not be in the config:

nat (outside) 1 10.80.80.0 255.255.255.0

Please remove it, and "clear xlate".

And also, the access-list inside_nat0_outbound has not included the external private subnet yet.
