How to configure router in front of firewall

Woo Choi
Level 1

We are putting a Cisco 2611 in front of an ASA 5510 to accept a DS3 circuit. After circuit activation, the 2611 can get out to the Internet, but neither internal users nor the ASA can access the Internet.

The design is as follows:

Internal user <-> ASA e0/1

ASA e0/0 <-> 2611 gi0/0

2611 s1/0 <-> Internet. 

Internal user - ASA - 2611 - Internet

I'm not sure if I require additional NAT on 2611.  Can someone please provide help on troubleshooting this?

The ASA has the following config:

int e0/0
 desc to 2611
 nameif ISP
 security-level 0
 ip address 10.10.10.2 255.255.255.252
!
int e0/1
 desc to internal
 nameif internal
 security-level 50
 ip address 192.168.1.0 255.255.255.0
!
global (ISP) 1 interface
nat (internal) 1 192.168.1.0 255.255.255.0
route ISP 0.0.0.0 0.0.0.0 10.10.10.1
!

The 2611 has the following config:

int gi0/0
 desc to ASA
 ip address 10.10.10.1 255.255.255.252
!
int s1/0
 desc to Internet
 ip address x.x.x.x x.x.x.x
!

Thank you,


4 Replies

John Blakley
VIP Alumni

Do you have a block of addresses? Generally, the provider will give you a block to put on the WAN side, and the other block that you've paid for will go on the LAN side. The ASA e0/0 will be configured with another public address and you can nat to it.

If not, there are a couple of things you could do. You could nat the complete 10.10.10.0/30 to the internet on the router which means now you're double natting.

Or you could not nat on the ASA and nat only on the router, but I'm not sure how many nat statements you have on the ASA to advise if this would even be a feasible option.

If you're thinking of the first option, it would look like:

192.168.1.0 ---> natted to 10.10.10.2 ---> 2611 nats 10.10.10.0/30 ---> WAN IP

The second option would look like:

192.168.1.0 ---> 10.10.10.2 ---> 2611 nats 192.168.1.0/24 ---> WAN IP

The first one has to nat the 10.x.x.x subnet because the ASA is natting the 192.x.x.x to a 10.10.10.2. The second one only needs to nat the 192.168.1.0/24 at the router because the 10.10.10.0/30 is directly connected. You'd also need a static route on the 2611 pointing 192.168.1.0 to 10.10.10.2.

HTH,
John

*** Please rate all useful posts ***


Thank you John,

The ISP only provided a /30 block, so we won't be able to do the second option you suggested. I configured NAT on the 2611 as follows:

int gi 0/0
 desc to ASA
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
!
int s1/0
 desc to Internet
 ip address 2.2.2.2 255.255.255.252
 ip nat outside
!
ip nat inside source static 10.10.10.1 2.2.2.1 //2.2.2.1 being ISP
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 192.168.1.0 255.255.255.0 10.10.10.2
!

ASA

int e0/0
 desc to 2611
 nameif ISP
 security-level 0
 ip address 10.10.10.2 255.255.255.252
!
int e0/1
 desc to internal
 nameif internal
 security-level 50
 ip address 192.168.1.0 255.255.255.0
!
global (ISP) 1 interface
nat (internal) 1 192.168.1.0 255.255.255.0
route ISP 0.0.0.0 0.0.0.0 10.10.10.1

Would this work?

Thank you,

Woo

You won't need the static route to 192.168.1.0 on the router if you're natting from the ASA as 10.10.10.2 for all of your outbound traffic. Do you have static nats on the ASA for other services like web server, ftp, etc?

The other thing that I noticed was your nat line on the router looks incorrect:

ip nat inside source static 10.10.10.1 2.2.2.1 //2.2.2.1 being ISP

You're going to have to nat the 10.10.10.2 if you're only wanting to support that, which is the ASA.

I would just set 10.10.10.0/30 as a whole:

access-list 100 permit ip 10.10.10.0 0.0.0.3 any

ip nat inside source list 100 interface s1/0 overload

HTH,
John

*** Please rate all useful posts ***

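John's two replies above pin down where translation has to happen in this design: once the ASA PATs 192.168.1.0/24 behind 10.10.10.2, every packet the router receives from the ASA side carries source 10.10.10.2, so a router NAT rule written for 10.10.10.1 never matches it, while the 10.10.10.0 0.0.0.3 wildcard ACL does. The Python script below is an added example that models that outbound path; it is not from this thread and not Cisco code. The Packet structure, the port numbers, the destination 203.0.113.10 and all function names are constructed for the illustration, and the translation logic is a deliberate simplification of what IOS and the ASA really do (no port pools, no protocol handling).

```python
"""Model of the double-NAT path discussed in the thread (added example).

Addresses are the thread's own: LAN 192.168.1.0/24, ASA outside 10.10.10.2,
router gi0/0 10.10.10.1, router s1/0 2.2.2.2, ISP next hop 2.2.2.1.
Everything else (Packet, ports, function names) is constructed here.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int


# ---- ASA side: "nat (internal) 1 192.168.1.0 255.255.255.0" + "global (ISP) 1 interface"
ASA_INSIDE = ipaddress.ip_network("192.168.1.0/24")
ASA_OUTSIDE_IP = "10.10.10.2"


def asa_pat(pkt: Packet, next_port: int = 1024) -> Packet:
    """PAT internal hosts to the ASA's ISP-facing interface address."""
    if ipaddress.ip_address(pkt.src) in ASA_INSIDE:
        return replace(pkt, src=ASA_OUTSIDE_IP, sport=next_port)
    return pkt


# ---- Router side: wildcard-mask ACL used by "ip nat inside source list 100 ..."
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


# access-list 100 permit ip 10.10.10.0 0.0.0.3 any
ACL_100 = [("10.10.10.0", "0.0.0.3")]
ROUTER_WAN_IP = "2.2.2.2"  # interface s1/0


def router_nat_overload(pkt: Packet, acl, wan_ip: str = ROUTER_WAN_IP,
                        next_port: int = 2048) -> Packet:
    """'ip nat inside source list <acl> interface s1/0 overload':
    PAT only the sources the ACL permits; everything else leaves untouched."""
    if any(wildcard_match(pkt.src, base, wc) for base, wc in acl):
        return replace(pkt, src=wan_ip, sport=next_port)
    return pkt


def router_nat_static(pkt: Packet, inside_local: str, inside_global: str) -> Packet:
    """One-to-one 'ip nat inside source static <local> <global>' as first posted."""
    if pkt.src == inside_local:
        return replace(pkt, src=inside_global)
    return pkt


def outbound_path_accepted(pkt: Packet) -> Packet:
    """Option 1 in the thread: ASA PATs the LAN to 10.10.10.2,
    router PATs 10.10.10.0/30 to the WAN address."""
    return router_nat_overload(asa_pat(pkt), ACL_100)


def outbound_path_as_posted(pkt: Packet) -> Packet:
    """The originally posted router line 'ip nat inside source static 10.10.10.1 2.2.2.1'."""
    return router_nat_static(asa_pat(pkt), "10.10.10.1", "2.2.2.1")


def leaves_with_public_source(pkt: Packet) -> bool:
    """A packet can only be answered if it leaves with a globally routable source."""
    return not ipaddress.ip_address(pkt.src).is_private


if __name__ == "__main__":
    # Constructed sample flow: a LAN host talking to a documentation-range address.
    p = Packet(src="192.168.1.50", dst="203.0.113.10", sport=51000)
    for name, fn in (("accepted design", outbound_path_accepted),
                     ("as first posted", outbound_path_as_posted)):
        out = fn(p)
        print(f"{name:16}: src={out.src:12} answerable={leaves_with_public_source(out)}")
```

Running it shows the source address the Internet would see under each variant: with the /30 overload rule the flow leaves as 2.2.2.2, whereas with the static entry for 10.10.10.1 the ASA's packets leave unchanged as 10.10.10.2, which nothing on the Internet can route back to. That is the symptom the opening post describes, and the reason the ACL has to cover 10.10.10.2 rather than the router's own address.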

Sorry, I am a bit confused - you mentioned that I won't require NAT on the router since ASA already has NAT configured, but then you also mentioned that I need to correct ip nat statement on the router.

I am assuming that I should remove "ip nat inside" and "ip nat outside" from the interface configuration, and add the following config only?

access-list 100 permit ip 10.10.10.0 0.0.0.3 any

ip nat inside source list 100 interface s1/0 overload

Thank you,

Woo
