New Member

NAT - Router and ASA setup

I'm a little confused on how to set up NAT and where. My router has an IP of 1.1.1.1. My public IP range is 1.1.1.1 to 1.1.1.6 of usable IPs. At the current moment the router forwards the traffic to a hub and from there it goes into a device that is assigned one of my usable IPs.

I bought an ASA5505 and the scheme changes. I can either take one of my IPs and assign it to the OUTSIDE interface of the firewall and NAT inside the firewall, or NAT inside the router as well as inside the firewall...

Which is the recommended setup, and what are the ramifications? Any other options that I am missing?

ASA interfaces:

0 -outside

1 -DMZ

2 -inside

4 -mgmt

Thank you for your help,

chris

6 REPLIES
New Member

Re: NAT - Router and ASA setup

You can set up NAT on either one; it wouldn't really matter and it would still work. I would suggest configuring NAT on your ASA if you have the public IP addresses to spare on assigning them to the routing interfaces. Just have the router route and it will be less of a headache for you later on in the future. hth.

New Member

Re: NAT - Router and ASA setup

Thanks, that was helpful.

So if my router's e0 IP is 1.1.1.1 then I can make the ASA's OUTSIDE int 1.1.1.2. How will the router know to forward traffic destined for 1.1.1.5 to the ASA Outside interface?

New Member

Re: NAT - Router and ASA setup

Is 1.1.1.5 the IP that you will use for NAT?

New Member

Re: NAT - Router and ASA setup

1.1.1.5 is the webserver (accessible from Internet). I will use 192.168.2.2 as the NATted address.

1.1.1.1 is the entry point to my network

1.1.1.2 is the Outside int on ASA

192.168.2.1 is the DMZ int on ASA (where webserver is hooked up)

I assigned a static(outside,dmz) 192.168.2.2 1.1.1.5 netmask 255.255.255.255 and static(dmz,static) 1.1.1.5 192.168.2.2 netmask 255.255.255.255

I changed the webserver TCP/IP to 192.168.2.2/255.255.255.0/gate 192.168.2.1

but my setup does not work.

New Member

Re: NAT - Router and ASA setup

You have to add an ACL to the outside interface to permit the traffic to enter the interface and then be NAT'd.

http://www.cisco.com/warp/public/556/5.html

New Member

Re: NAT - Router and ASA setup

So I tried using ACLs, statics, and PAT to get this to work; none seem to work.

When I try to ping 66.999.999.62 from the router it succeeds.

When I try to ping 66.999.999.58 (web server) from the router it fails.

It's like the router does not know that 66.999.999.58 is behind the 66.999.999.62 ASA OUTSIDE interface...!!!

Do I need to change the router config to make it aware that 66.999.999.62 (web server) is behind the ASA?
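Added example, not posted by anyone in this thread: the static NAT and outside ACL discussed above, written for the 1.1.1.x addressing and the outside/dmz interfaces given earlier in the thread. It assumes pre-8.3 ASA software (the `static` syntax the poster used); the ACL name OUTSIDE_IN and TCP port 80 are assumptions.

```cisco
! Added example; addresses and interface names (outside, dmz) are the thread's.
! Assumes pre-8.3 ASA software, where static NAT is written as
!   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! The ACL name OUTSIDE_IN and the web port (TCP 80) are assumptions.

! As posted in the thread: the first line reverses the interface pair and the
! addresses, and the second names "static" where an interface is expected.
!   static(outside,dmz) 192.168.2.2 1.1.1.5 netmask 255.255.255.255
!   static(dmz,static) 1.1.1.5 192.168.2.2 netmask 255.255.255.255

! One translation covers both directions: the real host 192.168.2.2 on dmz
! is presented as 1.1.1.5 on outside.
static (dmz,outside) 1.1.1.5 192.168.2.2 netmask 255.255.255.255

! Traffic arriving on the lower-security outside interface needs an explicit
! permit. In pre-8.3 software the ACL matches the mapped (public) address.
! Permit only the published service, not "ip any".
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.5 eq www
access-group OUTSIDE_IN in interface outside

! Checks on the ASA: the translation should be listed, and the ACL hit
! counter should increase when a client connects to 1.1.1.5 on port 80.
show xlate
show access-list OUTSIDE_IN
```

Because 1.1.1.5 sits in the same public subnet as the ASA's outside interface (1.1.1.2), the ASA answers the router's ARP requests for 1.1.1.5 once the static is in place, unless proxy ARP has been disabled, so the router needs no extra route. The ACL above permits only TCP 80, so a ping from the router to 1.1.1.5 will still fail with this configuration.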
