New Member

Router & ASA connected with Private IP for Internet Access

Hi,

Internet link is terminated into router with public ip.

Router & firewall connected with private ip.

DMZ is having 2 ip segments that are being accessed from inside & outside zone.

LAN zone: 10.0.0.0

WAN: 212.x.y.z

DMZ1: 172.16.1.0

DMZ2: 172.16.2.0

Can someone help me with config script of both router & firewall

29 REPLIES

Re: Router & ASA connected with Private IP for Internet Access

----<>-----<>==={internet}

------|

On the router suppose you have

S0/0 - 212.x.y.z - Internet

f0/0 - 20.0.0.2/24 - Inside connecting to ASA outside interface

then configure this way on the router -

int s0/0

ip add 212.x.y.z

ip nat outside

int f0/0

ip add 20.0.0.2 255.255.255.0

ip nat outside

access-list 10 permit 172.16.1.0 0.0.0.255

access-list 10 permit 172.16.2.0 0.0.0.255

access-list 10 permit 10.0.0.0 0.0.0.255

ip nat inside source list 10 interface serial 0 overload

-- Also add routes for 172.16.1.0 and 172.16.2.0 on the router, pointing towards ASA outside interface IP.

Now on the ASA, configure the interfaces and then add default route pointing towards the router f0/0 IP (20.0.0.2)

route outside 0 0 20.0.0.2.

Hope this helps.

New Member

Re: Router & ASA connected with Private IP for Internet Access

I think int f/0--> ip nat inside..is this right??

i do have another thought in my mind:

suppose all natting is being taken care by pix, whether only a default route towards isp & static routes pointing inward towards dmz zone will work!!!

Re: Router & ASA connected with Private IP for Internet Access

int f/0--> ip nat inside

yes this is correct because you are going to nat all inside subnets behind f0/0.

New Member

Re: Router & ASA connected with Private IP for Internet Access

i also have a query: in that case whether no natting is required into the firewall?

Re: Router & ASA connected with Private IP for Internet Access

Natting is not reqd on the firewall as it will be taken care of by the router.

New Member

Re: Router & ASA connected with Private IP for Internet Access

all natting is already been taken care by asa as it is running. router will be installed now so i don't want to change asa configuration.

can this be done!!!

New Member

Re: Router & ASA connected with Private IP for Internet Access

NAT for internet access is done on the router. If you want to hide the DMZ ip add, in this case NAT is done on the ASA

New Member

Re: Router & ASA connected with Private IP for Internet Access

Hi,

I want to have internet link terminated into router & dmz server zone at pix. as pix is already running so don't want to change the config of the same.

Can someone help me with the config!!

Re: Router & ASA connected with Private IP for Internet Access

ok make PATing over your public ip on the router for all your internal networks

like

access-list 100 permit ip any any

route-map pating permit 10

match ip address 100

ip nat inside source route-map pating interface (ur outside interface)

then on ur inside router interface

ip nat inside

and on the outside interface

ip nat outside

regarding that you have the proper ACLs,NATing and default route on your PIX

also you should have the right default route configured on your router

good luck

please, Rate if helpful

New Member

Re: Router & ASA connected with Private IP for Internet Access

In PIX i configured the default route towards router inside interface & inside routes towards my lan segment.

Did:

global (outside) 1 interface outside

global (intf2) 1 172.16.1.0 ---> intf2: dmz1

global (intf3) 1 172.16.2.0 ---> intf3: dmz2

nat (inside) 1 10.0.0.0

=============================================

Router:

access-list 100 permit ip any any

route-map pating permit 10

match ip address 100

ip nat inside source route-map pating interface fe0/1

int fe0/0

ip nat inside

int fe0/1

ip nat outside

ip route 0.0.0.0 0.0.0.0 fe0/1

please check if it is ok. then i will try & update you.

Re: Router & ASA connected with Private IP for Internet Access

what i suggest you to do is remove the above nating

and make static nat on your pix for the whole subnet i mean you give exposure to the whole inside and dmz subnet to the router and on the router do the NATING as i told you

do the following on the PIx

static(inside, outside) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

the above command does not actually translate inside addresses so that the router can communicate and see the 10.0.0.0 directly

by the way i assumed that the subnet mask is 255.255.255.0 put it as you have it in your network

then do the same for the dmz network

static(intf2,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

static(intf3,outside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0

again put the subnet mask as you have in your network

and then do the PATING as i told you in the previous post

ROUTER:

access-list 100 permit ip any any

route-map pating permit 10

match ip address 100

ip nat inside source route-map pating interface (ur outside interface) overload

(dont forget the overload)

then on ur inside router interface

ip nat inside

and on the outside interface

ip nat outside

it should work

and use your ACLs to control what allowed from outside to inside or dmz

by the way

you can use the same concept between the inside and the dmz

good luck

please, Rate if helpful

Re: Router & ASA connected with Private IP for Internet Access

by the way

when you gonna do the configuration i have mentioned on ur PIX

dont forget to remove all the nat config that u have first then do the config i told u about it

about the router

try to put the word overload after the

ip nat inside source route-map pating interface fe0/1 overload

also what kind of connection with internet u have ?

ADSL or what ?

New Member

Re: Router & ASA connected with Private IP for Internet Access

Hi,

I tried as per ur config but not working. Please find the config & try to help me out in this.

=============================================

!

access-list 100 permit ip any any

!

route-map pating permit 10

match ip address 100

!

ip nat inside source route-map pating interface f0/0 overload

!

interface FastEthernet0/1

ip address 192.168.10.2 255.255.255.252

ip nat inside

!

interface FastEthernet0/0

ip address 116.x.x.x/28

ip nat outside

!

ip route 0.0.0.0 0.0.0.0 116.x.x.y

=============================================

route outside 0.0.0.0 0.0.0.0 192.168.10.2

route inside 10.0.0.0 255.0.0.0 10.20.10.6

access-list 110 extended permit icmp any any

access-list 110 extended permit ip any any

access-list 110 extended permit tcp any any

access-group 110 in interface inside

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

=============================================

Plz suggest

Re: Router & ASA connected with Private IP for Internet Access

what is the problem with that config

u mean u cant go from the firewall to the outside??

by the way is the network 10.0.0.0 connected directly to ur inside firewall interface?

what is this command????

route inside 10.0.0.0 255.0.0.0 10.20.10.6

please describe it

i think here we have a leak

ok

New Member

Re: Router & ASA connected with Private IP for Internet Access

With this config, from router i can ping any public ip but from firewall pinging outside ip is not happening. From firewall inside ip & vlan is pinging.

=========================================

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.20.10.21 255.255.0.0

route inside 10.0.0.0 255.0.0.0 10.20.10.6 (10.20.10.6--> inside vlan interface ip )

Re: Router & ASA connected with Private IP for Internet Access

CHANGE the interface SUBNET MASK MUST BE

(255.0.0.0)

first u dont need this command

route inside 10.0.0.0 255.0.0.0 10.20.10.6

and if u pinging from inside to the router outside

then the config i have sent u is working!!

and for ur knowledge

in ASA firewall u cant ping an interface from another interface

please, if helpful rate

Re: Router & ASA connected with Private IP for Internet Access

did u get it work?

dont forget the interface subnet mask should be 255.0.0.0

also all ur hosts in that inside network

should be in subnet 255.0.0.0

as we configured the nating with 255.0.0.0

and let me know

good luck

New Member

Re: Router & ASA connected with Private IP for Internet Access

my inside network is not /8, i have /24,/25 etc. what u suggest in that case!!

Re: Router & ASA connected with Private IP for Internet Access

can u send simple diagram with current config please

to save the time

New Member

Re: Router & ASA connected with Private IP for Internet Access

Please find the attachment for asa config..router config u already have.

There are approx 210 no. of vlans into dist switches (4507R) which are connected with 6513.

ASA is connected directly with Core switch.

In core vlan 900

ip address : 10.20.10.6/16

asa is connected to this vlan.

Re: Router & ASA connected with Private IP for Internet Access

ok then keep ur config as it is

and do the static nat as i told u before

also

enable icmp inspection for ping:

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

exit

also do the following to let the firewall do ping itself

permit icmp any interface outside echo

permit icmp any interface outside echo-reply

by the way the config u sent me without any nating configured?

so sure when u do show xlate will give u 0

and one more question when u done my config have u get ur inside network working normally i mean can go out the router and ping ?

check u r network behind the switch if it has the right config and right default gateways configured

and let me know

it should work just do it carefully and step by step

good luck

New Member

Re: Router & ASA connected with Private IP for Internet Access

Hi,

My LAN is working fine. I can ping asa inside interface, i am not able to ping asa outside or router lan interface.

Re: Router & ASA connected with Private IP for Internet Access

do u have route to ur inside network on ur router?

i mean for 10.0.0.0/8?

u need to have on ur router something like:

ip route 10.0.0.0 255.0.0.0 [asa outside ip]

also for icmp

have u done on ur asa:

permit icmp any inside echo

permit icmp any outside echo

and i told u cant ping the asa outside interface from inside or dmz

in other words u cant ping any asa interface from other interface

just u need to get the ping to the router

please after u finish all the config post them to me if didnt work

with full config

New Member

Re: Router & ASA connected with Private IP for Internet Access

i will do this & let you know. By the way..thank u very much for your help.

Re: Router & ASA connected with Private IP for Internet Access

u welcome

and good luck

please, rate the helpful post

New Member

Re: Router & ASA connected with Private IP for Internet Access

It's working..thanx a lot.

but access is happening only from 10.20.x.x/16. i did this into asa:

static(inside, outside) 10.0.0.0 10.0.0.0 netmask 255.255.0.0.

My asa inside interface ip: 10.20.10.21 /16.

But i have number of vlans in the range /24,/25,/26 etc with 10.145.x.x series in LAN. from such addresses internet is not happening.

your suggestion on this any !!!

Re: Router & ASA connected with Private IP for Internet Access

do u have the right vlan and default gateways configured

also route

now it is routing problem

first check the default gateway configuration and make sure they can ping the asa

also make sure u have the route configured through the inside interface on the ASA

please, rate the helpful post

and good luck

New Member

Re: Router & ASA connected with Private IP for Internet Access

Hi,

I tried to do this but not happening.

From user side i can ping the asa inside interface. In my switch default route 0.0.0.0 0.0.0.0 10.20.10.X (asa inside ip) is given.

In switch vlan 900 is created & asa inside is assigned an ip from that segment.

Internet access is happening from only vlan 900..from other vlan i can't access internet.

plz suggest.

New Member

Re: Router & ASA connected with Private IP for Internet Access

Hi,

I am sorry to say that internet is not happening from any of the vlan's.

I have connected my pc directly with the asa inside interface having the pc g/w as inside interface still not happening.

plz help
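
Added example, not part of any post in this thread: a small Python check of which address/mask statements quoted above actually contain a given inside host, since the thread mixes /8, /16 and /24 masks on the same 10.0.0.0 base. The dictionary keys and the three sample hosts are constructed for illustration; the check is mask arithmetic only and says nothing about how a particular PIX/ASA release treats traffic that matches no statement.

```python
import ipaddress

def from_mask(addr, mask):
    """Network from an address plus subnet mask ('route', 'static', 'ip address' lines)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def from_wildcard(addr, wildcard):
    """Network from an address plus IOS ACL wildcard (inverted subnet mask).
    A non-contiguous wildcard raises ValueError."""
    inverted = int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF
    return from_mask(addr, ipaddress.ip_address(inverted))

# Statements as quoted in the thread; the key names are labels made up for this example.
STATEMENTS = {
    # access-list 10 permit 10.0.0.0 0.0.0.255
    "router_acl_10": from_wildcard("10.0.0.0", "0.0.0.255"),
    # ip route 10.0.0.0 255.0.0.0 [asa outside ip]
    "router_return_route": from_mask("10.0.0.0", "255.0.0.0"),
    # route inside 10.0.0.0 255.0.0.0 10.20.10.6
    "asa_inside_route": from_mask("10.0.0.0", "255.0.0.0"),
    # interface inside: ip address 10.20.10.21 255.255.0.0
    "asa_inside_if": from_mask("10.20.10.21", "255.255.0.0"),
    # static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.255.0.0
    "asa_static": from_mask("10.0.0.0", "255.255.0.0"),
}

def matching(host):
    """Labels of every statement whose network contains the host address."""
    ip = ipaddress.ip_address(host)
    return [name for name, net in STATEMENTS.items() if ip in net]

def unmatched(host):
    """Labels of every statement that does NOT cover the host address."""
    hit = set(matching(host))
    return [name for name in STATEMENTS if name not in hit]

if __name__ == "__main__":
    # Constructed sample hosts: one in VLAN 900, one in the 10.145.x.x range,
    # one inside 10.0.0.0/24.
    for host in ("10.20.10.50", "10.145.3.10", "10.0.0.25"):
        print(host)
        print("  covered by    :", ", ".join(matching(host)) or "-")
        print("  not covered by:", ", ".join(unmatched(host)) or "-")
```
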
