Router w/NAT behind NAT'd firewall

I have an ASA5505 with an inside network of 192.168.100.0/24 that is of course NAT. On this network I added a 1721 IOS router with 4 port switchcard that has 2 new internal networks (10.10.7.0/24 and 192.168.101.0/24). The 1721 router's outside interface IP is 192.168.100.3. I originally set this up with no NAT. The router was routing fine between LANs, but there is a problem with the inside networks for the 1721 reaching the internet.

So I thought the best solution at the time was to use NAT for the 10.10.7.0/24 and 192.168.101.0/24, then apply a No-NAT policy to the 1721 so that I could reach the 192.168.100.0/24 and vice versa without NAT. So I tried to apply what had worked for me before doing a VPN from IOS router to ASA. I tried to disable NAT for specified networks.

However, this is not working, or at least not the way I want. So far I can disable NAT on the 1721 and access the other internal LANs we have, but not the internet. Or I enable NAT and can access the internet from devices on the inside networks, but then devices on the 192.168.100.0/24 cannot access 10.10.7.0/24... unless I create a static NAT entry. The problem is I have one available IP address to use on the 192.168.100.0/24, and that is already assigned to the outside interface of the 1721.

I have not considered how I could get devices on the 10.10.7.0/24 network to go out the 1721 and reach the internet using the ASA's NAT policy. It's late, I'm tired, and I'm sure I am missing something here. But for the life of me I just cannot figure out how to get this working.

BTW, without NAT on the 1721, shouldn't packets leave the outside interface of the 1721 (192.168.100.3) and get NAT'd from the ASA?

Here is the current config on the 1721. Right now I can access the internet from the 10.10.7.220 server, but I cannot access this server from the outside network of 192.168.100.0.

version 12.4
!
interface FastEthernet0
 ip address 192.168.100.3 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed auto
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 3
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 switchport access vlan 3
!
interface Vlan1
 no ip address
!
interface Vlan2
 description FW_INSIDE$
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description FW_INSIDE$
 ip address 10.10.7.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 description FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 192.168.100.1 permanent
!
ip nat pool 103 192.168.1.0 192.168.1.254 netmask 255.255.255.0
ip nat pool 101 192.168.101.1 192.168.101.254 netmask 255.255.255.0
ip nat pool 102 10.10.7.1 10.10.7.254 netmask 255.255.255.0
ip nat inside source route-map NONAT interface FastEthernet0 overload
!
access-list 90 permit any
access-list 120 permit ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 permit ip 192.168.101.0 0.0.0.255 10.10.6.0 0.0.0.255
access-list 120 permit ip 192.168.101.0 0.0.0.255 10.10.15.0 0.0.0.255
access-list 120 permit ip 192.168.101.0 0.0.0.255 10.150.0.0 0.0.255.255
access-list 120 permit ip 10.10.7.0 0.0.0.255 10.10.6.0 0.0.0.255
access-list 120 permit ip 10.10.7.0 0.0.0.255 10.10.15.0 0.0.0.255
access-list 120 permit ip 10.10.7.0 0.0.0.255 10.150.0.0 0.0.255.255
access-list 120 permit ip 10.10.7.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 permit ip 10.10.7.0 0.0.0.255 any
access-list 130 permit ip 192.168.101.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 deny   ip 10.10.7.0 0.0.0.255 10.10.6.0 0.0.0.255
access-list 130 deny   ip 10.10.7.0 0.0.0.255 10.10.15.0 0.0.0.255
access-list 130 deny   ip 10.10.7.0 0.0.0.255 10.150.0.0 0.0.255.255
access-list 130 deny   ip 10.10.7.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 deny   ip 192.168.101.0 0.0.0.255 10.10.6.0 0.0.0.255
access-list 130 deny   ip 192.168.101.0 0.0.0.255 10.10.15.0 0.0.0.255
access-list 130 deny   ip 192.168.101.0 0.0.0.255 10.150.0.0 0.0.255.255
access-list 130 deny   ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
!
route-map NONAT permit 10
 match ip address 130
!
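The NAT behaviour described in the post comes down to how IOS evaluates the access list that the NONAT route-map references: entries are checked top-down and the first match wins, and under `ip nat inside source route-map`, an ACL permit means "translate" while an ACL deny means "leave untranslated". The following is an added example (not from the post or from Cisco) that models those two rules in Python against a copy of the posted access-list 130, reports which entries can never match because an earlier entry already covers them, and then re-evaluates the same list with the deny entries moved ahead of the permits. The sample flows (10.10.7.220 to a constructed host 192.168.100.10, and to a constructed internet address 203.0.113.10) are made up for the example; only the ACL text comes from the post. The model covers `ip`-protocol entries with contiguous wildcard masks, which is all this ACL uses.

```python
import ipaddress
from dataclasses import dataclass

# Copy of the posted access-list 130, same entries in the same order.
ACL_130 = """
access-list 130 permit ip 10.10.7.0 0.0.0.255 any
access-list 130 permit ip 192.168.101.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 deny   ip 10.10.7.0 0.0.0.255 10.10.6.0 0.0.0.255
access-list 130 deny   ip 10.10.7.0 0.0.0.255 10.10.15.0 0.0.0.255
access-list 130 deny   ip 10.10.7.0 0.0.0.255 10.150.0.0 0.0.255.255
access-list 130 deny   ip 10.10.7.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 deny   ip 192.168.101.0 0.0.0.255 10.10.6.0 0.0.0.255
access-list 130 deny   ip 192.168.101.0 0.0.0.255 10.10.15.0 0.0.0.255
access-list 130 deny   ip 192.168.101.0 0.0.0.255 10.150.0.0 0.0.255.255
access-list 130 deny   ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
"""


@dataclass
class Ace:
    line: int            # 1-based position in the list, the order IOS evaluates it
    action: str          # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard mask (inverted netmask) to a prefix length; contiguous masks only."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    plen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not modelled here")
    return plen


def _net(tokens, i):
    """Consume 'any', 'host A', or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    plen = _wildcard_to_prefixlen(tokens[i + 1])
    return ipaddress.ip_network(f"{tokens[i]}/{plen}", strict=False), i + 2


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit|deny ip SRC DST' lines into Ace objects in list order."""
    aces = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported entry: {raw}")
        src, i = _net(tokens, 4)
        dst, _ = _net(tokens, i)
        aces.append(Ace(len(aces) + 1, tokens[2], src, dst))
    return aces


def lookup(acl, src_ip, dst_ip):
    """IOS first-match evaluation: return (action, matching line); unmatched traffic hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action, ace.line
    return "deny", None


def nat_applied(acl, src_ip, dst_ip) -> bool:
    """'route-map NONAT permit 10 / match ip address 130': ACL permit => translate, ACL deny => no NAT."""
    action, _ = lookup(acl, src_ip, dst_ip)
    return action == "permit"


def shadowed(acl):
    """Entries that can never match because an earlier entry already covers their whole src and dst range."""
    hits = []
    for i, ace in enumerate(acl):
        for earlier in acl[:i]:
            if ace.src.subnet_of(earlier.src) and ace.dst.subnet_of(earlier.dst):
                hits.append((ace.line, earlier.line))
                break
    return hits


def deny_first(acl):
    """Same entries with every deny moved ahead of the permits, renumbered in the new order."""
    ordered = [a for a in acl if a.action == "deny"] + [a for a in acl if a.action == "permit"]
    return [Ace(n, a.action, a.src, a.dst) for n, a in enumerate(ordered, start=1)]


if __name__ == "__main__":
    acl = parse_acl(ACL_130)
    for line, by in shadowed(acl):
        print(f"entry {line} is never reached: entry {by} already matches everything it would")
    flows = [("10.10.7.220", "192.168.100.10"), ("10.10.7.220", "203.0.113.10")]
    for label, lst in (("as posted", acl), ("deny entries first", deny_first(acl))):
        for src, dst in flows:
            state = "translated" if nat_applied(lst, src, dst) else "not translated"
            print(f"[{label}] {src} -> {dst}: {state}")
```

Run as-is, the script reports that the eight deny entries are shadowed by the first two permits, so traffic from 10.10.7.220 to 192.168.100.10 is translated exactly like traffic to the internet; with the deny entries evaluated first, the LAN-to-LAN flow is left untranslated while the internet flow is still translated. Ordering alone does not give hosts on 192.168.100.0/24 a return path: they, or the ASA that is their default gateway, still need a route to 10.10.7.0/24 via 192.168.100.3, which this model does not cover.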
