We're trying to deploy a new ASA5505 and Cisco2811 that's behind the FW. The inside of the FW is connected to the router (assigned with a public IP of /30). The LAN range is behind the router, and is to be NAT'd on the outside interface of the FW. Is this logically possible? When I try to do a packet trace from the ASA ASDM, LAN is not able to reach the internet.
Also, from ASDM, what is the difference between the packet trace button from the Access rule window and the packet trace from the NAT rule window? Because when I added a specific dynamic NAT rule for the LAN range to the outside IP address of the FW (besides the default dynamic NAT 0.0.0.0 assigned to outside), the packet trace going to the internet is okay. But when I try the packet trace from the access rule window (allowing ip from the LAN range to any on inside_access_in), I'm getting a NAT lookup error.
Why would you honestly want to have a public IP address between the firewall inside and the router, then NAT on the firewall outside?
Your topology is incorrect - the firewall inside and the router should be configured on a private IP subnet. Have the firewall outside directly connected to the internet - have NAT performed on the firewall.
With regards to your first question, I believe this is possible in 2 ways.
1. If your ASA is running in transparent mode, this would mean that NAT would have to be done on your router.
2. If your ASA is running in routed mode you would either have to have another public IP range to assign to the outside of the ASA, or re-IP the inside of the ASA / outside of the router with another private IP range.
As for your ASDM question, I'm not too sure! I'm more a CLI person!
Thanks for your reply. The ASA is configured in routed mode. It has a different public IP assigned to the outside interface. With this, are there additional configurations that I need to note in order to allow the LAN (from behind the router) to be able to access the internet?
Ensure that the router is not doing any NAT, ensure ACLs on the firewall represent the LAN IP address range, and also ensure that the traffic is getting NATed on the firewall itself (maybe for testing, configure a static NAT).
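The three items in the reply above (no NAT on the router, an ACL that matches the LAN range, NAT of the LAN range on the ASA) plus the route the ASA needs back to the LAN, written out as an added ASA 8.3+ / IOS configuration example. This is not any poster's configuration; all addresses are placeholders chosen for illustration (ASA outside 203.0.113.2/30, the ASA-to-router /30 198.51.100.0/30, LAN 10.10.0.0/24).

```cisco
! ---------- ASA 5505 (routed mode), 8.3+ NAT syntax ----------
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface Vlan1
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.252
!
! Default route to the ISP, and a route back to the LAN via the router.
! Without the second route the ASA only knows the /30, so replies and
! packet-tracer lookups for 10.10.0.0/24 fail.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.10.0.0 255.255.255.0 198.51.100.2 1
!
! Network object NAT: PAT the LAN range itself (not just the /30)
! behind the outside interface address.
object network LAN-10.10.0.0
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inside ACL written for the LAN range; the /30 itself originates nothing.
access-list inside_access_in extended permit ip 10.10.0.0 255.255.255.0 any
access-group inside_access_in in interface inside
!
! CLI equivalent of the ASDM packet trace: a LAN host to a web server.
! Expect every phase, including the NAT phase, to show ALLOW.
packet-tracer input inside tcp 10.10.0.50 40000 192.0.2.80 80
show nat detail
show xlate

! ---------- Cisco 2811 (IOS), no NAT configured ----------
interface FastEthernet0/0
 description to ASA inside
 ip address 198.51.100.2 255.255.255.252
 no ip nat outside
interface FastEthernet0/1
 description LAN
 ip address 10.10.0.1 255.255.255.0
 no ip nat inside
! Everything not local goes to the ASA; the ASA does the translation.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

If `packet-tracer` still reports a NAT failure, check `show nat detail` for the LAN object's translate hits and confirm the router is not translating first (`show ip nat translations` on the 2811 should be empty).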