
ASA behind a router performing NAT...

Level 1


I'm not sure if this would be more suited in the R&S forums but I figure some security people must have worked on something similar....

I have an ASA sitting behind a 2800 router with 2 Internet circuits. I'm trying to NAT everything from the ASA inbound & outbound.

I can't ping from the DMZ to the inside of the router; ICMP is allowed. I can't see any denies in the logs either, yet I can see an e-mail appliance ( getting NAT'd and I know it's receiving updates:

tcp 83.x.x.69:80

I was trying to do the NAT on the ASA but I've wiped that so now there's just a address on the outside interface as well as the Inside ( and DMZ ( interfaces.


interface GigabitEthernet0/0
 description Link to Outside Interface of ASA
 ip address
 ip nat inside

interface GigabitEthernet0/1
 description Primary Circuit
 ip address 83.x.x.66
 ip nat outside

interface FastEthernet0/0/0
 description Backup Circuit
 ip address 89.x.x.159
 ip nat outside

ip route FastEthernet0/0/0
ip route GigabitEthernet0/1
ip route 83.x.x.64 GigabitEthernet0/0
ip route 89.x.x.159 GigabitEthernet0/0
ip route GigabitEthernet0/0
ip route GigabitEthernet0/0

ip nat pool NAT_INT 83.x.x.67 83.x.x.69 prefix-length 29
ip nat inside source list 11 pool NAT_INT overload

access-list 11 permit any
access-list 11 permit
access-list 11 permit
access-list 11 permit


I'm trying to figure out where things are going wrong; the packet-tracer on the ASA suggests everything is fine there, and there doesn't seem to be a whole lot going on with the NAT... maybe something on the routing...

Anybody got any ideas?!



4 Replies

Level 7

The ASA/PIX platform denies ICMP by default. The easiest way around this is to enable ICMP inspection.

Assuming you're running the default global inspection policy, enter the following:

policy-map global_policy
 class inspection_default
  inspect icmp


Besides that, what else was wrong?

For communications between networks that reside on different interfaces of the ASA, additional configuration will be required, depending on the security levels of each interface.

Yup, I enabled that for ICMP alright. I'm happy enough with how things are working on the ASA. The problem just seems to be when I try to get out past the router, so I thought there's a problem with how the statics are configured for the internal networks.

I'm stretching my understanding a bit here but if I can provide any more information please let me know.


Can you reconfigure the static route:

ip route GigabitEthernet0/0
ip route

If that doesn't help, can you share a sanitized copy of the ASA configuration?



Ok, so somehow I resolved this...

I changed the ip routes as you mentioned above but it didn't have any effect. I also changed the NAT configuration to the following:

ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source static 83.x.x.70

...this didn't seem to have any effect either.

I gave the redundant circuit a higher metric and messed about with the DNS servers and then things started working...

Not sure what happened but it works now so it'll do!

Thanks for your input guys,

