Solved: ASA NAT Problem

Andres Franco · ‎04-24-2011

Hello community!

I have the following scenario:

ISP 1 ======== Router ========== ASA ========= INSIDE NETWORK

|| ||

ISP 2 DMZ

There is only one ASA outside interface.
The Router is doing PBR so traffic coming from the Inside goes to ISP1 and the rest of the traffic (DMZ) goes to ISP2.
I have to public subnets (x/y), one is used to nat Inside network and the other to nat DMZ.
The ASA outside interface has an IP address from public subnet x. The routerbit has interfaces with IP addresses from both public subnets x and y.

I tested this scenario in a lab enviroment simulating an outside network on the router to check if ASA was doing NAT properly for both public subnets and it worked. The router had a default route pointing to the ASA an i was able to access services in Inside and DMZ networks. The problem is that when i tried this scenario in the real environment (the Router with route maps for PBR and the default-route pointing to ISPs) i could access services through only one of the public subnets from the Internet but not both. I think traffic knows how to go out but when coming from the Internet the router doesnt know what to do with it from the subnet that is not common between the Router and ASA. How can i fix this without using another interface of the ASA?? Any Idea? Thanks in advance.

AF.

Roman Rodichev · ‎04-24-2011

There should be no problem for your router to route return traffic for subnet Y to the ASA using a next-hop from subnet X. Did you configure a static route on the router for subnet Y to point to the ASA's outside IP?

View solution in original post

Roman Rodichev · ‎04-24-2011

There should be no problem for your router to route return traffic for subnet Y to the ASA using a next-hop from subnet X. Did you configure a static route on the router for subnet Y to point to the ASA's outside IP?

Andres Franco · ‎04-26-2011

Hey Roman! how are you doing?

Thanks for your reply. I did try with the static route pointing to the ASA but it didn´t work. Is it possibly to create subinterfaces on the ASA and then create a trunk between the ASA and the Router with the 2 subnets?. I don´t know why i didn´t worked that time, i also thought that the static route could be a solution. I couldn´t do much because i had a litle window to test changes in the real enviroment. Any recommendation?. Thanks again.

AF.

mkhraisa · ‎04-26-2011

Hi Andre,

Would it be possible if you assign example IPs and masks to your diagram to understand better.. I cant seem to undestand who has which IPs.. How exactly are you natting and on which device?? Where is the ISPs router and how is it connected to your network?

Motaz Khraisat

Andres Franco · ‎04-28-2011

Thank you all for your support. I did work with the static route from the Internet Router. We were having a problem with de public DNS server that wasnt updating a change in the config.

AF

Roman Rodichev · ‎04-28-2011

I'm glad you figured it out.

Andres Franco · ‎04-28-2011

Yes. Me too. Is good to get things solved.