cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
692
Views
0
Helpful
2
Replies

ASA5520 Dual-Tier NAT

dsmdavidt
Level 1
Level 1

Hey all:

I am having some issues getting internet traffic to pass to inside hosts on Two Cisco ASA 5520s running 8.4 ASA IOS.

The set up is a 2-tiered FW.

Inside Hosts -- ASA5520 -- DMZ Hosts -- ASA5520 -- Internet Provider

Inside FW Network: 10.10.10.0/24

Perimeter FW Network: 10.10.0.0/24

NAT Network: 172.16.10.0/24

Real IP Network: 192.168.1.0/24

Inside Host: 10.10.10.10

Inside FW: 10.10.10.1/24

Inside NAT: nat (inside,outside) source static 10.10.10.10 172.16.10.10 unidirectional

Interface GigabitEthernet 0/0

nameif outside

ip address 10.10.5.2 255.255.255.252

Interface GigabitEthernet 0/1

nameif inside

ip address 10.10.10.1 255.255.255.0

Outside FW: 10.10.0.1/24

Outside NAT: nat (inside,outside) source static 172.16.10.10 192.168.1.225 unidirectional

Interface GigabitEthernet 0/0

nameif outside

ip address 192.168.1.2 255.255.255.0

Interface GigabitEthernet 0/1

nameif inside

ip address 10.10.5.1 255.255.255.252

Interface GigabitEthernet 0/2

nameif dmz

ip address 10.10.0.1 255.255.255.0

Interfaces are connected through 10.10.5.0/30 network

Inside FW route:

route outside 0.0.0.0 0.0.0.0 10.10.5.1

Outside FW routes:

route outside 0.0.0.0 0.0.0.0 192.168.1.1

route inside 10.10.10.0 255.255.255.0 10.10.5.2

I can see the traffic passing, but I am just getting SYN Timeouts and a few TCP reset-I and TCP reset-O messages in the logs.

2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

You would need to configure route for the 172.16.10.10 NATed address on the Outside FW because you are NATing it to that ip address, it doesn't know and doesn't need to route to the real subnet (10.10.10.0/24), hence you don't need the following route:

route inside 10.10.10.0 255.255.255.0 10.10.5.2

What you need is:

route inside 172.16.10.10 255.255.255.255 10.10.5.2

Another option you can go for

1) On Inside Firewall

object network server

host 10.10.10.10

access-list OUTSIDEIN extended permit ip any object server

access-group OUTSIDEIN in interface outside

2) On outside firewall

object network server
host 10.10.10.10

nat (inside,outside) static 192.168.1.225

access-list OUTSIDEIN extended permit ip any object server

access-group OUTSIDEIN in interface outside

Review Cisco Networking for a $25 gift card