
Configure NAT on ASA inside of edge Router

Hi All,

If this is the wrong place to post this question, I apologize and can repost in the correct location.

My shop has 1 ISP providing us a 40 Mb Ethernet line with a /26 public IP subnet. I am configuring our lab with redundancy using the following devices:

-Two 2911's as the Edge devices (configured with HSRP)

-Two ASA5515X's (configured for failover)

-Two 3750X (stacked)

We will be configuring VPN, an IPSEC (or GRE) tunnel to another site, and NAT on the ASAs.

My question is how can I configure all of the above (VPN, IPSEC, and NAT) on my ASAs even though they will be behind/inside the edge routers?

Does this sound like a feasible implementation?  Any better suggestions?

Thank you all in advance for your help!

1 Reply 1

JohnTylerPearce
Level 7

If they are being the edge routers, coming in from the ISP, can you create a VLAN, with a public network range of the ISP, and assign that to the outside interface?

It would make it a whole lot easier. Personally, you can run into all sorts of problems if you have to double NAT, etc., and do all kinds of weirdness.

For instance, I once worked at a company, which we will call CompanyX, that had one ISP, and behind the ISP was a switch, with a VLAN that was carved, with an L2 VLAN, and from a port on that switch (with the ISP VLAN) to the public outside interface on the ASA.

Sorry if this sounds confusing, and feel free to ask any more questions. I'm usually busy during the day, but I try my best to respond to posts.
