Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
989
Views
5
Helpful
3
Replies

FW NAT

Serpent2010
Level 1
Level 1

‎09-02-2016 06:01 AM - edited ‎03-12-2019 01:13 AM

Please, what is the best way to config the FW to allow Net2 get IP address from Router1? Bear in mind Net 1 is on different subnet/ip 

NAT is not recommended as Net 2 shall has visible connection (IP address to Router 1 net.)

Internal Net 1 (192.168.1.0/24)

|

|

Router1 (DHCP 10.10.10.0/24) ----------   FW --------------------  Internet  (Outside)

      |         (Internal Net3)                             |

      |                                                             |

    Net 3                                           Internal Net 2 (10.10.10.0/24)

 

Thank You

Labels:
0 Helpful
3 Replies 3

pradypan
Cisco Employee
Cisco Employee

‎09-02-2016 07:08 AM

Hi,

With the query, I can understand that you are just looking to get IP address from Router 1. The Router 1 is acting as a DHCP server.

If my understanding is correct, you can configure ASA as a DHCP relay. A DHCP relay agent allows the ASA to forward DHCP requests from clients to a router or other DHCP server connected to a different interface.

Please find the below document for your reference.

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116265-configure-product-00.html#anc11


Regards,
Pradyumna

Serpent2010
Level 1
Level 1
In response to pradypan

‎09-06-2016 09:46 AM

Thank you for the info.

Unfortunately, because one of the FW interfaces had been configured as DHCP for local internal network, I could not setup Net2 for dhcprelay see error below (as stated in the link of the article)

DHCPRA: can't enable DHCP Relay when DHCPD is running on any interface
       Use the 'no dhcpd enable <server_ifc>' command
       on any interface that has been enabled. 

Any other solution please!

This topology is required to keep Net2 and Net3 connected. So, Net3's/R1 Admin can oversight Net2 network, meanwhile, the FW has full control to the bidirectional traffics between these two nets. 

0 Helpful

Edwin Matos
Level 1
Level 1

‎09-03-2016 12:37 PM

Since your net3 and net2 are on the same network the router or ASA wont allow same network on multiple interfaces with basic configuration. 

With VRF on router you can arrange your setup with with the topology below, buuuuut

Router 10.10.10.0/24

Router1 vrf A 10.10.10.1/24------------|switch vlan x

Router1 vrf TOASA 10.10.10.2--------|switch vlan x

Router1 vrf TOASA 10.10.11.1--------| to ASA net 2 interface

ASA net 2 10.10.11.1  then NAT towards net3

would you mind sharing more information about the requirements/needs for this design?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card