04-25-2013 06:25 AM - edited 03-11-2019 06:34 PM
Hi Guys,
I'm having a problem with the translation of my private networks to the outside, and I'm a little bit confused about where I should put the NAT. By the way, here's the scenario: I have a Cisco 1841 router running DHCP services, then I have one Cisco 2901 on the WAN side, and in between these I put an ASA firewall in transparent mode. Anyhow, please see my configuration below. Hope someone could help me on this. Thanks
Cisco 1841
ip dhcp pool 1.1.1.0/24
network 1.1.1.0 255.255.255.0
default-router 1.1.1.254
ip dhcp excluded-address 1.1.1.254
Interface fa0/0
description ##Facing_WAN##
ip address 2.2.2.1 255.255.255.240
duplex auto
speed auto
Interface f0/1
description ##LAN##
ip address 1.1.1.254 255.255.255.0
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 2.2.2.3
ASA 5515-x Firewall
firewall transparent
Interface gi0/0
nameif Outside
bridge-group 1
security-level 0
Interface gi0/1
nameif Inside
bridge-group 1
security-level 100
Interface BVI1
ip address 2.2.2.2 255.255.255.240
(access-list was also configured both inside and outside) (permit any any)
Cisco 2901
Interface g0/0
ip address 3.3.3.3 255.255.255.252
duplex auto
speed auto
Interface g0/1
ip address 2.2.2.3 255.255.255.240
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 3.3.3.3
(In this case I was able to reach 2.2.2.0/28 sourcing from fa0/1 (the default gateway).) So now I need to know where I should put the NAT, and should I also put an ip route on the transparent-mode firewall? Please help, thanks! Let me know if I missed some configuration here; I highly appreciate your response.
04-25-2013 09:41 PM
Hi Baltazar,
Check the route on the 2901
Interface g0/0
ip address 3.3.3.3 255.255.255.252
ip route 0.0.0.0 0.0.0.0 3.3.3.3
Why is it pointing to itself?
On the ASA add
route outside 0 0 2.2.2.3
I would do the NAT on the outside router, but that's all up to you.
Regards
04-25-2013 11:28 PM
Hi Jc,
Sorry, it was actually routed to 0.0.0.0 0.0.0.0 3.3.3.4; this is an example of the connection going to the ISP. I'll try your suggestion, thanks JC!
04-26-2013 09:37 AM
Hey my pleasure,
If you do not have any other questions, please mark it as answered, Baltazar.
Regards
04-29-2013 02:43 AM
Hi JC,
I already put the route on the ASA and configured NAT on the outside router. It seems that the translation was not able to translate. Is there any configuration I should add on the ASA or on the router instead? Thanks!
04-29-2013 09:54 AM
Hello,
Can you share the entire configuration of the devices so I can double-check that everything is as it should be?
Regards
04-30-2013 01:51 AM
Hi JC,
Here's the configuration below.
Router 2600
Building configuration...
Current configuration : 1669 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.20.254
ip dhcp excluded-address 10.10.20.253
!
ip dhcp pool 10.10.20.0/24
network 10.10.20.0 255.255.255.0
default-router 10.10.20.254
dns-server 8.8.8.8 4.2.2.2
!
!
ip name-server 8.8.8.8
ip name-server 4.2.2.2
!
interface FastEthernet0/0
description ##FACING-WAN##
ip address 202.120.1.2 255.255.255.240
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description ##LAN-WORSTATION##
ip address 10.10.20.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 202.120.1.1
!
no ip http server
ip nat pool TEST 202.120.1.9 202.120.1.10 netmask 255.255.255.240
ip nat source list 7 pool TEST
!
access-list 7 remark Pool
access-list 7 permit 10.10.20.0 0.0.0.255
access-list 100 permit tcp 10.10.20.0 0.0.0.255 any eq telnet
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 100 in
login local
transport input telnet
!
!
end
ASA FIREWALL 8.6
sh run
: Saved
:
ASA Version 8.6(1)2
!
firewall transparent
names
!
interface GigabitEthernet0/0
nameif Outside
bridge-group 1
security-level 0
!
interface GigabitEthernet0/1
nameif Inside
bridge-group 1
security-level 100
!
interface GigabitEthernet0/2
nameif Inside2
bridge-group 1
security-level 100
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
!
interface Management0/0
nameif Management
security-level 0
management-only
!
interface BVI1
ip address 202.120.1.3 255.255.255.240
!
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.2
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list Outside_access_in extended permit ip any any log disable
access-list Outside_access_in extended permit icmp any any log disable
access-list Inside_access_in extended permit ip any any log disable
access-list Inside_access_in extended permit icmp any any log disable
pager lines 24
mtu Outside 1500
mtu Inside 1500
mtu Management 1500
mtu Inside2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 0.0.0.0 0.0.0.0 Inside2
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:80858c29d4cb42ba7aa174d09b7191dd
: end
04-30-2013 11:10 AM
Hello Baltazar,
On which port is the ASA connected to that router?
I need the port numbers of both the router and ASA
04-30-2013 11:16 AM
Hi JC,
From router to ASA:
Fa0/0 to Gig0/1 (Inside ASA)
From ASA to WAN:
(Outside) G0/0 to G0/1 (WAN)
04-30-2013 11:21 AM
Add the following on the ASA:
route outside 0.0.0.0 0.0.0.0 202.120.1.1
On the router:
no ip nat source list 7 pool TEST
ip nat inside source list 7 pool TEST
Then let me know.
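As an added check that is not part of the thread (my own example code, not anything posted by Baltazar or JC): a short Python script that turns the two fixes from the accepted answer into lint rules and runs them against constructed excerpts of the configs posted above. It flags the `ip nat source list` statement that lacks `inside` (the bare `ip nat source` form is the NAT Virtual Interface syntax, which expects `ip nat enable` on the interfaces rather than `ip nat inside`/`ip nat outside`, so in this config it translates nothing), checks that the NAT pool sits inside the router's outside subnet and does not collide with the outside interface address, the default gateway or the ASA's BVI address, and on the ASA side checks for a default route and warns that `permit ip any any` applied inbound on Outside means the transparent firewall filters nothing inbound. The config excerpts, the `check_ios_nat` and `check_asa_transparent` function names and the `neighbours` parameter are my own; the addresses are the ones from the thread.

```python
"""Sanity checks for a NAT router sitting behind a transparent-mode ASA."""
import ipaddress
import re

# Constructed excerpts of the configs posted in this thread (not live device output).
IOS_CONFIG = """\
interface FastEthernet0/0
 ip address 202.120.1.2 255.255.255.240
 ip nat outside
!
interface FastEthernet0/1
 ip address 10.10.20.254 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 202.120.1.1
ip nat pool TEST 202.120.1.9 202.120.1.10 netmask 255.255.255.240
ip nat source list 7 pool TEST
access-list 7 permit 10.10.20.0 0.0.0.255
"""
ASA_CONFIG = """\
firewall transparent
interface BVI1
 ip address 202.120.1.3 255.255.255.240
access-list Outside_access_in extended permit ip any any log disable
access-group Outside_access_in in interface Outside
"""


def parse_interfaces(config):
    """Map interface name -> {'ip': IPv4Interface|None, 'nat': 'inside'|'outside'|None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = interfaces.setdefault(m.group(1), {"ip": None, "nat": None})
        elif current is not None and line.startswith(" "):
            if m := re.match(r"\s+ip address (\S+) (\S+)", line):
                current["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            elif m := re.match(r"\s+ip nat (inside|outside)", line):
                current["nat"] = m.group(1)
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def check_ios_nat(config, neighbours=()):
    """Findings for the NAT router; neighbours = other live addresses on the WAN segment."""
    findings, ifaces = [], parse_interfaces(config)
    roles = {i["nat"]: i for i in ifaces.values() if i["nat"]}
    for role in ("inside", "outside"):
        if role not in roles:
            findings.append(f"no interface marked 'ip nat {role}'")
    # Domain-based NAT needs 'ip nat inside source'. The bare 'ip nat source' form is
    # the NAT Virtual Interface (NVI) syntax, which expects 'ip nat enable' on the
    # interfaces rather than 'ip nat inside/outside', so here it translates nothing.
    for m in re.finditer(r"^ip nat (inside |outside )?source list (\S+) pool (\S+)", config, re.M):
        if m.group(1) is None:
            findings.append(f"'ip nat source list {m.group(2)} pool {m.group(3)}' lacks "
                            "'inside'; use 'ip nat inside source list ... pool ...'")
    outside = roles.get("outside")
    gw = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    reserved = set(neighbours) | ({gw.group(1)} if gw else set())
    if outside:
        reserved.add(str(outside["ip"].ip))
    for m in re.finditer(r"^ip nat pool (\S+) (\S+) (\S+) netmask", config, re.M):
        name = m.group(1)
        first, last = ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3))
        if outside and (first not in outside["ip"].network or last not in outside["ip"].network):
            findings.append(f"pool {name} lies outside {outside['ip'].network}; upstream must route it")
        clash = sorted(r for r in reserved if first <= ipaddress.IPv4Address(r) <= last)
        if clash:
            findings.append(f"pool {name} overlaps live addresses {clash}")
    return findings


def check_asa_transparent(config):
    """Findings for the transparent-mode ASA bridging the router's WAN segment."""
    findings = []
    if "firewall transparent" not in config:
        findings.append("ASA is not in transparent mode")
    if not re.search(r"^route \S+ 0(\.0\.0\.0)? 0(\.0\.0\.0)? \S+", config, re.M):
        findings.append("no default route on the ASA (accepted fix: 'route outside 0.0.0.0 0.0.0.0 <gw>')")
    # 'permit ip any any' applied inbound on Outside means the firewall filters nothing inbound.
    for m in re.finditer(r"^access-group (\S+) in interface (\S+)", config, re.M):
        acl, ifname = m.group(1), m.group(2)
        if re.search(rf"^access-list {re.escape(acl)} extended permit ip any any", config, re.M):
            findings.append(f"ACL {acl} on {ifname} permits ip any any inbound")
    return findings


if __name__ == "__main__":
    # Pass the ASA's BVI address as a neighbour so a pool overlapping it is caught.
    bvi = str(parse_interfaces(ASA_CONFIG)["BVI1"]["ip"].ip)
    for f in check_ios_nat(IOS_CONFIG, (bvi,)) + check_asa_transparent(ASA_CONFIG):
        print("-", f)
```

Run against the configs as posted it reports three findings: the NAT statement missing `inside`, the missing ASA default route, and the any/any ACL. After the accepted fix only the ACL warning remains, which is the caveat worth keeping in mind here: with `permit ip any any` in both directions the transparent ASA bridges everything and the NAT router's own `access-class` on the vty lines is the only filtering in the path.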
05-02-2013 12:47 AM
Hi JC,
I was able to do the translation. Thank you so much for your help. I just forgot to input the "ip nat inside source" instead.
05-02-2013 02:07 PM
Hello,
Yeah,
My pleasure to help