04-26-2017 04:01 AM - edited 03-12-2019 02:16 AM
Hi Team,
I have a client who has been using a Cisco router as his Internet gateway for two subnets (192.168.1.0 and 192.168.2.0) and also as a VPN router connecting to different sites (say 192.168.10.0, 192.168.20.0 and so on), but he bought a new Cisco firewall (Cisco 5516 Firepower). He wants it to be below the router. He wants to create four interfaces for different zones (LAN, SERVERS, DMZ, LAN) (192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0) and be able to direct whichever he wants to the router so that it can go out. I have tried to configure that, but when I configure access rules between interfaces, they can't work without NATting. Yet when I apply NAT, the Cisco router gets the translated IP, which conflicts with the NAT that is already configured on the Cisco router.
Is there a way of doing the access rule and allowing traffic among the interfaces without NATting, or by doing NAT exempt?
04-26-2017 06:17 AM
Hello,
Yes, that is possible and a workable scenario. By default, if you don't configure a NAT, the traffic should traverse the ASA without getting NATed, provided there are access-lists allowing the traffic.
Worst case, if there is an existing NAT causing this, a NAT exempt can be added to make it work.
Could you please provide the config and the issue that you are facing?
-
AJ
04-26-2017 06:23 AM
Hi AJ,
I configured the access rules, but without the NAT they couldn't work. I tried configuring NAT exempt, but I realized it only works with static NAT, yet I am using dynamic hide. I am actually using the outside interface to do the NAT.
Unfortunately I don't have the configs because I am off the site.
Regards
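For reference, here is how the NAT exempt AJ describes is expressed on an ASA 9.x (the 5516-X runs ASA code) alongside a dynamic hide PAT on the outside interface. This is an added example, not a config from this thread; the object and interface names (LAN_NET, SERVERS_NET, DMZ_NET, LOCAL_ZONES, VPN_SITES, nameifs lan/servers/dmz/outside) are assumptions, while the subnets come from the original post. NAT exempt on ASA 8.3+ is an identity twice-NAT rule in section 1, which is evaluated before object (section 2) dynamic NAT, so it works even when the Internet-bound traffic is hide-NATted.

```cisco
! ---- Zone objects (names assumed; subnets from the thread) ----
object network LAN_NET
 subnet 192.168.1.0 255.255.255.0
object network SERVERS_NET
 subnet 192.168.2.0 255.255.255.0
object network DMZ_NET
 subnet 192.168.3.0 255.255.255.0
object-group network LOCAL_ZONES
 network-object object LAN_NET
 network-object object SERVERS_NET
 network-object object DMZ_NET
! Remote sites that the upstream router reaches over its existing VPN tunnels
object-group network VPN_SITES
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
!
! ---- Section 1: identity (exempt) rules, matched before the hide NAT ----
! Local zone -> VPN site: source and destination stay untouched, so the router
! sees the real 192.168.x.0 addresses that its own NAT and VPN ACLs expect.
nat (any,outside) source static LOCAL_ZONES LOCAL_ZONES destination static VPN_SITES VPN_SITES no-proxy-arp route-lookup
! Local zone -> local zone on another ASA interface: no translation either way.
nat (any,any) source static LOCAL_ZONES LOCAL_ZONES destination static LOCAL_ZONES LOCAL_ZONES no-proxy-arp route-lookup
!
! ---- Section 2: dynamic hide PAT, now only for traffic not matched above ----
object network LAN_NET
 nat (lan,outside) dynamic interface
object network SERVERS_NET
 nat (servers,outside) dynamic interface
object network DMZ_NET
 nat (dmz,outside) dynamic interface
!
! ---- Interface ACLs: identity NAT alone does not permit the traffic ----
access-list LAN_IN extended permit ip object LAN_NET object-group VPN_SITES
access-list LAN_IN extended permit tcp object LAN_NET object DMZ_NET eq 443
access-list LAN_IN extended permit ip object LAN_NET any
access-group LAN_IN in interface lan
```

To confirm which rule a flow hits, use `show nat` to see the hit counters and `packet-tracer input lan tcp 192.168.1.10 1025 192.168.10.10 80` to walk a constructed LAN-to-VPN-site packet through the ACL and NAT phases; the NAT phase should report the identity rule, not the PAT.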