Problem with NAT traversal of two ASA firewalls

GRANT GATHAGAN
Level 1

I have an odd situation involving two ASA firewalls.
Firewall 1 is our main firewall, an ASA5585-X. Firewall 2 is an ASA5506.

For reasons that aren't germane to this problem, one of our research groups is required to place their server and its attendant NASs behind their own firewall within our institution. That's firewall 2.

Firewall 2 is set up to limit the server's outgoing access to a server at another research site via SSH and Red Hat's update sites.
The NASs' outgoing access is limited to Synology's update sites.
Additionally, I've allowed DNS and NTP access from those devices to our internal DNS and NTP servers.

From outside of firewall 2, SSH access to the server is limited to the computers of several researchers, which are on our institution's private network.
Likewise, HTTPS access is allowed from those same researchers to the NAS units.

The outgoing traffic from firewall 2 to the update sites then goes through our main firewall, firewall 1, along with the majority of other outgoing traffic from our organization.

The researchers now need to add SSH access to an additional remote site.
In the interest of security, the new remote site would like to see traffic from us on a unique public IP address, as opposed to the public IP address of the outside interface of firewall 1.

Accordingly, I created a static NAT on firewall 1 for the outside interface of firewall 2.
I didn't set up any access rules, just the NAT.

Currently, the server cannot communicate with any of its allowed targets, but the NAS units can.
The logs show connections being set up on firewall 1, but they time out after 30 seconds.

Given that the NAS connections are made successfully, I think my approach is logical, but clearly I am missing something.

Any advice is welcome.

1 Reply

nspasov
Cisco Employee

This could be ACL, proxy-arp, routing, etc. but it is hard to say as there are many moving parts. Additional information and perhaps a basic diagram/sketch would be a good start. The output from packet-tracer from both firewalls simulating the end-to-end connection could possibly shine a light on the cause of the problem.

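As an added illustration of the static NAT described in the question and the packet-tracer check the reply recommends (not the poster's or Cisco's configuration), all addresses below are placeholders from the documentation ranges and the object and ACL names are assumed:

```text
! Firewall 1 (ASA5585-X, 8.3+ syntax): give firewall 2's outside address
! its own public IP instead of the outside-interface PAT.
! 10.20.30.1    = firewall 2 outside interface (placeholder)
! 198.51.100.10 = dedicated public IP the remote site expects (placeholder)
! 203.0.113.20  = remote SSH site (placeholder)
object network FW2_OUTSIDE
 host 10.20.30.1
 nat (inside,outside) static 198.51.100.10

! If an ACL is applied inbound on firewall 1's inside interface, it matches
! the real (pre-translation) source address on 8.3+, so reference the
! untranslated object, not the public IP.
object network REMOTE_SSH_SITE
 host 203.0.113.20
access-list INSIDE_IN extended permit tcp object FW2_OUTSIDE object REMOTE_SSH_SITE eq 22
access-group INSIDE_IN in interface inside

! Diagnostics from the reply. On firewall 1, simulate the server's SYN as it
! arrives from firewall 2 (after firewall 2's own NAT the source is its
! outside address); the last phase in the output names the ACL, NAT or
! route step that dropped the packet, and the NAT phase shows which rule
! and translated address the flow received.
packet-tracer input inside tcp 10.20.30.1 40000 203.0.113.20 22 detailed

! On firewall 2, simulate the server itself (10.20.31.5 = server, placeholder).
packet-tracer input inside tcp 10.20.31.5 40000 203.0.113.20 22 detailed

! Confirm what a live flow is actually translated to and whether it ever
! left the embryonic (half-open) state.
show nat detail
show xlate | include 10.20.30.1
show conn address 10.20.30.1
```

A connection that is built on firewall 1 and then torn down after roughly 30 seconds matches the ASA's default embryonic timeout, i.e. the SYN went out but no SYN-ACK came back through the same translation; the teardown syslog's reason field (for example "SYN Timeout") confirms this, and packet-tracer in both directions shows whether the return path is being dropped by an ACL, a NAT mismatch, or a route.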