Traffic flow issues after deploying 2921 router in front of my ASA5505

Michael Couture
Level 1

Originally my network was set up with a Cisco ASA5505 at the edge and was configured for VPNs to connect the remote offices to the main office. As part of company expansion I am in the process of deploying a new Cisco 2921 router at the edge of the network to connect to our ISPs. I did not get the built-in firewall module on the Cisco 2921, as I intend to connect the Cisco ASA5505 on the inside interface of the 2921 router to handle all the firewall filtering. I have routing configured properly and can get off the network and onto the internet. The problem is traffic from the internet cannot get on the network, for example email. I can send email but not receive. I assume this is an ACL issue, but I have been unable to resolve it as of yet.

Do I keep the access lists on the firewall to permit SMTP and the other protocols that I need to flow through? Or do I move them to the edge router or are they supposed to exist on both the router and the firewall?

I have attempted to create an ACL on the Router to permit the allowed traffic and applied it to the internet facing interface in the IN direction but it does not work. Any suggestions, do I need to make changes to the router, the ASA, or both?

Or could this be a NAT issue? I have not changed the NAT settings on the firewall yet. So right now I have NAT translations happening on the firewall and then again on the router.

1 Accepted Solution

The double NAT is most likely your issue. Typically the network between the router and firewall is routable on the internet, so the router wouldn't be NATing at all. How is your internet service being delivered to you?

Sent from Cisco Technical Support iPad App

7 Replies


Ken thank you for your response.

Right now I have a bonded T-1 delivered to the ISP's CSU/DSU on my site. That is then connected to my router via Ethernet. Before I added the router I just had a default route to the default gateway on the ASA. I now have the ISP connected to the router and will have a second ISP connected to the router, which is not online yet. I am not using BGP because our web server is hosted elsewhere, and so I just planned to use policy routing to direct the traffic between the two ISPs. We do host our own Exchange, and it is on the inside of the network and not in a DMZ.

So right now, with the router in place, I have EIGRP set up with a static route to get off the network and redistribute that route into my network. I have the ISP-facing interfaces in a passive state.

Router
G0/0 (inside network to ASA) 172.20.10.9/29
G0/1 ISP address
G0/2 Future ISP address

ASA
Outside interface 172.20.10.10/29
Inside interface 172.20.20.6/29

This then connects to my 3650 switches.

Mike,

How did you get this to work? When I tried this setup

Router
G0/1 (inside network to ASA) 10.16.1.100/24
G0/1 ISP

ASA
Outside interface 10.16.1.101/24
Inside interface 10.16.2.3/24

This connects to a 2960 switch.

I get an error about overlapping subnets.

David, your issue sounds different than mine. My issue was with double NAT. Your issue sounds like it is with your IP addressing scheme. Look closely at your subnetting and make sure you don't have any overlap anywhere. I don't see an overlap in what you have listed. Is this correct, including subnet masks? Do you have any other subnets in the network?

Plus, I am sure this is a typo, but you have G0/1 listed as both ISP and to the ASA. Check your ports to make sure they are connected where they are supposed to be connected.
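As an added example (not part of the thread), the two interface plans posted above can be checked with Python's ipaddress module for the two conditions that matter here: networks that overlap on one device, which is what the ASA rejects, and a router-to-ASA link whose two ends are not in one network. The addresses are the ones quoted in the thread; BAD_ASA is a constructed case that shows what a reported overlap looks like.

```python
"""Added example: per-device subnet overlap and link consistency checks
for the router/ASA plans quoted in the thread (not the thread's own code)."""
from ipaddress import ip_interface
from itertools import combinations


def overlapping_interfaces(interfaces):
    """Return (name, name) pairs whose networks overlap on the same device.
    interfaces maps an interface name to 'address/prefix'."""
    nets = {name: ip_interface(addr).network for name, addr in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def link_ok(router_side, asa_side):
    """Both ends of the router<->ASA link must share one network (and mask)
    while using different host addresses."""
    r, a = ip_interface(router_side), ip_interface(asa_side)
    return r.network == a.network and r.ip != a.ip


def check(router_ifaces, asa_ifaces, router_link_if, asa_link_if="outside"):
    """Summarise overlap on each device and whether the link addressing lines up."""
    return {
        "router_overlap": overlapping_interfaces(router_ifaces),
        "asa_overlap": overlapping_interfaces(asa_ifaces),
        "link_ok": link_ok(router_ifaces[router_link_if], asa_ifaces[asa_link_if]),
    }


# Mike's plan, as quoted in the thread
MIKE_ROUTER = {"G0/0": "172.20.10.9/29"}
MIKE_ASA = {"outside": "172.20.10.10/29", "inside": "172.20.20.6/29"}
# David's plan, as quoted in the thread
DAVID_ROUTER = {"G0/1": "10.16.1.100/24"}
DAVID_ASA = {"outside": "10.16.1.101/24", "inside": "10.16.2.3/24"}
# Constructed failure: an inside mask widened to /16 swallows the outside /24
BAD_ASA = {"outside": "10.16.1.101/24", "inside": "10.16.2.3/16"}

if __name__ == "__main__":
    print("Mike:", check(MIKE_ROUTER, MIKE_ASA, "G0/0"))
    print("David:", check(DAVID_ROUTER, DAVID_ASA, "G0/1"))
    print("Bad ASA:", check(DAVID_ROUTER, BAD_ASA, "G0/1"))
```

The router's inside interface and the ASA's outside interface sharing one /24 (or /29) is expected and is not an overlap; the ASA only objects when two of its own interfaces cover the same address space, which is why the masks on every ASA interface deserve a second look.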

OK, I have everything working now; the problem was with NAT, as you suggested. I have NAT on the edge router only and no NAT on the ASA5505. You can let me know your opinion on that. What I did on the ASA is:

Remove these NAT translations:

object network (xxx.xxx.xxx.xxx)
 nat (inside,outside) static interface service tcp 3389 3389
object network (xxx.xxx.xxx.xxx)
 nat (inside,outside) static interface service tcp smtp smtp
object network (xxx.xxx.xxx.xxx)
 nat (inside,outside) static interface service tcp https https
object network (xxx.xxx.xxx.xxx)
 nat (inside,outside) static interface service tcp 135 135
object network (xxx.xxx.xxx.xxx)
 nat (inside,outside) static interface service tcp www www
object network obj_any
 nat (inside,outside) dynamic interface

The only NAT statements left on the ASA are for the site-to-site VPNs

On the edge router I added:

ip nat inside source static tcp (xxx.xxx.xxx.xxx) smtp (xxx.xxx.xxx.xxx) smtp extendable
ip nat inside source static tcp (xxx.xxx.xxx.xxx) www (xxx.xxx.xxx.xxx) www extendable
ip nat inside source static tcp (xxx.xxx.xxx.xxx) https (xxx.xxx.xxx.xxx) https extendable
ip nat inside source static tcp (xxx.xxx.xxx.xxx) 135 (xxx.xxx.xxx.xxx) 135 extendable
ip nat inside source static tcp (xxx.xxx.xxx.xxx) 3389 (xxx.xxx.xxx.xxx) 3389 extendable

Plus a route map for port translation on the outside interface.

Seeing I am not using BGP and will be using policy routing when I bring the second ISP connection online is this a proper configuration, or should I look at something else?
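As an added example (not the thread's own code), the before-and-after NAT split described above can be audited mechanically. The script below parses ASA 8.3+ object NAT lines and IOS "ip nat inside source static tcp" lines, then reports chained static NAT (the router translating to the ASA outside address for a port the ASA translates again, which is the inbound double NAT that broke incoming SMTP), dynamic PAT present on both devices, and statically published ports such as 135 and 3389 that are usually reviewed before being exposed at an edge. The addresses are constructed: 203.0.113.10 (an RFC 5737 documentation address) stands in for the redacted public address and 172.20.30.x for inside hosts; 172.20.10.10 is the ASA outside address quoted earlier in the thread.

```python
"""Added example: audit a router/ASA NAT split for chained (double) NAT,
double PAT and statically exposed review ports. Not the thread's own code;
addresses are constructed samples plus the thread's 172.20.10.10."""
import re
from typing import NamedTuple

PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443}
REVIEW_PORTS = {135: "MS-RPC endpoint mapper", 3389: "RDP"}


class StaticNat(NamedTuple):
    device: str
    outside_port: int
    inside_ip: str
    inside_port: int


def port_number(tok):
    """Accept the service names IOS/ASA allow in NAT statements, or a number."""
    tok = tok.lower()
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    if tok.isdigit():
        return int(tok)
    raise ValueError(f"unrecognised port token {tok!r}")


ASA_OBJ = re.compile(r"^object network (\S+)")
ASA_HOST = re.compile(r"^\s*host (\d+\.\d+\.\d+\.\d+)")
ASA_STATIC = re.compile(r"^\s*nat \(inside,outside\) static interface service tcp (\S+) (\S+)")
ASA_DYNAMIC = re.compile(r"^\s*nat \(inside,outside\) dynamic interface")
IOS_STATIC = re.compile(r"^ip nat inside source static tcp (\S+) (\S+) (\S+) (\S+)")
IOS_OVERLOAD = re.compile(r"^ip nat inside source (?:list|route-map) \S+ interface \S+ overload")


def parse_asa(config):
    """Return (static NATs, dynamic PAT present) from ASA object NAT lines."""
    statics, dynamic, host = [], False, None
    for line in config.splitlines():
        if m := ASA_OBJ.match(line):
            host = m.group(1)  # object name until a 'host' line refines it
        elif m := ASA_HOST.match(line):
            host = m.group(1)
        elif m := ASA_STATIC.match(line):
            # ASA order: service tcp <real port> <mapped port>
            statics.append(StaticNat("asa", port_number(m.group(2)), host, port_number(m.group(1))))
        elif ASA_DYNAMIC.match(line):
            dynamic = True
    return statics, dynamic


def parse_ios(config):
    """Return (static NATs, overload PAT present) from IOS NAT lines."""
    statics, overload = [], False
    for line in config.splitlines():
        line = line.strip()
        if m := IOS_STATIC.match(line):
            # IOS order: static tcp <inside local> <port> <inside global> <port>
            statics.append(StaticNat("router", port_number(m.group(4)), m.group(1), port_number(m.group(2))))
        elif IOS_OVERLOAD.match(line):
            overload = True
    return statics, overload


def find_chained_nat(router_statics, asa_statics, asa_outside_ip):
    """Router statics that land on the ASA outside address for a port the ASA
    translates again: (public port, ASA outside, real host, real port)."""
    asa_by_port = {n.outside_port: n for n in asa_statics}
    chained = []
    for r in router_statics:
        a = asa_by_port.get(r.inside_port)
        if r.inside_ip == asa_outside_ip and a is not None:
            chained.append((r.outside_port, asa_outside_ip, a.inside_ip, a.inside_port))
    return chained


def find_review_ports(*nat_lists):
    """Statically published ports that warrant a review before exposure."""
    return sorted({(n.device, n.outside_port, REVIEW_PORTS[n.outside_port])
                   for nats in nat_lists for n in nats if n.outside_port in REVIEW_PORTS})


def audit(asa_config, router_config, asa_outside_ip):
    asa_statics, asa_dynamic = parse_asa(asa_config)
    ios_statics, ios_overload = parse_ios(router_config)
    return {"chained": find_chained_nat(ios_statics, asa_statics, asa_outside_ip),
            "double_pat": asa_dynamic and ios_overload,
            "review": find_review_ports(asa_statics, ios_statics)}


# Constructed 'before' state: the ASA still publishes services and the router translates again.
ASA_BEFORE = """\
object network obj-exchange
 host 172.20.30.25
 nat (inside,outside) static interface service tcp smtp smtp
object network obj-admin
 host 172.20.30.40
 nat (inside,outside) static interface service tcp 3389 3389
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
"""
ROUTER_BEFORE = """\
ip nat inside source static tcp 172.20.10.10 smtp 203.0.113.10 smtp extendable
ip nat inside source static tcp 172.20.10.10 3389 203.0.113.10 3389 extendable
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
"""
# Constructed 'after' state: NAT on the router only; the ASA keeps just a VPN exemption NAT.
ASA_AFTER = "nat (inside,outside) source static OBJ-LAN OBJ-LAN destination static OBJ-REMOTE OBJ-REMOTE\n"
ROUTER_AFTER = ROUTER_BEFORE.replace("172.20.10.10 smtp", "172.20.30.25 smtp").replace("172.20.10.10 3389", "172.20.30.40 3389")

if __name__ == "__main__":
    for label, asa, rtr in (("before", ASA_BEFORE, ROUTER_BEFORE), ("after", ASA_AFTER, ROUTER_AFTER)):
        print(label, audit(asa, rtr, "172.20.10.10"))
```

Run on the "before" state the audit lists both services as chained through 172.20.10.10 and flags dynamic PAT on both devices; on the "after" state the chain and the double PAT disappear, and only the review-port entries for the router remain, which is the list to compare against the ACL on the outside interface.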

Michael,

I think that this should work.

Personally, I like putting all of the NAT stuff in one place, preferably on the firewall, but if you don't have a set of IPs from the ISP, or your own subnet that you can advertise via BGP, you'll have to do what you're doing.

Ken

Sent from Cisco Technical Support iPad App

Thanks for your help and input. BGP may be down the road so I may change it around in the future where the NAT ends back up on the firewall.
