02-03-2012 06:36 PM - edited 03-11-2019 03:23 PM
Originally my network was set up with a Cisco ASA5505 at the edge and was configured for VPNs to connect the remote offices to the main office. As part of company expansion I am in the process of deploying a new Cisco 2921 router at the edge of the network to connect to our ISPs. I did not get the built-in firewall module on the Cisco 2921, as I intend to connect the Cisco ASA5505 on the inside interface of the 2921 router to handle all the firewall filtering. I have routing configured properly and can get off the network and onto the internet. The problem is traffic from the internet cannot get on the network, for example email. I can send email but not receive. I assume this is an ACL issue but I have been unable to resolve it as of yet.
Do I keep the access lists on the firewall to permit SMTP and the other protocols that I need to flow through? Or do I move them to the edge router or are they supposed to exist on both the router and the firewall?
I have attempted to create an ACL on the Router to permit the allowed traffic and applied it to the internet facing interface in the IN direction but it does not work. Any suggestions, do I need to make changes to the router, the ASA, or both?
Or could this be a NAT issue? I have not changed the NAT settings on the firewall yet. So right now I have NAT translations happening on the firewall and then again on the router.
02-03-2012 10:19 PM
The double NAT is most likely your issue. Typically the network between the router and firewall is routable on the internet, so the router wouldn't be NATing at all. How is your internet service being delivered to you?
Sent from Cisco Technical Support iPad App
02-04-2012 04:21 AM
Ken thank you for your response.
Right now I have a bonded T-1 delivered to the ISP's CSU/DSU on my site. That is then connected to my router via Ethernet. Before I added the router I just had a default route to the default gateway on the ASA. I now have the ISP connected to the router and will have a second ISP connected to the router, which is not online yet. I am not using BGP because our web server is hosted elsewhere, so I just planned to use policy routing to direct the traffic between the two ISPs. We do host our own Exchange, and it is on the inside of the network and not in a DMZ.
So right now routing with the Router in place, I have EIGRP set up with a static route to get off the network and redistribute that route into my network. I have the ISP facing interfaces in a passive state.
Router
G0/0 (inside network to ASA) 172.20.10.9/29
G0/1 ISP address
G0/2 Future ISP address
ASA
Outside interface 172.20.10.10/29
Inside interface 172.20.20.6/29
This then connects to my 3650 switches.
03-21-2012 11:25 AM
Mike,
How did you get this to work? When I tried this setup
Router
G0/1 (inside network to ASA) 10.16.1.100/24
G0/1 ISP
ASA
Outside interface 10.16.1.101/24
Inside interface 10.16.2.3/24
This connects to a 2960 switch.
I get an error about overlapping subnets.
03-21-2012 01:06 PM
David, your issue sounds different than mine. My issue was with double NAT. Your issue sounds like it is with your IP addressing scheme. Look closely at your subnetting and make sure you don't have any overlap anywhere. I don't see an overlap in what you have listed. Is this correct, including subnet masks? Do you have any other subnets in the network?
Plus, I am sure this is a typo, but you have G0/1 listed as both ISP and to the ASA. Check your ports to make sure they are connected where they are supposed to be connected.
02-04-2012 05:30 PM
OK, I have everything working now; the problem was with NAT as you suggested. I have NAT on the edge router only and no NAT on the ASA5505. You can let me know your opinion on that. What I did on the ASA is:
Remove these NAT translations:
object network (xxx.xxx.xxx.xxx)
 nat (inside,outside) static interface service tcp 3389 3389
object network (xxx.xxx.xxx.xxx)
 nat (inside,outside) static interface service tcp smtp smtp
object network (xxx.xxx.xxx.xxx)
 nat (inside,outside) static interface service tcp https https
object network (xxx.xxx.xxx.xxx)
 nat (inside,outside) static interface service tcp 135 135
object network (xxx.xxx.xxx.xxx)
 nat (inside,outside) static interface service tcp www www
object network obj_any
 nat (inside,outside) dynamic interface
The only NAT statements left on the ASA are for the site-to-site VPNs.
On the edge router I added:
ip nat inside source static tcp (xxx.xxx.xxx.xxx) smtp (xxx.xxx.xxx.xxx) smtp extendable
ip nat inside source static tcp (xxx.xxx.xxx.xxx) www (xxx.xxx.xxx.xxx) www extendable
ip nat inside source static tcp (xxx.xxx.xxx.xxx) https (xxx.xxx.xxx.xxx) https extendable
ip nat inside source static tcp (xxx.xxx.xxx.xxx) 135 (xxx.xxx.xxx.xxx) 135 extendable
ip nat inside source static tcp (xxx.xxx.xxx.xxx) 3389 (xxx.xxx.xxx.xxx) 3389 extendable
Plus a route-map for port translation on the outside interface.
Seeing as I am not using BGP and will be using policy routing when I bring the second ISP connection online, is this a proper configuration, or should I look at something else?
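As an added example (not configuration from this thread or from Cisco), here is what the finished design described in the post above looks like on both devices: NAT only on the 2921, plain ACL filtering on the ASA, and only the VPN exemption NAT left on the ASA. The 172.20.30.25 mail server, the 203.0.113.x ISP addresses, the 192.168.50.0/24 remote office, and all object, ACL and route-map names are assumed placeholders; the 172.20.10.0/29 link addresses come from the thread.

```cisco
! ===== 2921 edge router: the only place NAT happens =====
interface GigabitEthernet0/0
 description Inside - link to ASA outside (172.20.10.10)
 ip address 172.20.10.9 255.255.255.248
 ip nat inside
!
interface GigabitEthernet0/1
 description ISP A (placeholder public address from the RFC 5737 range)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! Routes to the networks behind the ASA come from EIGRP, as in the thread.
!
! Dynamic PAT for outbound traffic, tied to the ISP A interface so that a
! second ISP later gets its own route-map and its own overload entry.
ip access-list standard INSIDE_NETS
 permit 172.20.0.0 0.0.255.255
route-map PAT_ISP_A permit 10
 match ip address INSIDE_NETS
 match interface GigabitEthernet0/1
ip nat inside source route-map PAT_ISP_A interface GigabitEthernet0/1 overload
!
! Static PAT: one entry per service that must be reachable from the internet.
! 172.20.30.25 is an assumed address for the internal Exchange server.
ip nat inside source static tcp 172.20.30.25 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 172.20.30.25 443 interface GigabitEthernet0/1 443

! ===== ASA 5505: no internet NAT, only filtering and the VPN exemption =====
object network MAIL_SERVER
 host 172.20.30.25
object network INSIDE_LAN
 subnet 172.20.0.0 255.255.0.0
object network REMOTE_OFFICE
 subnet 192.168.50.0 255.255.255.0
!
! Identity (exempt) NAT so site-to-site VPN traffic is never translated.
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static REMOTE_OFFICE REMOTE_OFFICE no-proxy-arp route-lookup
!
! The router has already rewritten the destination to the real inside
! address, so the inbound ACL matches the inside host, not the public IP.
access-list OUTSIDE_IN extended permit tcp any object MAIL_SERVER eq smtp
access-list OUTSIDE_IN extended permit tcp any object MAIL_SERVER eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 172.20.10.9
```

To check it, `packet-tracer input outside tcp 198.51.100.7 1025 172.20.30.25 25` on the ASA should end in ALLOW and `show ip nat translations` on the router should list the static entries. If a `nat (inside,outside)` statement for the mail server is still present on the ASA, the replies are translated a second time, which is exactly the symptom this thread started with.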
02-05-2012 03:26 PM
Michael,
I think that this should work.
Personally, I like putting all of the NAT stuff in one place, preferably on the firewall, but if you don't have a set of IPs from the ISP, or your own subnet that you can advertise via BGP, you'll have to do what you're doing.
Ken
Sent from Cisco Technical Support iPad App
02-06-2012 04:53 AM
Thanks for your help and input. BGP may be down the road so I may change it around in the future where the NAT ends back up on the firewall.