
Traffic flow issues after deploying 2921 router in front of my ASA5505

Michael Couture
Beginner

Originally my network was set up with a Cisco ASA5505 at the edge and was configured for VPNs to connect the remote offices to the main office. As part of company expansion I am in the process of deploying a new Cisco 2921 router at the edge of the network to connect to our ISPs. I did not get the built-in firewall module on the Cisco 2921, as I intend to connect the Cisco ASA5505 on the inside interface of the 2921 router to handle all the firewall filtering. I have routing configured properly and can get off the network and onto the internet. The problem is that traffic from the internet cannot get onto the network, for example email. I can send email but not receive. I assume this is an ACL issue, but I have been unable to resolve it as of yet.

Do I keep the access lists on the firewall to permit SMTP and the other protocols that I need to flow through? Or do I move them to the edge router or are they supposed to exist on both the router and the firewall?

I have attempted to create an ACL on the Router to permit the allowed traffic and applied it to the internet facing interface in the IN direction but it does not work. Any suggestions, do I need to make changes to the router, the ASA, or both?

Or could this be a NAT issue? I have not changed the NAT settings on the firewall yet. So right now I have NAT translations happening on the firewall and then again on the router.

ACCEPTED SOLUTION

Ken Stieers
VIP Advocate

The double NAT is most likely your issue. Typically the network between the router and firewall is routable on the internet, so the router wouldn't be NATing at all. How is your internet service being delivered to you?


7 REPLIES


Ken thank you for your response.

Right now I have a bonded T-1 delivered to the ISP's CSU/DSU on my site. That is then connected to my router via Ethernet. Before I added the router I just had a default route to the default gateway on the ASA. I now have the ISP connected to the router and will have a second ISP connected to the router, which is not online yet. I am not using BGP because our web server is hosted elsewhere, and so I just planned to use policy routing to direct the traffic between the two ISPs. We do host our own Exchange, and it is on the inside of the network, not in a DMZ.

So right now, with the router in place, I have EIGRP set up with a static route to get off the network, and I redistribute that route into my network. I have the ISP-facing interfaces in a passive state.

Router

G0/0 (inside network, to ASA): 172.20.10.9/29

G0/1: ISP address

G0/2: future ISP address

ASA

Outside interface: 172.20.10.10/29

Inside interface: 172.20.20.6/29

This then connects to my 3650 switches.
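The design Ken describes, with no NAT on the 2921 and both the mail-server translation and the inbound ACL on the ASA, written out as an added example; this is not configuration from the original thread or from either poster. It assumes the ISP routes a public /29 to the router (203.0.113.8/29, a documentation range used here as a placeholder), a point-to-point ISP link on 198.51.100.0/30, an Exchange server at 172.20.20.25 behind a 172.20.20.1 gateway on the inside, and ASA software 8.3 or later (object NAT syntax; on 8.3+ the outside ACL refers to the real inside address, not the public one). Every address, interface name and the software version are assumptions.

```cisco
! ---- Cisco 2921: routes the public /29 to the ASA, performs no NAT ----
interface GigabitEthernet0/1
 description ISP link (assumed 198.51.100.0/30 point-to-point)
 ip address 198.51.100.2 255.255.255.252
 ! deliberately no "ip nat outside"
!
interface GigabitEthernet0/0
 description Transit to ASA outside (assumed public block 203.0.113.8/29)
 ip address 203.0.113.9 255.255.255.248
 ! deliberately no "ip nat inside"; remove any "ip nat inside source ..." statements
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
! 203.0.113.8/29 is a connected route, so the router ARPs for 203.0.113.11 on G0/0;
! the ASA answers that ARP itself (proxy ARP for its static NAT address).

! ---- Cisco ASA 5505, 8.3+ : all translation and filtering lives here ----
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.20.6 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
route inside 172.20.0.0 255.255.0.0 172.20.20.1 1     ! assumed inside summary
!
object network EXCHANGE
 host 172.20.20.25                                    ! assumed server address
 nat (inside,outside) static 203.0.113.11             ! one public IP for mail
!
object network INSIDE-NETS
 subnet 172.20.0.0 255.255.0.0                        ! assumed inside range
 nat (inside,outside) dynamic interface               ! outbound PAT on 203.0.113.10
!
! 8.3+: the ACL matches the real (untranslated) address, hence "object EXCHANGE"
access-list OUTSIDE-IN extended permit tcp any object EXCHANGE eq smtp
access-group OUTSIDE-IN in interface outside
```

To check it end to end on the ASA, `packet-tracer input outside tcp 198.51.100.50 1025 203.0.113.11 25` should end in ALLOW with a NAT phase showing the untranslation to 172.20.20.25; on the router, `show ip nat translations` should return nothing once the `ip nat` interface statements and source rules are gone. The variant where the ISP hands over only a single address (no routed block) cannot use a public transit subnet; the router then has to keep NAT and carry its own `ip nat inside source static tcp` entry chained in front of the ASA static, which is the double-NAT arrangement the accepted answer points to as the likely reason inbound SMTP is failing.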

Mike,

How did you get this to work? When I tried this setup

Router

G0/1 (inside network, to ASA): 10.16.1.100/24

G0/1: ISP

ASA

Outside interface: 10.16.1.101/24

Inside interface: 10.16.2.3/24

This connects to a 2960 switch.

I get an error about overlapping subnets.