cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4650
Views
4
Helpful
16
Replies

ASA5505 & Cisco Router 3825 - Double NAT w/ Port Forward

Techi3Rebel
Beginner
Beginner

I have been brainstorming over this for a few days and need help. This is my Cisco LAB environment used for study but also in production for daily use. I am trying to setup a double-NAT network with just one IP from my ISP through the ASA & 3825 going to (2) end nodes and multiple ports for port forwarding. It is currently working but only as simple PAT and I cannot initiate FTP from the outside. I know some may suggest removing the router, but this is my study LAB and it's a bit unconventional for learning purposes. I attached the diagram and would really appreciate it if you could provide some pointers, tips, parts of the config. I have done quite a bit of reading on different forums but cannot seem to grasp the concept. Thank you…MK_Double_NAT.jpg

16 Replies 16

Did you get this resolved. I think I have a simular problem in that I have an internal webserver that tries to send its responses to the original external source address rather than the LAN address of our ASA. Because we dont have any default routes on our core switches though the packets are just dropped rather than sent to the internal LAN of the ASA.

stevenmcconnell
Beginner
Beginner

I have double NAT running and working great, here is pretty much my running config from my Router 2821 and ASA 5505.

My setup.

ISP ----> 2821 -----> ASA5505 ------> FTP Server

CISCO ROUTER 2821;            Gi0/0 (ISP)        Gi0/1 (10.10.10.1)

interface GigabitEthernet0/1

description LAN-Internal

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex full

speed 100

ip nat inside source static tcp 192.168.1.6 21 interface GigabitEthernet0/0 21

S     192.168.1.0/24 [1/0] via 10.10.10.5

CiSCO ASA 5505 (routed mode)        (eth0/0) 10.10.10.5    (eth0/1) 192.168.1.1

(eth0/1)

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

(eth0/0)

interface Vlan11

description OutsideConnection

nameif outside

security-level 0

ip address 10.10.10.5 255.255.255.0

object network FTPSERVER

host 192.168.1.6

access-list outside_access_in extended permit tcp any object FTPSERVER eq ftp log debugging

object network FTP

nat (inside,outside) static FTPSERVER service tcp ftp ftp

CISCO 2960 Layer 2 only with several Vlans

FTP SERVER

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers