Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6222
Views
4
Helpful
16
Replies

ASA5505 & Cisco Router 3825 - Double NAT w/ Port Forward

Techi3Rebel
Level 1
Level 1

‎04-27-2013 06:07 AM - edited ‎03-04-2019 07:44 PM

I have been brainstorming over this for a few days and need help. This is my Cisco LAB environment used for study but also in production for daily use. I am trying to setup a double-NAT network with just one IP from my ISP through the ASA & 3825 going to (2) end nodes and multiple ports for port forwarding. It is currently working but only as simple PAT and I cannot initiate FTP from the outside. I know some may suggest removing the router, but this is my study LAB and it's a bit unconventional for learning purposes. I attached the diagram and would really appreciate it if you could provide some pointers, tips, parts of the config. I have done quite a bit of reading on different forums but cannot seem to grasp the concept. Thank you…MK_Double_NAT.jpg

Labels:
Preview file
110 KB
0 Helpful
16 Replies 16

Chris McCann
Level 1
Level 1
In response to Techi3Rebel

‎01-23-2014 05:56 AM

Did you get this resolved. I think I have a simular problem in that I have an internal webserver that tries to send its responses to the original external source address rather than the LAN address of our ASA. Because we dont have any default routes on our core switches though the packets are just dropped rather than sent to the internal LAN of the ASA.

0 Helpful

stevenmcconnell
Level 1
Level 1

‎01-23-2014 12:39 PM

I have double NAT running and working great, here is pretty much my running config from my Router 2821 and ASA 5505.

My setup.

ISP ----> 2821 -----> ASA5505 ------> FTP Server

CISCO ROUTER 2821;            Gi0/0 (ISP)        Gi0/1 (10.10.10.1)

interface GigabitEthernet0/1

description LAN-Internal

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex full

speed 100

ip nat inside source static tcp 192.168.1.6 21 interface GigabitEthernet0/0 21

S     192.168.1.0/24 [1/0] via 10.10.10.5

CiSCO ASA 5505 (routed mode)        (eth0/0) 10.10.10.5    (eth0/1) 192.168.1.1

(eth0/1)

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

(eth0/0)

interface Vlan11

description OutsideConnection

nameif outside

security-level 0

ip address 10.10.10.5 255.255.255.0

object network FTPSERVER

host 192.168.1.6

access-list outside_access_in extended permit tcp any object FTPSERVER eq ftp log debugging

object network FTP

nat (inside,outside) static FTPSERVER service tcp ftp ftp

CISCO 2960 Layer 2 only with several Vlans

FTP SERVER

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card