back to back firewall nat translation

Neil Haswell
Level 1

I have an ASA 5525 and a Cisco 887 router.

I want to lab out a scenario where I can test the NAT translations, specifically for FTP and WWW.

So I have a real external IP address where I telnet to port 80 for one web server and port 21 to a different one,

in the hope that the 887 will translate that to an IP in the 3750, which is then connected to the 5525 with another LAN behind it.

Let's say my real external IP is 9.9.9.9/30; the Cisco 887 is configured to translate that inside.

ip nat inside source static tcp 8.8.8.1 23 interface Dialer1 21

ip nat inside source static tcp 8.8.8.2 80 interface Dialer1 80

Then I have another VLAN SVI network inside my 3750 layer 3 switch running EIGRP of 8.8.8.0/29, which is my pretend address (I have actually used the ISP's real address internally for testing purposes, but it is not advertised outside).

So that means the outside interface of the 5525 is 8.8.8.1,

the internal interface is 10.1.1.1/24,

and the clients are at 10.1.1.10 and 10.1.1.20.

So I want to be able to telnet from the REAL internet on port 21 and hit 10.1.1.10 port 21, and hit 10.1.1.20 on port 80.

So the translation to the actual interface on the outside of the 5525 works, but when I use another address in the 8.8.8.0/29 network it doesn't.

I have objects created in the ASA for 8.8.8.1 and 8.8.8.2.

Any ideas what sort of config I need on the 5525 to get this to accept a translation from something other than the outside interface?

I have firewall rules of any/any.

This is version 9.1.
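For the ASA side of this lab, an added example (not from the thread or from Cisco) of ASA 9.1 object NAT that lets the outside interface answer for 8.8.8.2 as well as for its own address, with the checks that show which failover unit actually holds the config. It assumes the interfaces are named inside/outside, that port 21 on 8.8.8.1 should reach the FTP host 10.1.1.10, and the object names are made up.

```cisco
! Added example, not from the thread: ASA 9.1 object NAT for the lab above.
! Real hosts sit behind inside (10.1.1.0/24); mapped addresses are in the
! 8.8.8.0/29 that the 887 forwards toward the 3750/ASA. Object names assumed.
!
! Port 21 on the outside interface address (8.8.8.1) goes to the FTP host.
! "interface" keeps the mapping tied to whatever address outside holds.
object network FTP-SERVER
 host 10.1.1.10
 nat (inside,outside) static interface service tcp ftp ftp
!
! Port 80 on 8.8.8.2 (not an interface address) goes to the web host.
! The ASA proxy-ARPs for 8.8.8.2 on outside because the mapped address is
! on the outside subnet, so the 887 needs no extra route for it.
object network WEB-SERVER
 host 10.1.1.20
 nat (inside,outside) static 8.8.8.2 service tcp www www
!
! From 8.3 onward the outside ACL matches the real (post-NAT) address,
! so permit the inside hosts, not 8.8.8.x. This replaces the any/any rule
! with only the two services that were meant to be reachable.
access-list OUTSIDE_IN extended permit tcp any object FTP-SERVER eq ftp
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq www
access-group OUTSIDE_IN in interface outside
!
! Checks. On a failover pair, run these on the ACTIVE unit: config entered
! on the unit that is not forwarding packets never shows up in the path
! (the root cause reported later in this thread).
show failover | include This host
show running-config nat
show nat detail
! Simulated inbound hit on the non-interface mapped address (sample source IP).
packet-tracer input outside tcp 203.0.113.5 40000 8.8.8.2 80
show xlate
```

If packet-tracer stops at the NAT or ACL phase, the rule is missing on that unit or the ACL still references the mapped address instead of the real host.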

 

2 Replies

Reza Sharifi
Hall of Fame

How about if you assign a prefix-length to the public IP range?

Something like this:

ip nat pool test 8.8.8.0 8.8.8.6 prefix-length 29

ip nat inside source list 10 pool test

access-list 10 permit host 10.1.1.10

access-list 10 permit host 10.1.1.20

HTH

OK, so it is good not to skip parts of a FW build.

I was having difficulty with HA replication and lost interest in getting that working, so I moved on to the firewall rule part, which was bailing out on me.

So I went back to the config and I couldn't work out why, when I wrote the rule either in the CLI or in the ASDM, it didn't actually appear in the config.

It would appear that my lack of replication between the two firewalls was the issue. I was writing the config on the firewall that wasn't participating in dealing with the packets.

Once I had fixed the active/active replication the issue went away and I could create rules and test well.

So the moral of the story is not to skip parts of a FW build-out...

Thanks for your suggestions.

 
