DMZ Server not getting connection using CISCO Router

zhd27

Network scenario: ISP > Cisco Router > Cisco FTD > Core SW > Access SW > Server

We have two public IP blocks, 203.76.64.16/28 and 203.76.64.64/26. Only 203.76.64.19 is at my end, and 203.76.64.64/26 is used only for one-to-one NAT in the FTD for a few of my servers. If I use the ACL below, after configuration I am not getting the server:

ip access-list extended AGNI-ISP
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any

But if I use

ip access-list extended AGNI-ISP
 permit ip any any

then I am getting the server, but the server's one-to-one NAT IP is changed to 203.76.64.23, where it should be 203.76.64.105 as NATed in the FTD. The same happens for all servers.

Note: when the server is not reachable, a traceroute from the server drops at 192.168.222.3, which is my router interface Gi0/4; the FTD end IP is 192.168.222.4.

Here is my configuration:

================

ASA-CORE-RTR-PRIMARY#sh run
Building configuration...

Current configuration : 6869 bytes
!
! Last configuration change at 06:35:46 GMT Sat Dec 6 2025 by ASA
! NVRAM config last updated at 05:09:10 GMT Sat Dec 6 2025 by ASA
!
version 16.5
service timestamps debug datetime msec
service timestamps log datetime msec
service unsupported-transceiver
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ASA-CORE-RTR-PRIMARY
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret xxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa session-id common
!
aaa session-id common
clock timezone GMT 6 0
!
ip name-server 8.8.8.8

ip domain name xxxxx.gov.org
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2154142235
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2154142235
revocation-check none
rsakeypair TP-self-signed-2154142235
!
!
crypto pki certificate chain TP-self-signed-2154142235
certificate self-signed 01
quit
!
license udi pid ASR1001-X sn JAE21390HM9
archive
path tftp://172.16.1.64/Backup-$h
write-memory
!
spanning-tree extend system-id
diagnostic bootup level minimal
!
!
username ASA privilege 15 secret xxxxxxxxxxxxxxxxxxx
username xxxxx password 0 xxxxxxxxxxxxx
!
redundancy
mode none
!
!
cdp run
!
interface TenGigabitEthernet0/0/0
ip address 172.16.10.1 255.255.255.0
shutdown
!
interface TenGigabitEthernet0/0/1
no ip address
shutdown
!
interface GigabitEthernet0/0/0
description ***CONNECTED-TO-BTCL-ISP***
ip address 203.76.65.3 255.255.255.240
ip nat outside
shutdown
negotiation auto
cdp enable
!
interface GigabitEthernet0/0/1
description ***CONNECTED-TO-LINK-3-ISP***
ip address 203.76.64.19 255.255.255.240
ip nat outside
negotiation auto
cdp enable
!
interface GigabitEthernet0/0/2
description ***CONNECTED TO WG-1 GIG0/1 TO ESTABLISH CONNECTIVITY TO FW***
ip address 192.168.111.9 255.255.255.252
ip nat inside
negotiation auto
cdp enable
no mop enabled
!
interface GigabitEthernet0/0/3
description to_sec_firewall_port4
no ip address
negotiation auto
cdp enable
service instance 100 ethernet
encapsulation untagged
bridge-domain 100
!
!
interface GigabitEthernet0/0/4
description ***CONNECTED TO WG-1 eth4 TO ESTABLISH CONNECTIVITY TO FW***
ip address 192.168.222.3 255.255.255.248
ip nat inside
negotiation auto
cdp enable
!
interface GigabitEthernet0/0/5
description ***TO-WG1-1/0/4-TO-FORTINET***
ip address 10.10.10.2 255.255.255.248
ip nat inside
negotiation auto
cdp enable
!
interface GigabitEthernet0
description "MGMT"
vrf forwarding Mgmt-intf
ip address 192.168.200.229 255.255.255.0
negotiation auto
!
interface BDI100
description ***CONNECTED TO WG-1 eth4 TO ESTABLISH CONNECTIVITY TO FW***
no ip address
ip nat inside
ip policy route-map ASA-LAN
shutdown
cdp enable
!
ip nat translation timeout 300
ip nat translation tcp-timeout 14400
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat pool AGNI-POOL 203.76.64.23 203.76.64.25 netmask 255.255.255.240
ip nat inside source list AGNI-ISP pool AGNI-POOL overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip dns server
ip route 0.0.0.0 0.0.0.0 203.76.64.17
ip route 4.2.2.2 255.255.255.255 203.76.64.17
ip route 72.163.4.185 255.255.255.255 203.76.64.17
ip route 203.76.64.64 255.255.255.192 192.168.222.4
ip route 203.76.64.128 255.255.255.248 192.168.222.4
ip route 172.16.1.0 255.255.255.0 192.168.222.4
ip route 172.16.2.0 255.255.255.0 192.168.222.4
ip route 172.16.3.0 255.255.255.0 10.10.10.4
ip route 172.16.7.0 255.255.255.0 192.168.111.4
ip route 172.16.8.0 255.255.255.0 192.168.111.4
ip route 172.16.11.0 255.255.255.0 192.168.111.4
ip route 192.168.0.0 255.255.0.0 192.168.222.4
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.200.1
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended AGNI-ISP
permit ip 192.168.0.0 0.0.255.255 any
permit ip 172.16.0.0 0.0.255.255 any
!
!
!
snmp-server community xxxxxxxxx RW
snmp-server enable traps config
snmp-server enable traps diameter
snmp-server host 172.16.1.44 version 2c xxxxxxxxxxxx
!
control-plane
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
logging synchronous
transport input ssh
transport output ssh
line vty 5 15
logging synchronous
transport input ssh
transport output ssh
!
no network-clock synchronization automatic
ntp master 2
!
end

ASA-CORE-RTR-PRIMARY#
Note: My intention is that all traffic will be NATed except the server IPs, i.e. the server subnet 172.16.3.0/24.

1 Reply

The issue is happening because your NAT ACL is matching internal subnets too broadly, so when you permit only specific RFC1918 ranges, traffic destined for the FTD one-to-one NAT pool isn’t matching correctly and gets dropped at Gi0/4. When you allow permit ip any any, NAT works, but overloads from the wrong pool, causing public IPs to shift. To fix this, explicitly deny the server subnet (172.16.3.0/24) at the top of the NAT ACL, then permit the remaining internal networks. This ensures server traffic bypasses NAT while all other traffic is translated correctly and reaches the FTD as intended.
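An added model (not from this thread or from Cisco) of how IOS walks a NAT ACL for `ip nat inside source list ... pool ... overload`: top-down, first match wins, and a packet with no match is left untranslated (implicit deny). It compares the three ACL variants discussed above against constructed sample sources, including a server address that the FTD has already translated to 203.76.64.105; the source addresses and the `to_ios` helper are assumptions for illustration.

```python
import ipaddress

# ACL entries are (action, network, wildcard) in IOS order; "any" needs no wildcard.
ORIGINAL = [("permit", "192.168.0.0", "0.0.255.255"),
            ("permit", "172.16.0.0", "0.0.255.255")]
ANY_ANY = [("permit", "any", None)]
# The reply's fix: deny the server subnet first, then permit the rest.
FIXED = [("deny", "172.16.3.0", "0.0.0.255")] + ORIGINAL

# Constructed sample sources as the router sees them on its inside interfaces.
SAMPLE_SOURCES = {
    "user PC": "192.168.10.5",
    "server, untranslated": "172.16.3.10",
    "server, already NATed by FTD": "203.76.64.105",
}

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def nat_decision(acl, src: str) -> str:
    """Return 'translate' if the NAT ACL permits src, else 'pass' (untranslated)."""
    for action, net, wc in acl:
        if net == "any" or wildcard_match(src, net, wc):
            return "translate" if action == "permit" else "pass"
    return "pass"  # implicit deny at the end of every IOS ACL

def to_ios(acl, name: str = "AGNI-ISP") -> list:
    """Render the entry list as IOS configuration lines."""
    lines = [f"ip access-list extended {name}"]
    for action, net, wc in acl:
        lines.append(f" {action} ip any any" if net == "any" else f" {action} ip {net} {wc} any")
    return lines

def compare() -> dict:
    """Decision table: which sources each ACL variant would send through the overload pool."""
    return {label: {who: nat_decision(acl, ip) for who, ip in SAMPLE_SOURCES.items()}
            for label, acl in (("original", ORIGINAL), ("any any", ANY_ANY), ("fixed", FIXED))}

if __name__ == "__main__":
    for label, table in compare().items():
        print(label, table)
    print("\n".join(to_ios(FIXED)))
```

The "any any" row shows why the FTD's one-to-one address 203.76.64.105 was rewritten to the pool address: it is matched like everything else, while the fixed ACL leaves both the server subnet and the already-translated address alone.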