
01-29-2014 07:07 AM - edited 03-04-2019 10:11 PM
Hello guys!
I need help with this issue... look:
We got a new IP block... just the block, it is not a new circuit, ok..
So, the ISP routed the new block to my router... and now I have the old circuit block and I have the new block...
On eth1, I have an IP in the old block... So, I configured a secondary IP on this interface with the new block..
It is working great.. I can ping and ssh to both IPs...
The router is mine... and now I need to pass this new block to my firewall ASA...
For example, if I try telnet 200.200.200.100 80 (range of the new IP block), I need it to go to my firewall ASA...
What do I need to do on my router?
Thanks,
Diego
01-29-2014 07:17 AM
Diego
Is eth1 the interface used to connect to the ISP?
If so, what is the IP addressing used on the link from the router to the ASA?
Where do you want to do the NAT for the new block?
If it is on the ASA then you can't use a secondary IP on the eth1 interface, assuming that is the interface connecting to the ISP.
Jon
01-29-2014 07:37 AM
Hello Jon, thanks for answering!
eth0 is the interface connected to the ISP, a /30 network...
eth1 is the interface with the old block... a /29
The ASA has an IP inside the eth1 block (old block).
The next hop from the ISP is my router... So, to reach the new block, the ISP configured it to arrive at my router.. It is working, I can see it by traceroute, and I configured an IP on the router's eth1 interface. It is working..
But I need this new block to be sent to the firewall ASA... the new block and the old one are designated to the same gateway...
I have the same thing configured in my other environment... but in that environment the router is not mine, it is the ISP's, and they configured the new block to my ASA... I did not do anything... they just configured the router to send it to the ASA...
01-29-2014 07:43 AM (Accepted Solution)
Diego
Assuming you want to do the NAT on the ASA, you do not need a secondary address on eth1. You just add a route on your router, e.g. -
ip route
then you can simply use the new block for NAT. You do not need to assign any physical interfaces on either the router or the ASA for this new block; you just need to make sure it is routed to your ASA outside interface. And as long as the ISP is routing the new block to the router outside interface (which you say they are) then it should all work fine.
Jon
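The setup Jon describes, written out as an added example (not configuration from the thread). Every address here is assumed: the ISP /30 is 203.0.113.0/30, the old /29 on eth1 is 198.51.100.0/29 with the ASA outside at 198.51.100.2, and the new block is 200.200.200.96/28 (so that the 200.200.200.100 from the question falls in it). The inside server 10.0.0.10 is also assumed. The ASA side uses 8.2 syntax, matching the version mentioned later in the thread.

```cisco
! ---- Router (IOS) ----
! eth0: link to the ISP. The ISP already routes 200.200.200.96/28 to this router.
interface Ethernet0
 ip address 203.0.113.2 255.255.255.252
!
! eth1: old /29 toward the ASA. The router keeps ONLY its old-block address here.
! Do not add "ip address 200.200.200.97 255.255.255.240 secondary": that creates
! a connected route for the /28, which wins over the static route below, so the
! router treats the whole new block as local instead of forwarding it to the ASA.
interface Ethernet1
 ip address 198.51.100.1 255.255.255.248
!
! Default toward the ISP, and the new block toward the ASA outside address.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 200.200.200.96 255.255.255.240 198.51.100.2
!
! Check: this must show the static route via 198.51.100.2, not "directly connected".
!   show ip route 200.200.200.100
!
! ---- ASA (8.2 syntax) ----
! No ASA interface carries the new block; it appears only in NAT and the ACL.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1
!
! Publish the inside server on an address from the new block. Pre-8.3 ACLs
! match the mapped (public) address, so the ACL also names 200.200.200.100.
static (inside,outside) 200.200.200.100 10.0.0.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 200.200.200.100 eq 80
access-group outside_in in interface outside
```

Only the router needs to know where the block lives (the single static route); the ASA just translates addresses it never owns on an interface, which is why neither device needs an interface in the new range.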
01-29-2014 07:58 AM
Oh yeah, great!
I had configured the secondary IP, like I said.....
And I had configured a route, look:
ip route new_block 255.255.255.240 ASA_IP
And now I removed the secondary IP (like you told me) and I can see all traffic to the new block going to the ASA...
Thanks a lot, Jon!!!
Just to understand... because I had configured that IP, the traffic for the block couldn't be forwarded to the firewall?
And now I have this on the router:
ip route 0.0.0.0 0.0.0.0 IP_/30_ISP
ip route new_block 255.255.255.240 ASA_IP
Thanks a lot, Jon
Diego
01-29-2014 08:02 AM
Diego
Just to understand... because I had configured that IP, the traffic for the block couldn't be forwarded to the firewall?
Pretty much, yes. The router didn't forward the traffic because it thought it was local to the router, so it ignored the route.
Glad to have helped.
Jon
02-05-2014 04:23 PM
Hello Jon,
One more question, please...
Is it possible to enable ping to the new_block addresses?
When I try, it shows TTL expired.. for all IPs that I forward from the router to the ASA...
NAT is working very well, but I wanted to enable ping...
I have inspection on the ASA... I have icmp allowed in the ACL.... but I don't have any option to NAT the icmp to the private network...
I already have ICMP allowed in Management Access!
Thanks again!
Diego
02-05-2014 04:29 PM
Hmm... I noticed that when I create a PAT, ping does not respond....
I created a real NAT (not PAT) and it started working...
But is it possible to keep the PAT and allow ping?
Diego
02-05-2014 04:32 PM
Diego
Can you clarify where you are pinging from in relation to the firewall interfaces?
Using a static NAT would make it work and you could then ping through the firewall, but it's not entirely clear which way you want to ping.
Jon
02-05-2014 04:40 PM
Yeah, from outside.. I'm using static NAT...
But I think that because my version is older (8.2(2)12) I do not have ICMP, just TCP and UDP, to translate in the static NAT, because I enable PAT and I need to set the ports, TCP or UDP...
I think the best way is to configure a static NAT, without PAT, 1 to 1, and work with ACLs... right?
Or upgrade to a newer version that comes with more features for NAT.
Do you agree?
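The two ASA 8.2 variants Diego is comparing, side by side, as an added example that is not configuration from the thread. Addresses are assumed as in the earlier example: mapped address 200.200.200.100 from the new block, inside host 10.0.0.10, ACL outside_in applied on the outside interface. The point it shows: a static PAT entry translates only the TCP/UDP ports it names, so an ICMP echo to the mapped address has no translation at all, while a one-to-one static translates every protocol and leaves the ACL to decide what is allowed.

```cisco
! ---- Variant A: static PAT (port-only) ----
! Only TCP/80 and TCP/443 on 200.200.200.100 are translated to 10.0.0.10.
! An ICMP echo to 200.200.200.100 matches no xlate. The ASA has no interface in
! the new block, so its only route for that address is the default back to the
! router, which routes it to the ASA again: consistent with the "TTL expired"
! seen in the thread.
static (inside,outside) tcp 200.200.200.100 80 10.0.0.10 80 netmask 255.255.255.255
static (inside,outside) tcp 200.200.200.100 443 10.0.0.10 443 netmask 255.255.255.255
!
! ---- Variant B: one-to-one static NAT ----
! Replaces the port-level entries. Every protocol sent to 200.200.200.100 is
! now translated, including ICMP; exposure is then controlled by the ACL.
no static (inside,outside) tcp 200.200.200.100 80 10.0.0.10 80 netmask 255.255.255.255
no static (inside,outside) tcp 200.200.200.100 443 10.0.0.10 443 netmask 255.255.255.255
static (inside,outside) 200.200.200.100 10.0.0.10 netmask 255.255.255.255
!
! Pre-8.3 ACLs match the mapped address. Permit only the services you publish
! plus echo requests; do not "permit ip any host" just to get ping working.
access-list outside_in extended permit tcp any host 200.200.200.100 eq 80
access-list outside_in extended permit tcp any host 200.200.200.100 eq 443
access-list outside_in extended permit icmp any host 200.200.200.100 echo
access-group outside_in in interface outside
!
! ICMP inspection tracks echo/echo-reply as a session, so the reply from
! 10.0.0.10 is allowed back out without a separate outbound rule.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Checks (assumed test source 203.0.113.50):
!   show xlate                       -> expect 200.200.200.100 <-> 10.0.0.10
!   packet-tracer input outside icmp 203.0.113.50 8 0 200.200.200.100
```

If the inside host must stay reachable only on specific ports, variant B with a tight ACL is the way to have both: the one-to-one static provides the ICMP translation, and the ACL restricts everything else to the published TCP ports.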
