How to redirect traffic from router to firewall

Hello guys!!!

I need help with this issue... look:

We got a new IP block... just the block, it is not a new circuit, ok..

So, the ISP, routed the new block to my router... and now, I have the old circuit block and I have the new block...

On eth1, I have an IP in the old block... So, I configured a secondary IP on this eth with the new block..

It is working great.. I can ping, ssh for both IPs...

The router is mine... and now, I need to pass this new block to my firewall ASA...

For example, if I try telnet 200.200.200.100 80 (range of new IP block) I need that it goes to my firewall ASA...

What do I need to do on my router?

Thanks,

Diego

9 Replies

Jon Marshall (Hall of Fame)

Diego

Is eth1 the interface used to connect to the ISP ?

If so what is the IP addressing used on the link from the router to the ASA ?

Where do you want to do the NAT for the new block ?

If it is on the ASA then you can't use a secondary IP on the eth1 interface assuming that is the interface connecting to the ISP.

Jon

Hello Jon, thanks for the answer!

eth0 is the eth connected with the ISP, a /30 network...

eth1 is the eth with the old block... /29

ASA has an IP inside the eth1 block (old block)

The next hop from the ISP is to my router... So, to reach the new block, the ISP configured it to arrive at my router.. It is working, I can see it by traceroute, and I configured an IP in the router's eth1 interface. It is working..

But I need this new block to be sent to the firewall ASA... the new block and the old one are designated to the same gateway...

I have the same thing configured in my other environment... but in that environment, the router is not mine, it is the ISP's, and they configured the new block to my ASA... I did not do anything... they just configured the router to send it to the ASA...

Diego

Assuming you want to do the NAT on the ASA you do not need a secondary address on eth1. You just add a route on your router eg. -

ip route

then you can simply use the new block for NAT. You do not need to assign any physical interfaces on either the router or the ASA for this new block you just need to make sure it is routed to your ASA outside interface.  And as long as the ISP is routing the new block to the router outside interface (which you say they are) then it should all work fine.

Jon

Oh yeahhhh, great

I had configured the secondary IP, like I said.....

And I had configured a route, look:

ip route new_block 255.255.255.240 ASA_IP

And now, I removed the secondary IP (like you told me) and now I can see all traffic to the new block going to the ASA...

Thanks a lot Jon!!!

Just to understand... because I had configured that IP, the traffic of the block couldn't be forwarded to the firewall?

and now, I have it on the router:

ip route 0.0.0.0 0.0.0.0 IP_/30_ISP

ip route new_block 255.255.255.240 ASA_IP

Thanks a lot Jon

Diego

Diego

Just to understand... because I had configured that IP, the traffic of the block couldn't be forwarded to the firewall?

Pretty much yes, the router didn't forward the traffic because it thought it was local to the router so it ignored the route.

Glad to have helped.

Jon
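To make Jon's explanation concrete, here is an added example (not Jon's or Diego's configuration, and not Cisco code) that simulates the router's forwarding decision. It models the two rules that matter here: longest prefix match first, then lowest administrative distance (connected = 0, static = 1). With the secondary IP on eth1, the new block appears as a connected network and the static route toward the ASA is never used; without it, the static route wins. The addresses, the /28 mask (255.255.255.240 from the thread) and the labels ISP_/30 and ASA_IP are constructed placeholders.

```python
import ipaddress

# Cisco-style administrative distances (lower is preferred)
CONNECTED_AD = 0   # directly connected network (interface address, primary or secondary)
STATIC_AD = 1      # "ip route ..." static route

# Constructed placeholder for the thread's new_block; mask 255.255.255.240 == /28
NEW_BLOCK = ipaddress.ip_network("200.200.200.96/28")


def build_table(secondary_ip_on_eth1: bool):
    """Return a routing table as (prefix, admin_distance, next_hop) tuples.

    Mirrors the router in the thread: a default route to the ISP /30 and a
    static route for the new block pointing at the ASA.  When the secondary
    IP is configured on eth1, IOS also installs a connected route for the
    same /28, which is what shadows the static route.
    """
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), STATIC_AD, "via ISP_/30"),  # ip route 0.0.0.0 0.0.0.0 IP_/30_ISP
        (NEW_BLOCK, STATIC_AD, "via ASA_IP"),                           # ip route new_block 255.255.255.240 ASA_IP
    ]
    if secondary_ip_on_eth1:
        # "ip address 200.200.200.97 255.255.255.240 secondary" on eth1 (constructed)
        table.append((NEW_BLOCK, CONNECTED_AD, "connected eth1"))
    return table


def lookup(table, destination: str) -> str:
    """Pick the forwarding entry for a destination.

    Longest prefix length wins; among equal prefix lengths the entry with the
    lowest administrative distance wins, exactly why a connected /28 beats a
    static /28 for the same block.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [entry for entry in table if dst in entry[0]]
    if not candidates:
        raise LookupError(f"no route to {destination}")
    best = max(candidates, key=lambda e: (e[0].prefixlen, -e[1]))
    return best[2]


if __name__ == "__main__":
    target = "200.200.200.100"  # an address inside the new block (constructed)
    print("with secondary IP on eth1:", lookup(build_table(True), target))
    print("after removing it:        ", lookup(build_table(False), target))
    print("unrelated destination:    ", lookup(build_table(False), "8.8.8.8"))
```

With the secondary address present the lookup returns "connected eth1", so the router answers ARP for the block itself and never hands the packet to the ASA; removing the address leaves only the static entry, and traffic for the block is forwarded to ASA_IP as intended.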

Hello Jon,

One more question, please...

Is it possible to enable ping to the new_block addresses?

When I try it shows TTL expired.. for all IPs that I forward from the router to the ASA...

NAT is working very well, but I wanted to enable ping...

I have the inspection on the ASA... I have ICMP allowed in the ACL.... but I don't have any option to NAT the ICMP to the private network...

I already have the ICMP allowed in the Management Access!

Thanks again!

Diego

Hum... I noticed that when I create a PAT, ping does not respond....

I created a real NAT (not PAT) and it started working...

But is it possible to keep the PAT and allow ping?

Diego

Diego

Can you clarify where you are pinging from in relation to the firewall interfaces ?

Using a static NAT would make it work and you could then ping through the firewall but it's not entirely clear which way you want to ping.

Jon

Yeah, outside.. I'm using static NAT...

But I think that because my version is older (8.2(2)12) I do not have ICMP, just TCP and UDP, to translate in the static NAT, because I enable PAT and I need to set the ports, TCP or UDP...

I think the best way is to configure a static NAT, without PAT, 1 to 1, and work with ACLs... right?

Or upgrade to a newer version that comes with more features for NAT

Do you agree?
