09-10-2010 12:18 AM - edited 03-04-2019 09:43 AM
Would someone be able to guide me in the right direction? We have a client who wishes to use 2 x Cisco ASA 5510 Firewalls in a two tier setup.
The internet goes live on the site on Monday and I would really appreciate some help with NATing from a Public IP to the Internal Exchange Server as we need to go across two firewalls.
I have been reading up on this over the last few days, but cannot seem to find any real information about my scenario. Would I be looking at using Static NAT with Route Maps or Policy NAT?
We have implemented EIGRP Routing Protocol on:
- 0.0.100.0/24
- 0.0.230/0.24
As this is in a test environment, I have applied Access Lists to the Outside and Inside Interfaces which allow ICMP Any Any and IP Any Any. These will be locked down when I get the NAT working.
Any help or guidance would really be appreciated.
09-10-2010 01:29 AM
craigie1977 wrote:
Would someone be able to guide me in the right direction? We have a client who wishes to use 2 x Cisco ASA 5510 Firewalls in a two tier setup.
The internet goes live on the site on Monday and I would really appreciate some help with NATing from a Public IP to the Internal Exchange Server as we need to go across two firewalls.
Below is a sample of the network:
I have been reading up on this over the last few days, but cannot seem to find any real information about my scenario. Would I be looking at using Static NAT with Route Maps or Policy NAT?
We have implemented EIGRP Routing Protocol on:
- 192.168.100.0/24
- 10.137.230/0.24
As this is in a test environment, I have applied Access Lists to the Outside and Inside Interfaces which allow ICMP Any Any and IP Any Any. These will be locked down when I get the NAT working.
Any help or guidance would really be appreciated.
Craig
If I understand your question, then you don't need policy NAT; you simply add a NAT rule to each ASA, i.e.
static (inside,outside)
static (inside,outside)
Jon
09-10-2010 08:17 AM
Thanks Joe, can I just confirm the following please:
Sorry for all the questions, but normally we install a couple of ASAs in Active/Passive failover with VPN site-to-site links, DMZ, etc., but this is something that I haven't tackled before.
09-10-2010 12:08 PM
Craig
No problem with the questions.
1) Your statics, e.g.:
static (inside,outside) 109.174.146.146 192.168.100.252 netmask 255.255.255.255 <-- Internet Facing Firewall
static (inside,outside) 192.168.100.252 10.137.230.20 netmask 255.255.255.255 <-- LAN Firewall
Yes, this would work fine if you want to present your internal 10.137.230.x addresses as 192.168.100.x addressing in the DMZ. I have done a 2 tier setup before and we just presented the internal addresses as themselves to the DMZ, i.e. see my previous post, but there is no problem doing what you are doing.
2) VPN - Depends on where you are NATing the internal clients going outbound to the internet. If you aren't NATing source IPs on the internal firewall going outbound then I can't see that you would need to do NAT exemption on that firewall. You only need NAT exemption where the IPs would be changed.
Jon
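An added example (not part of the thread and not Cisco tooling): a Python sketch that parses the two pre-8.3 `static` statements quoted in the answer above and traces an inbound destination through both tiers, failing if the address the outer firewall translates to is not one the inner firewall has a static for. The names `TIERS`, `parse_statics` and `trace_inbound` are assumptions made for this illustration, and only host (255.255.255.255) statics are handled.

```python
import ipaddress
import re

# Pre-8.3 ASA syntax as used in the thread:
#   static (real_if,mapped_if) <mapped_ip> <real_ip> netmask <mask>
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")

# The two statics quoted in the thread, outermost firewall first.
TIERS = [
    ("internet-facing",
     "static (inside,outside) 109.174.146.146 192.168.100.252 netmask 255.255.255.255"),
    ("lan",
     "static (inside,outside) 192.168.100.252 10.137.230.20 netmask 255.255.255.255"),
]

def parse_statics(config):
    """Return {mapped_ip: real_ip} for every host static in a config."""
    table = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mapped, real, mask = m.group(3), m.group(4), m.group(5)
        if mask != "255.255.255.255":
            continue  # this sketch handles host statics only
        table[ipaddress.ip_address(mapped)] = ipaddress.ip_address(real)
    return table

def trace_inbound(dest, tiers):
    """Follow an inbound destination through each tier, outermost first.

    Returns (final_real_ip, hops); raises LookupError at the first tier
    that has no static for the address handed to it by the previous tier.
    """
    addr = ipaddress.ip_address(dest)
    hops = []
    for name, config in tiers:
        table = parse_statics(config)
        if addr not in table:
            raise LookupError(f"{name}: no static maps {addr}; chain is broken here")
        hops.append((name, str(addr), str(table[addr])))
        addr = table[addr]
    return str(addr), hops
```

The same trace also covers the alternative mentioned in the answer, where the inner firewall presents 10.137.230.20 as itself: the inner static then has identical mapped and real addresses and the outer static points at 10.137.230.20 directly.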
09-10-2010 12:58 PM
Thanks for the answer mate, much appreciated.