cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3339
Views
0
Helpful
4
Replies

NAT Across Two ASA 5510 Firewalls

craigie1977
Level 1
Level 1

Would someone be able to guide me in the right direction, we have a client who wishes to use 2 x Cisco ASA 5510 Firewalls in a two tier setup.

The internet goes live on the site on Monday and I would really appreciate some help with NATing from a Public IP to the Internal Exchange Server as we need to go across two firewalls.

I have been reading up on this over the last few days, but cannot seem to find any real information about my scenario.  Would I be looking at using Static NAT with Route Maps or Policy NAT?

We have implemented EIGRP Routing Protocol on:

- 0.0.100.0/24

- 0.0.230/0.24

As this is in a test environment, I have applied Access Lists to the Outside and Inside Interfaces which allow ICMP Any Any and IP Any Any.  These will be locked down when I get the NAT working.

Any help or guidance would really be appreciated.

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame
Hall of Fame

Craig

No problem with the questions.

1) you statics eg -

static (inside,outside) 109.174.146.146 192.168.100.252 netmask 255.255.255.255 <-- Internet Facing Firewall

static (inside,outside) 192.168.100.252 10.137.230.20 netmask 255.255.255.255 <-- LAN Firewall

yes this would work fine. if you want to present your internal 10.137.230.x addresses as 192.168.100.x addressing in the DMZ. I have done a 2 tier setup before and we just presented the internal addresses as themselves to the DMZ ie. see my previous post, but there is no problem doing what you are doing.

2) VPN -  Depends on where you are Natting the internal clients going outbound to the internet. If you aren't natting source IPs on the internal firewall going outbound then i can't see that you would need to do NAT exemption on that firewall. You only need NAT exemption where the IPs would be changed.

Jon

View solution in original post

4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

craigie1977 wrote:

Would someone be able to guide me in the right direction, we have a client who wishes to use 2 x Cisco ASA 5510 Firewalls in a two tier setup.

The internet goes live on the site on Monday and I would really appreciate some help with NATing from a Public IP to the Internal Exchange Server as we need to go across two firewalls.

Below is a sample of the network:

I have been reading up on this over the last few days, but cannot seem to find any real information about my scenario.  Would I be looking at using Static NAT with Route Maps or Policy NAT?

We have implemented EIGRP Routing Protocol on:

- 192.168.100.0/24

- 10.137.230/0.24

As this is in a test environment, I have applied Access Lists to the Outside and Inside Interfaces which allow ICMP Any Any and IP Any Any.  These will be locked down when I get the NAT working.

Any help or guidance would really be appreciated.


Craig

If i understand your question then you don't need policy NAT you simply add a NAT rule to each ASA ie.

static (inside,outside) netmask 255.255.255.255 <-- this goes on the internet facing firewall

static (inside,outside) netmask 255.255.255.255 <-- this on the inside firewall

Jon

Thanks Joe, can I just confirm the following please:

Sorry for all the questions, but normally we install a couple of ASA's in Active/Passive failover with VPN site to site links, DMZ, etc but this is something that I haven't tackled before.

Jon Marshall
Hall of Fame
Hall of Fame

Craig

No problem with the questions.

1) you statics eg -

static (inside,outside) 109.174.146.146 192.168.100.252 netmask 255.255.255.255 <-- Internet Facing Firewall

static (inside,outside) 192.168.100.252 10.137.230.20 netmask 255.255.255.255 <-- LAN Firewall

yes this would work fine. if you want to present your internal 10.137.230.x addresses as 192.168.100.x addressing in the DMZ. I have done a 2 tier setup before and we just presented the internal addresses as themselves to the DMZ ie. see my previous post, but there is no problem doing what you are doing.

2) VPN -  Depends on where you are Natting the internal clients going outbound to the internet. If you aren't natting source IPs on the internal firewall going outbound then i can't see that you would need to do NAT exemption on that firewall. You only need NAT exemption where the IPs would be changed.

Jon

Thanks for the answer mate, much appreciated.

Review Cisco Networking for a $25 gift card