02-21-2016 08:27 AM - edited 03-05-2019 03:23 AM
Trying to add an ASA, but I am running into a roadblock, probably a NAT and PAT issue. The router is Internet accessible, with NAT and PAT on the necessary interfaces. All instructions for setting up the ASA say I need to set up NAT on the outside interface, but is that the case when the router is doing that? Please help get this ASA accessible to the Internet. What am I doing wrong?
02-21-2016 07:42 PM
As a test, what happens if you replace the ASA with a laptop set to the 10.165.200.226 address? Can that get Internet access? If so, let's have a look at the ASA config.
regards
Richard.
02-21-2016 08:56 PM
Richard,
I tried that test and I am unable to get Internet access. I can ping the internet interface but that's it.
02-21-2016 10:00 PM
On the router I don't see a route back to the 10.1.1.0 network:
ip route 10.1.1.0 255.255.255.0 10.165.200.226
What is your ASA config? You don't really need NAT on the ASA.
02-21-2016 10:05 PM
Just noticed your router configuration does not match your diagram. The 10.1.1.0 network is on interface gi0/1, so where does the ASA come into the picture? Is the gateway for the 10.1.1.0 network the ASA or the router?
02-21-2016 11:05 PM
02-21-2016 07:52 PM
Hello Spacecage,
What public address are you NAT-ing with? What I am trying to say is, is the NAT configuration in the ASA referencing a pool of public addresses or any specific interfaces?
What I see is a possibility that end users are not even getting NAT'ed.
02-21-2016 09:01 PM
No, I'm not using NAT with a public IP, but I am saying that when I set the router up for Internet I recall setting up NAT on the router's outside interface g0/0, and I wondered whether setting up NAT on the ASA would conflict.
02-21-2016 09:56 PM
Double NAT is not a recommended practice since it can lead to some port forwarding confusion.
However, it seems that the main issue is not with the ASA since, as said in your last comment, you have been able to ping only the Internet interface with a laptop connected to Gi 0/1. Do you mean that you are able to ping only the router's Gi 0/0, or the actual interface address which is connected to said interface?
Can the router ping Internet addresses by itself? (No ping from the NAT'd laptop.)
02-21-2016 10:57 PM
I was able to ping g0/0 from g0/2 interface that I was connected to via laptop.
02-22-2016 05:22 AM
Can you at least reach the Internet from the router's Gi 0/0?
Can you test the same ping sourced from the router's Gi 0/1?
Regards!
02-22-2016 06:17 AM
Yes, I can get to the internet when connected by the switch to the router through interface gi0/0. When I connect in router g0/1 I am able to ping past the g0/0 interface. When connected to g0/2 I am not able to ping past g0/0.
02-22-2016 10:43 AM
Hello Spacecage,
Do you want to NAT network 10.165.200.0/24 to the IP address of interface GigabitEthernet0/0? If that's the case, you need to configure ip nat inside on interface GigabitEthernet0/2.
And when you connect the switch (network 10.1.1.0/24) to the firewall, you need a static route on the router as well: ip route 10.1.1.0 255.255.255.0 10.165.200.226