600 Views, 5 Helpful, 3 Replies

Router with Firewall NAT question

scott.bridges
Level 1

Hello,

Attached is a rough drawing of the topology I'm asking about.

The dark cloud is the ISP; the bridge-looking device is the cable modem acting in bridged mode. The router's Fa0/0 (1800 Rtr) is getting my residential IP from the ISP via DHCP.

Will I need to NAT on the firewall? If not, what would the configuration look like concerning transit traffic from inside to outside? My goal is just for the router to be a bump in the wire that reports NetFlow to a device in the LAN. All my separate subnets and security will be done on the ASA.

 

Any advice is appreciated.


3 Replies

Reza Sharifi
Hall of Fame

Hi,

Looking at your diagram, it appears the firewall does not have any public IPs. If you want the firewall to do the NAT for you, the outside interface of it needs to have a public IP. If not, you can NAT on the router.

HTH

Reza,

Thanks for the tip.

After some Googling, it looks like I can apply the following config on the router:

! Standard ACL: wildcard mask, so 0.0.0.255 (not 255.255.255.0) matches the /24
access-list 1 permit 192.168.8.0 0.0.0.255
! PAT the LAN onto the DHCP address of Fa0/0 (the "interface" keyword is required)
ip nat inside source list 1 interface FastEthernet0/0 overload
interface FastEthernet0/1
 ip nat inside
interface FastEthernet0/0
 ip nat outside

Now the question is:  Do I keep the current /30 between the Router/ASA, or does that need to be in the LAN /24?

Thanks again

You can keep the /30 if you want to run the firewall in routed mode. You can also run the firewall in layer-2 (transparent) mode and use one IP in the 192.168.8.0/24 subnet for both inside and outside with 2 different VLANs.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/fwmode.html

HTH
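Putting the two answers together for the routed-mode option (keep the /30, NAT on the router, ASA does no NAT), here is a complete router-side config as an added example; it is not from the thread or from Cisco. The /30 addresses, the collector address and the UDP port are constructed placeholders; only 192.168.8.0/24 comes from the thread. The static route back to the LAN is the piece the posted snippet was missing, and the NetFlow export source matters because the collector sits behind the ASA.

```cisco
! --- IOS 1800 router: NAT for the LAN behind the ASA, NetFlow to a LAN collector ---
! Addresses below are constructed placeholders, not from the thread:
!   192.168.9.0/30  transit link (.1 = router Fa0/1, .2 = ASA outside)
!   192.168.8.0/24  LAN behind the ASA (from the thread)
!   192.168.8.50    NetFlow collector in the LAN, listening on UDP 9996
!
! Inside-to-outside traffic that gets translated: the LAN and the transit /30
! (the /30 entry lets the ASA itself reach the Internet for DNS/updates).
! Standard ACLs take wildcard masks, not subnet masks.
access-list 1 permit 192.168.8.0 0.0.0.255
access-list 1 permit 192.168.9.0 0.0.0.3
!
! PAT everything matched by list 1 onto whatever DHCP address Fa0/0 holds.
ip nat inside source list 1 interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 description ISP via bridged cable modem
 ip address dhcp
 ip nat outside
 ip flow ingress
!
interface FastEthernet0/1
 description Transit /30 to ASA outside
 ip address 192.168.9.1 255.255.255.252
 ip nat inside
 ip flow ingress
!
! Return route: without this the router has no path to 192.168.8.0/24 and
! de-translated replies are dropped before they reach the ASA.
ip route 192.168.8.0 255.255.255.0 192.168.9.2
!
! NetFlow export. "ip flow ingress" on both interfaces captures both directions
! of transit traffic. Sourcing the export from Fa0/1 gives the collector and the
! ASA access rule a stable 192.168.9.1 instead of the changing DHCP address.
ip flow-export source FastEthernet0/1
ip flow-export version 9
ip flow-export destination 192.168.8.50 9996
```

On the ASA (routed mode, same placeholder addressing) the outside interface would be 192.168.9.2/30 with a default route to 192.168.9.1 and no NAT rules; the export packets arrive from the lower-security outside interface, so they need an explicit access rule permitting UDP from 192.168.9.1 to 192.168.8.50 port 9996, otherwise the collector sees nothing.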