Showing results for 
Search instead for 
Did you mean: 

ASA 5505 behind Router

Karsten Kemper

Hello togehter,

i have following setup at the moment:

Modem -> ASA 5505 -> LAN

where the ASA is on the

outside : DHCP configured, getting route and dns via DHCP, dynamic Wan IP

inside : ( dhcp server enabled for lan side connected clients )

A site-to-site VPN is configured ( dynamic to static IP ) on the ASA.

Everything is working fine.

Due to an ISP change the modem is getting replaced with a FritzBox Cable 6320 ( Router with integrated modem )

So the setup will look like this afterwards:

Router Fritzbox-> ASA 5505->LAN

where the desired IP's should look like this:

Fritzbox LAN -> ( dhcp server enabled for connected clients, here only the ASA )

ASA outside : DHCP configured, getting route and dns via DHCP

ASA inside : ( dhcp server enabled for lan side connected clients)

I am getting on the ASA outside an ip from the Fritzbox, including a correct route


outside : directly connected

inside : directly connected via outside

But i cannot interact from the ASA inside with the fritzbox, whereas i can ping from the CLI the

I honestly don't know where the problem is nor how to setup NAT and Routes and where, who needs to do natting and routing in the new setup

The relevant sections from the working config of the ASA



interface Ethernet0/0

switchport access vlan 2


interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute


----network objects

object network obj_any


object network VPN-SITE


object network


ACL and Cryptomap

access-list outside_cryptomap extended permit ip object object VPN-SITE

access-list inside_access_in extended permit ip any any


nat (inside,outside) source static destination static VPN-SITE VPN-SITE no-proxy-arp route-lookup


object network obj_any

nat (inside,outside) dynamic interface

I would be very thankful for schematic explanation or some useful links!

With kind regards

Karsten Kemper

3 Replies 3

Paul Heilmeier


are youe add the ASA inside IP as an route to Fritzbox, so the Fritzbox knows with which way they can reach the ASA?

If you are able to configure the, you could try to use the as an Modem, and use the PPPOE from ASA,

so the ASA gets direct an public IP on the outside interface.

Julio Carvajal
VIP Alumni
VIP Alumni



FIxup protocol ICMP

then test?

Rate all of the helpful posts!!!



Follow me on

Julio Carvajal
Senior Network Security and Core Specialist

Thank you for taking the time to answer, i did'nt see em due to landing into the spam folder=/

Yes the route on the FritzBox to the ASA was set.

The problem was that the FritzBox was doing some "parental control checks" on the clients connected behind the ASA. This traffic was blocked on the ASA which lead to the FritzBox blocking connections from these hosts.

With kind regards

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: