11-21-2013 06:36 AM - edited 03-07-2019 04:43 PM
We are putting a Cisco 2611 in front of an ASA 5510 to accept a DS3 circuit. After circuit activation, the 2611 can get out to the Internet, but both internal users and the ASA cannot access the Internet.
The design is as follows:
Internal user <-> ASA e0/1
ASA e0/0 <-> 2611 gi0/0
2611 s1/0 <-> Internet.
Internal user - ASA - 2611 - Internet
I'm not sure if I require additional NAT on 2611. Can someone please provide help on troubleshooting this?
ASA has following config:
int e0/0
desc to 2611
nameif ISP
security-level 0
ip address 10.10.10.2 255.255.255.252
!
int e0/1
desc to internal
nameif internal
security-level 50
ip address 192.168.1.0 255.255.255.0
!
global (ISP) 1 interface
nat (internal) 1 192.168.1.0 255.255.255.0
route ISP 0.0.0.0 0.0.0.0 10.10.10.1
!
2611 has following config:
int gi0/0
desc to ASA
ip address 10.10.10.1 255.255.255.252
!
int s1/0
desc to Internet
ip address x.x.x.x x.x.x.x
!
Thank you,
11-21-2013 06:53 AM
Do you have a block of addresses? Generally, the provider will give you a block to put on the wan side and your other block that you've paid for will go on the Lan side. The ASA e0/0 will be configured to another public address and you can nat to it.
If not, there are a couple of things you could do. You could nat the complete 10.10.10.0/30 to the internet on the router which means now you're double natting.
Or you could not nat on the ASA and nat only on the router, but I'm not sure how many nat statements you have on the ASA to advise if this would even be a feasible option.
If you're thinking of the first option, it would look like:
192.168.1.0 ---> natted to 10.10.10.2 ---> 2611 nats 10.10.10.0/30 ---> WAN IP
The second option would look like:
192.168.1.0 ---> 10.10.10.2 ---> 2611 nats 192.168.1.0/24 ---> WAN IP
The first one has to nat the 10.x.x.x subnet because the ASA is natting the 192.x.x.x to a 10.10.10.2. The second one only needs to nat the 192.168.1.0/24 at the router because the 10.10.10.0/30 is directly connected. You'd also need a static route on the 2611 pointing 192.168.1.0 to 10.10.10.2.
HTH,
John
*** Please rate all useful posts ***
11-21-2013 09:14 AM
Thank you John,
The ISP only provided a /30 block, so we won't be able to do the second option you suggested. I configured NAT on the 2611 as follows:
int gi 0/0
desc to ASA
ip address 10.10.10.1 255.255.255.252
ip nat inside
!
int s1/0
desc to Internet
ip address 2.2.2.2 255.255.255.252
ip nat outside
!
ip nat inside source static 10.10.10.1 2.2.2.1 //2.2.2.1 being ISP
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 192.168.1.0 255.255.255.0 10.10.10.2
!
ASA
int e0/0
desc to 2611
nameif ISP
security-level 0
ip address 10.10.10.2 255.255.255.252
!
int e0/1
desc to internal
nameif internal
security-level 50
ip address 192.168.1.0 255.255.255.0
!
global (ISP) 1 interface
nat (internal) 1 192.168.1.0 255.255.255.0
route ISP 0.0.0.0 0.0.0.0 10.10.10.1
Would this work?
Thank you,
Woo
11-21-2013 09:32 AM
You won't need the static route to 192.168.1.0 on the router if you're natting from the ASA as 10.10.10.2 for all of your outbound traffic. Do you have static nats on the ASA for other services like web server, ftp, etc?
The other thing that I noticed was your nat line on the router looks incorrect:
ip nat inside source static 10.10.10.1 2.2.2.1 //2.2.2.1 being ISP
You're going to have to nat the 10.10.10.2 if you're only wanting to support that, which is the ASA.
I would just set 10.10.10.0/30 as a whole:
access-list 100 permit ip 10.10.10.0 0.0.0.3 any
ip nat inside source list 100 interface s1/0 overload
HTH,
John
*** Please rate all useful posts ***
11-22-2013 01:05 PM
Sorry, I am a bit confused - you mentioned that I won't require NAT on the router since ASA already has NAT configured, but then you also mentioned that I need to correct ip nat statement on the router.
I am assuming that I should remove "ip nat inside" and "ip nat outside" from the interface configuration, and add the following config only?
access-list 100 permit ip 10.10.10.0 0.0.0.3 any
ip nat inside source list 100 interface s1/0 overload
Thank you,
Woo
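Pulling John's two replies together for the option Woo picked (ASA PATs 192.168.1.0/24 to 10.10.10.2, router PATs 10.10.10.0/30 to its WAN address), here is the complete 2611 NAT configuration as an added example; it is not config posted by either participant. It assumes Woo's placeholder WAN addressing (2.2.2.2/30 on s1/0, 2.2.2.1 as the ISP side) and that the ASA keeps its existing global/nat statements. The interface-level ip nat inside/outside designations stay, since the source-list rule only translates traffic that enters an inside interface and leaves an outside one; only the static entry and the extra static route go.

```cisco
! Added example: 2611 side of the double-NAT design from this thread.
! Addresses are the ones posted; 2.2.2.0/30 is Woo's placeholder WAN block.
!
interface GigabitEthernet0/0
 description to ASA
 ip address 10.10.10.1 255.255.255.252
 ! keep: "ip nat inside source list" only acts on traffic arriving here
 ip nat inside
!
interface Serial1/0
 description to Internet
 ip address 2.2.2.2 255.255.255.252
 ! keep: translation is applied as packets leave the outside interface
 ip nat outside
!
! Remove the static entry. It mapped 10.10.10.1 (the router's own
! address, not the ASA's 10.10.10.2) to 2.2.2.1, which per the posted
! default route is the ISP's side of the /30, so ASA-sourced traffic
! never matched it and the public address it used is not the router's.
no ip nat inside source static 10.10.10.1 2.2.2.1
!
! Translate everything sourced from the ASA link to the s1/0 address.
! 0.0.0.3 is the wildcard mask for /30; "overload" enables PAT so the
! single WAN address serves every host behind the ASA.
access-list 100 permit ip 10.10.10.0 0.0.0.3 any
ip nat inside source list 100 interface Serial1/0 overload
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
! Not needed in this design (John's point): the router only ever sees
! 10.10.10.2 as a source, and return traffic to 10.10.10.2 is on the
! directly connected /30. Remove it so no 192.168.1.0/24 route leaks
! into the WAN-facing routing table.
no ip route 192.168.1.0 255.255.255.0 10.10.10.2
!
! Verification after an internal host browses out:
!   show ip nat translations   (expect 10.10.10.2:port -> 2.2.2.2:port entries)
!   show ip nat statistics     (lists inside/outside interfaces, hits on list 100)
```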