03-22-2007 09:39 AM - edited 03-05-2019 03:03 PM
I'm a little confused on how to set up NAT and where. My router has an IP of 1.1.1.1. My public IP range is 1.1.1.1 to 1.1.1.6 of usable IPs. At the current moment the router forwards the traffic to a hub and from there it goes into a device that is assigned one of my usable IPs.
I bought an ASA5505 and the scheme changes. I can either take one of my IPs and assign it to the OUTSIDE interface of the firewall and NAT inside the firewall, or
NAT inside the router as well as inside the firewall...
Which is the recommended setup, and what are the ramifications? Any other options that I am missing?
ASA interfaces:
0 -outside
1 -DMZ
2 -inside
4 -mgmt
Thank you for your help,
chris
03-22-2007 09:58 AM
You can set up NAT on either one; it wouldn't really matter, and it would still work. I would suggest configuring NAT on your ASA if you have the public IP addresses to spare for assigning them to the routing interfaces. Just have the router route, and it will be less of a headache for you later on in the future. HTH.
03-22-2007 10:52 AM
Thanks, that was helpful.
So if my router's e0 IP is 1.1.1.1, then I can make the ASA's OUTSIDE int 1.1.1.2. How will the router know to forward traffic destined for 1.1.1.5 to the ASA OUTSIDE interface?
03-22-2007 11:37 AM
Is 1.1.1.5 the IP that you will use for NAT?
03-22-2007 12:56 PM
1.1.1.5 is the webserver (accessible from Internet). I will use 192.168.2.2 as the NATted address.
1.1.1.1 is the entry point to my network
1.1.1.2 is the Outside int on ASA
192.168.2.1 is the DMZ int on ASA (where webserver is hooked up)
I assigned a static(outside,dmz) 192.168.2.2 1.1.1.5 netmask 255.255.255.255 and static(dmz,static) 1.1.1.5 192.168.2.2 netmask 255.255.255.255
I changed the webserver TCP/IP to 192.168.2.2/255.255.255.0/gate 192.168.2.1
but my setup does not work.
03-22-2007 01:02 PM
You have to add an ACL to the outside interface to permit the traffic to enter the interface and then be NAT'd.
03-22-2007 02:24 PM
So I tried using ACLs, statics, and PAT to get this to work; none seem to work.
When I try to ping 66.999.999.62 from the router it succeeds.
When I try to ping 66.999.999.58 (web server) from the router it fails.
It's like the router does not know that 66.999.999.58 is behind the 66.999.999.62 ASA OUTSIDE interface...!!!
Do I need to change the router config to make it aware that 66.999.999.62 (web server) is behind the ASA?
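One way to write the configuration the thread converges on (a one-to-one static for the DMZ web server plus the inbound ACL the reply above asks for), as an added example that is not taken from the original posts or from any Cisco document. ASA 7.x command syntax is assumed, since the thread never states the software version; the addresses are the placeholder ones used earlier in the thread (1.1.1.2 outside, 192.168.2.1 dmz, 1.1.1.5 as the public address of the web server, 192.168.2.2 as its real address), and the VLAN numbers, ACL name, and the list of permitted ports are illustrative choices.

```cisco
! --- ASA 5505, ASA 7.x syntax (assumed; the thread never states the version) ---
! Addresses are the placeholder values from the thread. VLAN numbers, the ACL
! name and the permitted ports are illustrative.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.248
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Default route toward the router, which is the entry point to the network.
route outside 0.0.0.0 0.0.0.0 1.1.1.1
!
! One-to-one static NAT. Argument order is
!   static (real_ifc,mapped_ifc) mapped_ip real_ip
! i.e. the interface the host really sits on comes first, then the interface
! on which the translated address is seen. One line covers both directions;
! a second "reverse" static is not needed.
static (dmz,outside) 1.1.1.5 192.168.2.2 netmask 255.255.255.255
!
! Traffic arriving on a lower-security interface is dropped until an ACL
! permits it. On 7.x the ACL is written against the mapped (public) address.
! Only HTTP/HTTPS are opened here; the ICMP line exists so that a ping test
! from the router can succeed, and can be removed once testing is done.
access-list outside_in extended permit tcp any host 1.1.1.5 eq 80
access-list outside_in extended permit tcp any host 1.1.1.5 eq 443
access-list outside_in extended permit icmp any host 1.1.1.5 echo
access-group outside_in in interface outside
!
! Proxy ARP on outside is enabled by default and must stay that way. It is
! how the router, which shares the same /29, finds 1.1.1.5: the ASA answers
! ARP requests for every mapped address it holds a static for, so the router
! needs no extra route. Make sure this line is NOT in the configuration:
!   sysopt noproxyarp outside
!
! Verification from the ASA:
!   show xlate                  - expect "Global 1.1.1.5 Local 192.168.2.2"
!   show access-list outside_in - hit counts should rise on a test connection
!
! Verification from the router (IOS):
!   show ip arp 1.1.1.5         - should resolve to the ASA's outside MAC
!   show ip route 1.1.1.0       - connected via e0, so no static route needed
```

Two points in this example bear directly on the questions in the thread. First, the static command names the real interface first and the mapped interface second; written the other way round, the ASA treats 192.168.2.2 as a host on outside and 1.1.1.5 as the address it should present on dmz, which is the opposite of what is wanted. Second, because 1.1.1.5 falls inside the /29 that the router's e0 is directly connected to, the router resolves it with ARP rather than a route, and the ASA's proxy ARP for the static is what answers that request; a ping from the router to 1.1.1.5 additionally needs the ICMP entry in the outside ACL, otherwise the ASA silently drops the echo request even though the translation is correct.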