Asa Config with NAT on external Firewall connected to outside inter

Melospawn
Level 1

Hi,

I have the following setup and cannot ping from the Cisco ASA to any external IPs. 

I have a firewall connected to the Internet and my Cisco ASA outside interface connected to the firewall via a transfer network. I do NAT on the firewall to map an external public IP to the internal transfer zone.

All IPs and networks being used are fake.

So something like:

Outside interface ASA IP 192.168.20.2/24

Transfer zone on the Firewall IP 192.168.20.1/24

DNAT 1.1.1.1 to 192.168.20.2 (outside interface on the ASA)

I have a static route 0.0.0.0 0.0.0.0 192.168.20.1 on the ASA that sends everything to the firewall transfer zone.

I can ping from the outside Internet via the FW to the ASA, and the internal ASA works, but I cannot ping from the ASA to external, so Cisco AnyConnect fails when it is about to establish the tunnel.

Attached is a schematic.

So I assume I need to do some NAT on the ASA side? Or should it be able to ping external IPs without this?

Many thanks in advance.

C.

5 Replies

Do you open the port in the FW?

What is the tunnel-facing issue, SSL or IPsec S2S?

Yes, I did open it. It is IPsec.

I assume the issue is on the ASA, since ping from outside to the ASA outside interface (using the DNAT on the FW) works but not from internal to external resources.

I will try more things tomorrow that I found on the Internet, but in theory the outside interface doesn't have to have a public IP; it can work behind a NAT, or?

Hmm, maybe it is an issue in NAT, as you mention IPsec.

Please answer the questions below:

You use IPsec, and you set the peer on the other device (IPsec end) with the public IP of the FW, not the private IP of the ASA?

You use NAT 1:1?

You use PAT 1:1?

Did you open port UDP 4500?

MHM 

Hi

So far I have defined no NAT or PAT on the Cisco ASA.

The external FW is not Cisco. What I don't understand is why I can ping the outside ASA interface from the external Internet, but from the ASA itself I cannot ping any external public IPs.

I would use this mainly for Cisco AnyConnect users. No site-to-site VPN is needed.

For testing I opened all ports from outside to inside, restricted to a source IP from my ISP, so only I (from work) can access it while I debug. But anyway it is not working. Of course management (ASDM, SSH and so on) is blocked on the outside interface.

Thanks

Carmelo

If your issue is only ping, not IPsec (for IPsec I mentioned above the steps that need to be checked, and the NAT question I asked is about the NAT config in the FW, not in the ASA):

If it is for ping only, then use

Ping

Then Enter

Then select the outside interface as the source of the ping, since it is allowed by the FW.

MHM