We help IT Professionals succeed at work.


salvatorepp asked
Medium Priority
Last Modified: 2012-05-11
Hi Experts,

A client has a web server that needs to be accessed from the internet.
Its internal IP is
The client connects to its ISP via a cisco router. Behind the router is a Cisco ASA 5505 Firewall (Security).
The ISP has given the client a public IP address block of 81.x.x.0/27.
I intend to NAT the public IP address of 81.x.x.5 to the internal IP address of the web server (
Natting is to be done on the Cisco Router.
I have some experience with Cisco Routers and firewalls, so i managed to set this up.
However, while the webserver is able to browse the internet, it cannot be accessed from the internet. I believe i must be doing something wrong.
I have attached the relevant aspects of the configurations of both the Cisco Router and ASA.I have also attached a Network diagram of my setup.
 Kindly help take a look at it to see what i am doing wrong.

Best Regards
Watch Question

Les MooreSr. Systems Engineer
Top Expert 2008

What you've provided looks like it should work, there is too much unknown in the rest of the configurations of both devices.
Is there a particular reason you have to double-nat on both the ASA and the router?
NAT configuration to be done once and I suppose at ASA only ....
Secondly this Web server is also a DNS Server ?
How you are trying to access the web content , is it IP based or host based ?


Hi guys,
The setup is now working as intended. However i have a few queries i'd like you to help clarify.

1. @ Irmoore - you mentioned double-nat above. what does this mean as i have only the ASA doing the NAT as it is the only device with public IP addressing. Or does the static command on the ASA constitute "double-nat? its only there for inbound access to dmz server from the internet. Kindly help clarify.
2. Assume i have users on the inside of the ASA that need to be able to reach the internet, will i have to put nat (inside)  and global (outside) commands on the ASA. or is the Router able to handle this with its present configuration?
3. Continuing from (2) above, what i mean is that i understand that traffic does not travel from lower security-levels to a higher security-level by default. So what would i need to configure on the ASA to enable inside users as well as the dmz server to reach the internet without including any NAT statements on the ASA.
Note that the attached is has not been applied yet......just my thoughts of how things should. Please do help check its okay or whether i need to get rid of my nat statements. Configs on the router remain unchanged.
I'd appreciate your responses to my above concerns. Because although it works now, i would like to understand the concept.
Sr. Systems Engineer
Top Expert 2008
Unlock this solution and get a sample of our free trial.
(No credit card required)
Les MooreSr. Systems Engineer
Top Expert 2008

Personally, I would get rid of the edge router and just use the ASA for all of it, and assign the public IP directly to the ASA. This will reduce the complexity of your design, remove a point of failure, and make troubleshooting much easier.


lrmoore, i guess you really nailed it. Exactly the sort of explanation i was looking for.
Regarding my statement of doing the NAT on the ASA, that was a slip. I meant to say that the router was doing the NAT.
BTW, since i did not have any nat (inside) or global (outside) statements on the ASA, why your reference to double-nat. Thats the only outstanding issue i need clarification on as it does not look like double-nat to me based on your recent explanation.


lrmoore, the only reason i have the router there in front of the firewall is this:

The client will be moving to BGP in the coming months. and i understand that for BGP peering , a router is required to connect to the ISP.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.