Solved

Cisco ASA NAT

Posted on 2011-04-21
Medium Priority
1,424 Views
Last Modified: 2012-05-11
Hi Experts,

A client has a web server that needs to be accessed from the internet.
Its internal IP is 192.168.100.5.
The client connects to its ISP via a Cisco router. Behind the router is a Cisco ASA 5505 firewall (security).
The ISP has given the client a public IP address block of 81.x.x.0/27.
I intend to NAT the public IP address 81.x.x.5 to the internal IP address of the web server (192.168.100.5).
NATting is to be done on the Cisco router.
I have some experience with Cisco routers and firewalls, so I managed to set this up.
However, while the web server is able to browse the internet, it cannot be accessed from the internet. I believe I must be doing something wrong.
I have attached the relevant aspects of the configurations of both the Cisco router and the ASA. I have also attached a network diagram of my setup.
Kindly take a look at it to see what I am doing wrong.


Best Regards
EE-question.txt
Visio-Network-Design.pdf
Question by:salvatorepp
7 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 35445023
What you've provided looks like it should work, but there is too much unknown in the rest of the configurations of both devices.
Is there a particular reason you have to double-nat on both the ASA and the router?

Expert Comment

by:tejjasdesai
ID: 35445177
NAT configuration is to be done once, and I suppose at the ASA only....
Secondly, is this web server also a DNS server?
How are you trying to access the web content, is it IP based or host based?
Author Comment

by:salvatorepp
ID: 35446537
Hi guys,
The setup is now working as intended. However, I have a few queries I'd like you to help clarify.

1. @lrmoore - you mentioned double-NAT above. What does this mean, as I have only the ASA doing the NAT, as it is the only device with public IP addressing? Or does the static command on the ASA constitute "double-NAT"? It's only there for inbound access to the DMZ server from the internet. Kindly help clarify.
2. Assume I have users on the inside of the ASA that need to be able to reach the internet. Will I have to put nat (inside) and global (outside) commands on the ASA, or is the router able to handle this with its present configuration?
3. Continuing from (2) above, what I mean is that I understand that traffic does not travel from lower security levels to a higher security level by default. So what would I need to configure on the ASA to enable inside users as well as the DMZ server to reach the internet without including any NAT statements on the ASA?
Note that the attached has not been applied yet......just my thoughts of how things should be. Please do help check whether it's okay or whether I need to get rid of my NAT statements. Configs on the router remain unchanged.
I'd appreciate your responses to my above concerns, because although it works now, I would like to understand the concept.
ASA5505-EEtxt.txt
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 35446743
1. By double-NAT I mean that you are NATting on the router AND on the ASA.
>as i have only the ASA doing the NAT as it is the only device with public IP addressing
But it looks like the router has the actual public IP addresses on it?? I'm confused..

Router looks like it is doing all the nat for you:
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.100.5 21 81.x.x.5 21 extendable

Add another static route to the inside subnet
   ip route 172.16.201.0 255.255.255.0 172.19.20.2

ASA:

static (DMZ,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 <- this effectively bypasses nat for all the DMZ hosts.

2.
nat (inside) 1 172.16.201.0 255.255.255.0 <- NO
global (outside) 1 interface <-- NO
 
YES:
static (inside,outside) 172.16.201.0 172.16.201.0 netmask 255.255.255.0
If you don't do this, and you keep the nat/global, then all of your internal hosts will get double-natted for sure.

3. >So what would I need to configure on the ASA to enable inside users as well as the DMZ server to reach the internet without including any NAT statements on the ASA?

You really need at least the static NAT statements on the ASA that effectively NAT each subnet back to its own real IP, so the next-hop router sees the real IP, and a route statement on the router so it knows to route those real IPs back to the ASA.
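The double-NAT and return-route reasoning in this answer, written out as a small configuration lint. This is an added example, not code from the thread or from Cisco: it takes router and ASA 8.2-style NAT lines modelled on the ones quoted above (rebuilt here as constructed samples; the 81.x.x.5 address is kept obfuscated as posted and is never parsed), and reports any subnet the ASA would translate on top of the router's NAT, plus any real subnet the router has no route for back to the ASA outside address 172.19.20.2. The `audit` function and its findings keys are this example's own names; it also treats `nat (...) 0` as identity/exemption, a case the thread does not discuss.

```python
"""Lint a router-in-front-of-ASA design for double NAT and missing return routes (added example)."""
import ipaddress
import re

# Constructed sample configs, modelled on the lines quoted in the thread.
ROUTER_CFG = """\
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.100.5 21 81.x.x.5 21 extendable
ip route 192.168.100.0 255.255.255.0 172.19.20.2
"""
# Same router plus the extra static route the answer recommends.
ROUTER_CFG_FIXED = ROUTER_CFG + "ip route 172.16.201.0 255.255.255.0 172.19.20.2\n"

# ASA before: DMZ bypasses NAT, but inside users are PAT'd to the ASA outside address.
ASA_CFG_BEFORE = """\
static (DMZ,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
nat (inside) 1 172.16.201.0 255.255.255.0
global (outside) 1 interface
"""
# ASA after: identity statics for both subnets, so the router sees real IPs.
ASA_CFG_AFTER = """\
static (DMZ,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (inside,outside) 172.16.201.0 172.16.201.0 netmask 255.255.255.0
"""

# ASA 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")
ROUTER_NAT_RE = re.compile(r"^ip nat inside source ")


def _net(addr, mask):
    # ip_network accepts dotted-decimal masks; strict=False tolerates host bits.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa(cfg):
    """Split ASA NAT into identity nets (real IP preserved) and translated nets."""
    identity, translated, pending, global_ids = [], [], {}, set()
    for line in cfg.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            mapped, real, mask = m.group(3), m.group(4), m.group(5)
            (identity if mapped == real else translated).append(_net(real, mask))
        elif m := NAT_RE.match(line):
            nat_id, net = int(m.group(2)), _net(m.group(3), m.group(4))
            if nat_id == 0:
                identity.append(net)  # nat 0 is identity NAT / exemption: no translation
            else:
                pending.setdefault(nat_id, []).append(net)
        elif m := GLOBAL_RE.match(line):
            global_ids.add(int(m.group(2)))
    # A nat statement only translates once a global with the same id exists.
    for nat_id, nets in pending.items():
        if nat_id in global_ids:
            translated.extend(nets)
    return identity, translated


def parse_router(cfg):
    """Return (router_does_nat, {network: next_hop}) from an IOS config fragment."""
    does_nat, routes = False, {}
    for line in cfg.splitlines():
        line = line.strip()
        if ROUTER_NAT_RE.match(line):
            does_nat = True
        elif m := ROUTE_RE.match(line):
            routes[_net(m.group(1), m.group(2))] = m.group(3)
    return does_nat, routes


def audit(router_cfg, asa_cfg, asa_outside_ip):
    """Flag subnets translated on both devices, and real subnets the router cannot route back."""
    router_nats, routes = parse_router(router_cfg)
    identity, translated = parse_asa(asa_cfg)
    findings = {"double_nat": [], "missing_routes": []}
    if router_nats:
        # Anything the ASA already rewrote gets rewritten again by the router's NAT.
        findings["double_nat"] = [str(n) for n in translated]
    for net in identity:
        # Untranslated traffic returns only if the router routes the real subnet to the ASA.
        covered = any(net.subnet_of(r) and hop == asa_outside_ip for r, hop in routes.items())
        if not covered:
            findings["missing_routes"].append(str(net))
    return findings


if __name__ == "__main__":
    for label, r_cfg, a_cfg in (("before", ROUTER_CFG, ASA_CFG_BEFORE),
                                ("asa fixed", ROUTER_CFG, ASA_CFG_AFTER),
                                ("both fixed", ROUTER_CFG_FIXED, ASA_CFG_AFTER)):
        print(label, audit(r_cfg, a_cfg, "172.19.20.2"))
```

Run as a script it prints three findings dicts: the original design double-NATs 172.16.201.0/24, swapping nat/global for an identity static removes that but leaves the router with no route for that subnet, and only the combination of identity static plus the extra `ip route` comes up clean. The lint is deliberately limited to pre-8.3 ASA syntax, which is what the thread uses; it does not model access-lists, which the ASA still needs for inbound traffic regardless of NAT.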
LVL 79

Expert Comment

by:lrmoore
ID: 35446749
Personally, I would get rid of the edge router and just use the ASA for all of it, and assign the public IP directly to the ASA. This will reduce the complexity of your design, remove a point of failure, and make troubleshooting much easier.

Author Closing Comment

by:salvatorepp
ID: 35446790
lrmoore, I guess you really nailed it. Exactly the sort of explanation I was looking for.
Regarding my statement of doing the NAT on the ASA, that was a slip. I meant to say that the router was doing the NAT.
BTW, since I did not have any nat (inside) or global (outside) statements on the ASA, why your reference to double-NAT? That's the only outstanding issue I need clarification on, as it does not look like double-NAT to me based on your recent explanation.
Author Comment

by:salvatorepp
ID: 35446804
lrmoore, the only reason I have the router there in front of the firewall is this:

The client will be moving to BGP in the coming months, and I understand that for BGP peering a router is required to connect to the ISP.