
Cisco ASA NAT

Hi Experts,

A client has a web server that needs to be accessed from the internet.
Its internal IP is 192.168.100.5.
The client connects to its ISP via a Cisco router. Behind the router is a Cisco ASA 5505 Firewall (Security).
The ISP has given the client a public IP address block of 81.x.x.0/27.
I intend to NAT the public IP address 81.x.x.5 to the internal IP address of the web server (192.168.100.5).
NATting is to be done on the Cisco router.
I have some experience with Cisco routers and firewalls, so I managed to set this up.
However, while the web server is able to browse the internet, it cannot be accessed from the internet. I believe I must be doing something wrong.
I have attached the relevant parts of the configurations of both the Cisco router and the ASA. I have also attached a network diagram of my setup.
Kindly help take a look at it to see what I am doing wrong.


Best Regards

Attachments: EE-question.txt, Visio-Network-Design.pdf

Asked by salvatorepp
1 Solution
 
lrmoore commented:
What you've provided looks like it should work, but there is too much unknown in the rest of the configurations of both devices.
Is there a particular reason you have to double-NAT on both the ASA and the router?
 
tejjasdesai commented:
NAT configuration is to be done once, and I suppose at the ASA only....
Secondly, is this web server also a DNS server?
How are you trying to access the web content: is it IP based or host based?
 
salvatorepp (Author) commented:
Hi guys,
The setup is now working as intended. However, I have a few queries I'd like you to help clarify.

1. @lrmoore - you mentioned double-NAT above. What does this mean, as I have only the ASA doing the NAT, since it is the only device with public IP addressing? Or does the static command on the ASA constitute "double-NAT"? It's only there for inbound access to the DMZ server from the internet. Kindly help clarify.
2. Assume I have users on the inside of the ASA that need to be able to reach the internet. Will I have to put nat (inside) and global (outside) commands on the ASA, or is the router able to handle this with its present configuration?
3. Continuing from (2) above, what I mean is that I understand that traffic does not travel from lower security levels to a higher security level by default. So what would I need to configure on the ASA to enable inside users as well as the DMZ server to reach the internet without including any NAT statements on the ASA?
Note that the attached has not been applied yet... just my thoughts of how things should be. Please do help check whether it's okay or whether I need to get rid of my NAT statements. Configs on the router remain unchanged.
I'd appreciate your responses to my above concerns, because although it works now, I would like to understand the concept.
Attachment: ASA5505-EEtxt.txt
lrmoore commented:
1. By double-NAT I'm talking about you NATting on the router AND on the ASA.
> as I have only the ASA doing the NAT as it is the only device with public IP addressing
But it looks like the router has the actual public IP addresses on it?? I'm confused..

Router looks like it is doing all the NAT for you:
   ip nat inside source list 10 interface GigabitEthernet0/0 overload
   ip nat inside source static tcp 192.168.100.5 21 81.x.x.5 21 extendable

Add another static route to the inside subnet:
   ip route 172.16.201.0 255.255.255.0 172.19.20.2

ASA:

   static (DMZ,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0 <- this effectively bypasses NAT for all the DMZ hosts.

2.
   nat (inside) 1 172.16.201.0 255.255.255.0 <- NO
   global (outside) 1 interface <-- NO

YES:
   static (inside,outside) 172.16.201.0 172.16.201.0 netmask 255.255.255.0
If you don't do this, and you keep the nat/global, then all of your internal hosts will get double-NATted for sure.

3. > So what would I need to configure on the ASA to enable inside users as well as the DMZ server to reach the internet without including any NAT statements on the ASA?

You really need at least the static NAT statements on the ASA that effectively NAT back to its own real IP so the next-hop router sees the real IP, and a route statement on the router so it knows to route those real IPs back to the ASA.
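The pieces lrmoore lists, assembled into one router/ASA configuration pair as an added illustration (this is not the asker's attached config or lrmoore's text). It keeps the page's addressing (81.x.x.5 public, 192.168.100.5 DMZ server, 172.16.201.0/24 inside, 172.19.20.2 as the ASA's outside address per lrmoore's route) and the pre-8.3 ASA syntax used on the page; the interface names, the contents of access-list 10, the ACL name OUTSIDE_IN, the router's inner address 172.19.20.1, and tcp/80 for the web server (the page's router line forwards tcp/21) are assumptions.

```cisco
! --- Edge router: owns the public block and is the ONLY device translating ---
! Assumed: Gi0/0 faces the ISP, Gi0/1 faces the ASA outside interface.
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
! Outbound PAT for the real (untranslated) subnets behind the ASA.
! Assumed contents of list 10: the ASA's DMZ and inside networks.
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 permit 172.16.201.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
! Inbound port forward for the web server (tcp/80 assumed; page shows tcp/21).
ip nat inside source static tcp 192.168.100.5 80 81.x.x.5 80 extendable
! Return routes: the real IPs live behind the ASA, so send them to its outside
! address. The second line is the route lrmoore asked to add.
ip route 192.168.100.0 255.255.255.0 172.19.20.2
ip route 172.16.201.0 255.255.255.0 172.19.20.2

! --- ASA 5505 (pre-8.3 syntax): identity NAT only, no address change ---
! Hosts leave the ASA with their real IPs, so the router does the single NAT.
static (DMZ,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (inside,outside) 172.16.201.0 172.16.201.0 netmask 255.255.255.0
! Deliberately absent: "nat (inside) 1 ..." and "global (outside) 1 interface".
! With the router already translating, those would double-NAT inside hosts.
!
! Traffic from the lower-security outside interface still needs an explicit
! permit (assumed ACL name). By the time it reaches the ASA, the router has
! already rewritten 81.x.x.5 to the server's real address, so match on that.
access-list OUTSIDE_IN extended permit tcp any host 192.168.100.5 eq 80
access-group OUTSIDE_IN in interface outside
! Default route toward the router's inner interface (assumed 172.19.20.1).
route outside 0.0.0.0 0.0.0.0 172.19.20.1
```

To confirm only one translation is happening, "show ip nat translations" on the router should list the 192.168.100.5/172.16.201.x real addresses, while "show xlate" on the ASA should show only identity entries for those same subnets.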
 
lrmoore commented:
Personally, I would get rid of the edge router and just use the ASA for all of it, and assign the public IP directly to the ASA. This will reduce the complexity of your design, remove a point of failure, and make troubleshooting much easier.
 
salvatorepp (Author) commented:
lrmoore, I guess you really nailed it. Exactly the sort of explanation I was looking for.
Regarding my statement of doing the NAT on the ASA, that was a slip. I meant to say that the router was doing the NAT.
BTW, since I did not have any nat (inside) or global (outside) statements on the ASA, why your reference to double-NAT? That's the only outstanding issue I need clarification on, as it does not look like double-NAT to me based on your recent explanation.
 
salvatorepp (Author) commented:
lrmoore, the only reason I have the router there in front of the firewall is this:

The client will be moving to BGP in the coming months, and I understand that for BGP peering, a router is required to connect to the ISP.