ASA behind border router - NAT help
  • ASA behind border router - NAT help

    Hi everyone... I haven't posted here in a while... I tried posting this in the Cisco Router and Switch forum but it wouldn't let me... if it somehow shows up as a double post, this is the reason why.

    Anyway I have what is probably a simple question for you Cisco gurus.

    I have a Cisco 871 router that I want to set up as a border router with a Cisco ASA 5505 behind it.

    I have a cable modem that gives me a dynamic IP... so the 871's outside interface will get its IP address via DHCP.

    I would like to have the 871's inside address as 10.0.0.1 and the ASA's outside interface as 10.0.0.2. Finally, I would like the ASA's inside VLAN to be 192.168.1.0/24.

    Obviously I want the border router to just pass traffic... but I will be putting ingress and egress filters on it. The ASA will do all other security.

    I found an article describing how to do this here: http://snipurl.com/20p8mh

    It says to do the following: For outbound communication (Internal LAN towards the Internet), do not translate the network 192.168.1.0/24 on the Cisco ASA. Rather create a static mapping of 192.168.1.0 to itself (will see this below) and configure NAT overload on the Cisco Router for the network 192.168.1.0/24.

    Does this make sense? Can you do NAT overload (on the border router) for a network that is coming off of the ASA? And what does making a static map of 192.168.1.0/24 to itself do?

    Are there any other (easier or more logical) ways to do this?

    Anyway thanks in advance for your help...
    Mike

  • #2
    Re: ASA behind border router - NAT help

    Since you are obtaining a "single" public IP via DHCP, I cannot think of another option other than the one shown in the link. At least if you want to maintain a border/edge router with firewall behind it type topology. If you want to simplify things, you could always just connect the ASA directly to the cable modem without the border router since your ISP handoff is Ethernet. But then you lose the ability to add ingress/egress filtering at the edge prior to the firewall.

    Can you do NAT overload (on the border router) for a network that is coming off of the ASA?

    Yes! Just as long as you configure the border/edge router to expect this traffic (192.168.1.0/24)

    And what does making a static map of 192.168.1.0/24 to itself do?

    It's just another term for NAT exclusion or NAT exempt. Basically, the ASA is configured as a router and to NOT NAT inside-to-outside traffic. In the shown topology, a host behind the ASA with an IP address of, let's say, 192.168.1.10 would be seen at the border router's inside interface as 192.168.1.10. The border router is configured to accept 192.168.1.0/24 traffic and NAT it to 50.50.50.4 (the IP-POOL and access-list 1 in the shown configuration).

    You could always configure the ASA to NAT, but why double-NAT outbound traffic?

    As a frame of reference... A typical border/edge router is configured with two sets of public IP addresses. The outside interface that physically connects to the ISP typically has a static /30 netblock assigned and the inside interface that connects to the firewall has the usable public IP address range (like /28).

    Example:
    Edge router outside interface = 21.21.21.22/30, gw=21.21.21.21
    Edge router inside interface = 41.41.41.17/28 (usable public IP addresses = 41.41.41.17-30)

    Firewall outside interface = 41.41.41.18/28, gw=41.41.41.17
    Firewall inside interface = 192.168.1.0/24

    In your case though, your edge router is obtaining a single public IP address via DHCP on the WAN interface only (outside). Your only option would be to use an RFC1918 address space on the inside interface as shown in the posted example (10.0.0.0/24).

    Hope that helps

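The single-public-IP design described in the reply above, written out as an added example (it is not configuration from the original post or from the linked article): the 871 does the NAT overload for 192.168.1.0/24 behind its DHCP-assigned address and carries the ingress/egress filters, while the ASA routes 192.168.1.0/24 out untranslated via an identity static. Interface names, ACL names, the ASA's inside address (192.168.1.1) and the pre-8.3 ASA syntax are assumptions; on ASA 8.3 and later the identity static is written as a `nat (inside,outside) source static` rule instead.

```cisco
! ---- Cisco 871 (border router); interface names assumed ----
! On an 871, FastEthernet4 is the routed WAN port and FastEthernet0-3
! are switchports in Vlan1.
interface FastEthernet4
 description WAN - cable modem, dynamic address
 ip address dhcp
 ip nat outside
 ip access-group INGRESS in
 no cdp enable
!
interface Vlan1
 description transit net to ASA outside (10.0.0.2)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip access-group EGRESS in
!
! The 871 must know the LAN sits behind the ASA; without this route the
! NAT inside-source match never sees 192.168.1.0/24 and replies have
! nowhere to go.
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 dhcp
!
! NAT overload for the ASA's LAN and for the transit net, so the ASA's
! own traffic (DNS, NTP, updates from 10.0.0.2) is translated too instead
! of leaving the WAN port untranslated.
ip access-list extended NAT-INSIDE
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface FastEthernet4 overload
!
! Ingress filter: packets from the Internet may not claim a private,
! loopback or link-local source. The DHCP lease traffic is permitted
! first, because the cable provider's DHCP server may sit in 10.0.0.0/8.
ip access-list extended INGRESS
 permit udp any eq bootps any eq bootpc
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 permit ip any any
!
! Egress filter: only sources that exist behind the ASA may leave.
ip access-list extended EGRESS
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip host 10.0.0.2 any
 deny   ip any any log
!
! ---- Cisco ASA 5505 (pre-8.3 syntax); VLAN layout assumed ----
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.0.0.1
!
! "Static mapping of 192.168.1.0 to itself": an identity translation, so
! inside hosts leave the ASA with their real 192.168.1.x address. Statics
! are matched before any dynamic nat/global pair, so this also keeps the
! LAN from being PATed behind 10.0.0.2 if a global is added later.
! It permits nothing inbound by itself; outside-to-inside connections
! still need an access-group on the outside interface.
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Equivalent NAT-exempt form, if you prefer it to the identity static:
! access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 any
! nat (inside) 0 access-list NONAT
```

To check it, browse out from a LAN host and then run `show ip nat translations` on the 871: the inside-local column should show 192.168.1.x addresses (not 10.0.0.2) mapped to the DHCP-assigned inside-global address. On the ASA, `show xlate` should list identity entries of the form 192.168.1.x to 192.168.1.x, and a traceroute from the LAN should show 192.168.1.1, then 10.0.0.1, then the ISP. If the 871's `show ip nat translations` is empty while the ASA shows xlates, the missing piece is almost always the `ip route 192.168.1.0` statement on the router.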


    • #3
      Re: ASA behind border router - NAT help

      Hi Scowles,

      Thank you so much for your help - I really appreciate that you gave me such a detailed answer...it was exactly what I needed.

      For the past year or so I have had the ASA set up directly behind the cable modem....but I have a bunch of Cisco routers and switches sitting around (bought when I thought I wanted to pursue a CCNA)...and the other day I decided to put the 871 to some use and start to learn how to use it again.

      Originally posted by scowles
      As a frame of reference... A typical border/edge router is configured with two sets of public IP addresses. The outside interface that physically connects to the ISP typically has a static /30 netblock assigned and the inside interface that connects to the firewall has the usable public IP address range (like /28).

      Example:
      Edge router outside interface = 21.21.21.22/30, gw=21.21.21.21
      Edge router inside interface = 41.41.41.17/28 (usable public IP addresses = 41.41.41.17-30)

      Firewall outside interface = 41.41.41.18/28, gw=41.41.41.17
      Firewall inside interface = 192.168.1.0/24
      I do have a few more questions. Based on the example you gave me above, I would use the ASA to do NAT, correct? i.e. because the border router has public IP addresses on *BOTH* the outside and inside addresses, there is no need to use NAT on the router...

      However, we have to use NAT on the ASA because there is a public address on the ASA's outside interface, while there is a private address on the ASA's inside interface?

      Thanks in advance for your help..
      Mike



      • #4
        Re: ASA behind border router - NAT help

        Based on the example you gave me above, I would use the ASA to do NAT, correct? i.e. because the border router has public IP addresses on *BOTH* the outside and inside addresses, there is no need to use NAT on the router...

        Yes, that is correct. The border router's role is nothing more than a router along with any ingress/egress filtering you may want to apply.

        However, we have to use NAT on the ASA because there is a public address on the ASA's outside interface, while there is a private address on the ASA's inside interface?

        Yes, that is correct.

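The two-public-netblock layout from the "frame of reference" that #4 confirms (edge router routes and filters only, the ASA does the NAT), written out as an added example with the reply's own illustrative addresses; it is not configuration from the original thread. Interface names, the ASA inside address, the example server (192.168.1.10 published on 41.41.41.20) and the pre-8.3 ASA syntax are assumptions, and 21.21.21.x/41.41.41.x are the reply's placeholder blocks, not real assignments.

```cisco
! ---- Edge router: routing and filtering only, no NAT ----
interface FastEthernet0/0
 description ISP handoff, 21.21.21.20/30
 ip address 21.21.21.22 255.255.255.252
 ip access-group INGRESS in
 no cdp enable
!
interface FastEthernet0/1
 description usable public block, to ASA outside
 ip address 41.41.41.17 255.255.255.240
 ip access-group EGRESS in
!
ip route 0.0.0.0 0.0.0.0 21.21.21.21
! 41.41.41.16/28 is directly connected and the ISP routes it to 21.21.21.22,
! so there is no ip nat statement anywhere on this box.
!
! Ingress: anti-spoofing. Nothing arriving from the Internet may claim one
! of our own addresses or an RFC1918/loopback source.
ip access-list extended INGRESS
 deny   ip 41.41.41.16 0.0.0.15 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
! Egress: only our own block may leave. If the ASA's NAT is ever
! misconfigured, 192.168.1.x sources are dropped and logged here instead
! of leaking to the ISP.
ip access-list extended EGRESS
 permit ip 41.41.41.16 0.0.0.15 any
 deny   ip any any log
!
! ---- ASA (pre-8.3 syntax); interface names assumed ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 41.41.41.18 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 41.41.41.17
!
! Dynamic PAT: everything on 192.168.1.0/24 leaves as the outside
! interface address, 41.41.41.18.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! One-to-one static for an internal server on a spare public address
! (assumed values), plus the outside ACL that actually admits the traffic.
! The static by itself permits nothing inbound.
static (inside,outside) 41.41.41.20 192.168.1.10 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 41.41.41.20 eq 443
access-group OUTSIDE-IN in interface outside
```

With this split, `show ip nat translations` on the edge router stays empty by design, and `show xlate` on the ASA carries both the PAT entries (192.168.1.x to 41.41.41.18) and the static (192.168.1.10 to 41.41.41.20). Note that on ASA 8.3 and later the static becomes an object NAT rule and the outside ACL must reference the real address (192.168.1.10), not the mapped one.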


        • #5
          Re: ASA behind border router - NAT help

          Great post and answers, sort of what I am looking for but slightly expanded. I have a Cisco 2651XM with an ADSL WIC and a /29 from my ISP (block of 8). All of the PPPoA authentication and NAT is being done on the 2651. All of the static NATs are also being done on the 2651. The inside interface currently goes to my 4006. I recently picked up an ASA 5510 and would like to use it for NAT and static NATs and other firewall features, and wasn't sure how to configure the 2651 to pass the /29 to the ASA. I would not want the ASA to provide DHCP as I have a DHCP server on the internal network. I also am not sure how I would modify the config in the 2651 to not NAT.

          Anyone have any suggestions?
