Reverse NATting on ASA 8.2

Hi All,
I am currently trying to apply a reverse NAT on ASA 8.2 and not sure how to do this. I have done this on ASDM 6.2 for ASA 8.3 but the options are not similar on 8.2. Is there a CLI equivalent?
I am trying to achieve the object below:
for any traffic coming from the outside interface to the inside interface with any source address to destination 10.X.X.58, translate it so that it becomes 192.X.X.X to address 192.X.X.58. This is so that communications can traverse the internal network as the server is not on a DMZ.
I have done this on 8.3 (shown below) but do not know if it is possible for 8.2; I have tried replicating the same command on 8.2 but the commands are not recognised.
nat (outside,any) source static any 192.X.X.X destination static 10.X.X.X 192.X.X.58
Should I just upgrade to 8.3? I have never done it before so I am not sure of the consequences.
Any advice appreciated!

Zahan,
You can actually do it on 8.2 but not for "any" interface. Let's put the sample for outside to inside.
access-list pnat permit ip any host 10.X.X.X
nat (outside) 40 access-list pnat outside
global (inside) 40 192.X.X.X
static (inside,outside) 192.X.X.58 10.X.X.X
Of course NAT on 8.3/8.4 is more flexible than 8.2, so if you can upgrade your ASA it will be a good option.
Luis Silva
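The following is an added example, not code from the thread or from Cisco: a small Python model of the 8.2 rule set in Luis's answer (policy outside NAT via the pnat access-list, the single-address global pool on inside, and the static for the server), so that the rewrite can be traced in both directions. The thread masks its addresses as 10.X.X.X / 192.X.X.X; the addresses, ports and the client host used below are constructed placeholders for them.

```python
# Added example, not part of the thread: a reduced model of the 8.2 rule set in
# Luis's answer, so the rewrite in both directions can be traced.
# The thread masks its addresses as 10.X.X.X / 192.X.X.X; the values below are
# constructed placeholders for them.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network

SERVER_PUBLIC = IPv4Address("10.0.0.58")   # stands in for 10.X.X.X  (address outside clients use)
SERVER_REAL   = IPv4Address("192.0.2.58")  # stands in for 192.X.X.58 (server's real inside address)
INSIDE_PAT_IP = IPv4Address("192.0.2.1")   # stands in for 192.X.X.X  (the 'global (inside) 40' address)
INSIDE_NET    = ip_network("192.0.2.0/24") # assumed inside subnet


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


def acl_pnat_matches(pkt: Packet) -> bool:
    """access-list pnat permit ip any host 10.X.X.X -- evaluated on the packet as it
    arrives on outside, i.e. against the destination before it is un-translated."""
    return pkt.dst == SERVER_PUBLIC


class ReverseNat82:
    """nat (outside) 40 access-list pnat outside + global (inside) 40 <ip>
    + static (inside,outside) 192.X.X.58 10.X.X.X, reduced to a lookup table."""

    def __init__(self):
        self.next_port = 1024
        self.pat = {}      # (client ip, client port) -> port allocated on INSIDE_PAT_IP
        self.pat_rev = {}  # allocated port -> (client ip, client port)

    def inbound(self, pkt: Packet) -> Packet:
        """outside -> inside."""
        # static (inside,outside): outside hosts reach the server by 10.X.X.X,
        # the ASA swaps in the real inside address.
        dst = SERVER_REAL if pkt.dst == SERVER_PUBLIC else pkt.dst
        if not acl_pnat_matches(pkt):
            return Packet(pkt.src, pkt.sport, dst, pkt.dport)  # no policy NAT for this flow
        # policy outside NAT: sources matching ACL pnat are PAT'ed to the single
        # 'global (inside)' address, so the server sees a source on its own subnet.
        key = (pkt.src, pkt.sport)
        if key not in self.pat:
            self.pat[key] = self.next_port
            self.pat_rev[self.next_port] = key
            self.next_port += 1
        return Packet(INSIDE_PAT_IP, self.pat[key], dst, pkt.dport)

    def outbound(self, pkt: Packet):
        """inside -> outside: the server's reply, which it sends to the PAT address.
        Returns None when no xlate exists (simplification: a real ASA also keeps
        connection state, but a reply with no translation has nowhere to go)."""
        if pkt.dst != INSIDE_PAT_IP or pkt.dport not in self.pat_rev:
            return None
        client_ip, client_port = self.pat_rev[pkt.dport]
        src = SERVER_PUBLIC if pkt.src == SERVER_REAL else pkt.src  # static rule in reverse
        return Packet(src, pkt.sport, client_ip, client_port)


def round_trip(client_ip="198.51.100.7", client_port=40000, service_port=443):
    """One request/reply pair through the ASA; returns what the server sees and
    what the client sees."""
    asa = ReverseNat82()
    request = Packet(IPv4Address(client_ip), client_port, SERVER_PUBLIC, service_port)
    as_seen_by_server = asa.inbound(request)
    reply = Packet(as_seen_by_server.dst, service_port, as_seen_by_server.src, as_seen_by_server.sport)
    as_seen_by_client = asa.outbound(reply)
    return as_seen_by_server, as_seen_by_client


if __name__ == "__main__":
    inside, outside = round_trip()
    print("server sees:", inside)   # src 192.0.2.1:1024 -> dst 192.0.2.58:443
    print("client sees:", outside)  # src 10.0.0.58:443 -> dst 198.51.100.7:40000
    print("reply stays on the inside subnet:", inside.src in INSIDE_NET)
```

The point the model makes visible is the one the original poster was after: the server only ever sees a source address on its own subnet (192.X.X.X), so its replies go back through the ASA without any routing change on the inside network, and the static rule restores 10.X.X.X as the source the outside client expects.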

Similar Messages

  • "Loopback" or "reverse NAT" on EA2700 / DB N600

    I'm having some trouble finding the right setting on the included tools - I'm familiar with how to do it in ddwrt but don't want to change from stock on this one.
    What I have is that I want to be able to access certain ports via my public IP address (Instead of local network address) from within my house.  For example, internal address is 192.168.1.125 to point to a given device, and I have it mapped out on the public IP address - (fake IP) 129.252.67.60:8080 to point to that device.  I can access that public IP address fine from outside of my home network, but if I try to do so while connected to my home network, it will not connect.  (Of course, I can connect to 192.168.1.125 fine from my home network.)
    From what I recall and have read, I need to turn on "loopback" or "reverse NAT" somehow to let the router know to point the external IP address request right back...
    If anyone has any advice/fixes, I would greatly appreciate it - I have settings on my computer/tablet that I would prefer to not have to keep two separate versions of (One for external networks, one for internal networks) if it can be avoided.
    Thanks in advance,
    -l

    Ensure the box "Filter Internet NAT redirection" IS CHECKED on the security tab. Selecting the checkbox and saving worked for me to get Loopback within my network

  • Question about configuration of NAT on ASA

    Hi all,
    I have an ASA configured with DHCP and it's providing IPs to users.
    The ASA is connected to a 3550 switch; it has a direct connection, or say a default static route.
    From the 3550 switch the connection goes to a router, and it does the NAT and has the connection to the outside world.
    My question is, do I need to configure the NAT inside and global (outside) on the ASA or not?
    As per my understanding NAT is done by the router which has the connection to the ISP.
    Thanks
    Mahesh

    Hi Jennifer,
    Thanks for the reply.
    I tested like this: configured the NAT on the ASA,
    then as per your reply ran the command no nat-control, as the ASA version is 8.4.
    But the NAT config is still there in the ASA.
    I did sh xlate and it shows
    ciscoasa# sh xlate
    27 in use, 371 most used
    PAT Global 192.168.11.2(33396) Local 192.168.1.5(57177)
    PAT Global 192.168.11.2(61657) Local 192.168.1.5(57176)
    PAT Global 192.168.11.2(52259) Local 192.168.1.5(57175)
    PAT Global 192.168.11.2(30453) Local 192.168.1.5(57174)
    I did clear xlate; still there is output from sh xlate.
    My question is, how do we test whether the ASA is NATing or not?
    Which commands can tell us that the ASA is doing NAT?
    Thanks
    MAhesh

  • Nat/pat asa 5505 asdm ver 8.4

    hi all,
    I have a problem with port forwarding on an ASA 5505.
    I have this situation:
    internet ---> public ip address-> router albacom -- 10.0.0.15 ---> -nat forward port 80--10.0.0.1 -outside -firewall asa -inside - 192.168.0.1------------server web 192.168.0.99
    The server is not in a DMZ but on the LAN network.
    My users must connect from the internet, with any browser, to http://albacom_pubblic_address; router albacom and then the ASA firewall must NAT and forward port 80 to the web server 192.168.0.99.
    Any idea or tutorial?
    Thanks, best regards

    Hi Luca,
    On the ASA, you would need the following:
    object network server_ip
      host 192.168.0.99
    object service tcp_80
      service tcp destination eq 80
    nat (outside,inside) source static any any destination static interface server_ip service tcp_80 tcp_80
    That would port forward all the request coming on port 80 on the outside interface of the firewall, to your internal server on port 80.
    Hope that helps
    Thanks,
    Varun

  • Problems with the new NAT in ASA 5510 (8.4)

    Hi together,
    I have some problems with the NAT statements in ASA version 8.4.
    What I want is to translate the internal address of a server to the external address with a NAT rule.
    The ASA has only one WAN connection (named outside).
    The internal server has the IP address 192.168.0.221 (as an example) and I want to translate all incoming traffic on port 3389 to the server (192.168.0.221).
    This is only for training; I don't want to forward port 3389 into the BAD in a productive network.
    First I create the network object for the inside server (192.168.0.221):
    object network Network_Obj_RDP
    host 192.168.0.221
    After that I create the access rule for incoming traffic on the outside interface:
    access-list outside_access_in extended permit ip any any log debugging
    Next I create an access rule for the inside-prod network to allow the traffic to the RDP server:
    access-list inside-prod_access_in extended permit object RDP interface outside object Network_Obj_RDP
    Now I create the NAT rule in the network object (Network_Obj_RDP):
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    But if I want to connect via 3389 on the outside interface I see this entry in the syslog:
    Built inbound TCP connection 23248 for outside:80.187.107.132/7445 (80.187.107.132/7445) to inside-prod:192.168.0.221/3389 (External IP/3389)
    After a while the connection will be torn down with this message:
    Teardown TCP connection 23289 for outside:80.187.107.132/2294 to inside-prod:192.168.0.221/3389 duration 0:00:30 bytes 0 SYN Timeout
    It looks like the ACL works fine, but the NAT translation is wrong...
    Perhaps somebody has an idea to fix this.
    Looking forward and hoping for help...
    Many thanks
    Greetings

    Hi Jouni,
    this is the correct Packet Tracer output, I think:
    packet-tracer input inside-prod tcp 192.168.0.220 3389 8.8.8.8 4567
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside-prod_access_in in interface inside-prod
    access-list inside-prod_access_in extended permit ip object Network_Obj-Productiv any log debugging
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    Additional Information:
    Static translate 192.168.0.220/3389 to 80.146.252.162/3389
    Phase: 6
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 825, packet dispatched to next module
    Result:      
    input-interface: inside-prod
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    That looks pretty fine, but the way back isn't right:
    packet-tracer input outside tcp 8.8.8.8 4567 192.168.0.220 3389
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.0.0     255.255.255.0   inside-prod
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside-in in interface outside
    access-list outside-in extended permit tcp any object Network_Obj_RDP eq 3389 log debugging
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    object network Network_Obj_RDP
    nat (inside-prod,outside) static interface service tcp 3389 3389
    Additional Information:
    Result:      
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside-prod
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    I have no idea...

  • Dynamic PAT and Static NAT issue ASA 5515

    Hi All,
    Recently we migrated our network to an ASA 5515. Since we had configured nat pool overload on our existing router, the users are able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router on the firewall, it seems that the translation is not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide), all users are able to be translated to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the static NAT is not able to translate. Can anyone explain if there's any conflict with PAT to Static NAT? I appreciate your response. Thanks!
    - Bhal

    Hi,
    I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and the Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
    The very basic configuration for Static NAT and Default PAT I would do in the following way:
    object network STATIC
    host
    nat (inside,outside) static dns
    object-group network DEFAULT-PAT-SOURCE
    network-object
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
    This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
    You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
    https://supportforums.cisco.com/docs/DOC-31116
    Hope this helps
    - Jouni
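As an added illustration of the rule-ordering point in Jouni's answer (not code from the thread or from Cisco), the Python below models the three NAT sections of the 8.3+ format and evaluates the two layouts he contrasts: dynamic PAT as a Section 1 manual rule over object-NAT static (the suspected problem), versus the same PAT moved to Section 3 with after-auto. The rule names, the 10.1.1.0/24 inside network, the 10.1.1.10 server and the 203.0.113.10 mapped address are constructed for the example. The model matches on source only and omits the address/object-name tie-breaks inside Section 2.

```python
# Added example, not part of the thread: a reduced model of the ASA 8.3+ NAT rule
# table, to show why a Section 1 dynamic PAT overrides object (Section 2) static
# NAT for a host and why 'after-auto' (Section 3) resolves it. Names and
# addresses are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                   # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual NAT after-auto
    real: ipaddress.IPv4Network    # real (inside) source the rule matches
    kind: str                      # "static" or "dynamic"
    mapped: str                    # mapped address, or "interface" for interface PAT
    seq: int = 0                   # configuration order, relevant in Sections 1 and 3


def rule_order(rule: NatRule):
    """Evaluation order: Section 1, then 2, then 3. Sections 1 and 3 are tried in
    configured order. In Section 2 the ASA tries static rules before dynamic ones
    and more specific rules (fewer real addresses) before broader ones; the
    further tie-breaks on address and object name are left out of this model."""
    if rule.section == 2:
        return (2, 0 if rule.kind == "static" else 1, rule.real.num_addresses, rule.name)
    return (rule.section, rule.seq, 0, rule.name)


def select_rule(rules, src_ip):
    """First rule, in ASA evaluation order, whose real source contains src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=rule_order):
        if ip in rule.real:
            return rule
    return None


LAN = ipaddress.ip_network("10.1.1.0/24")       # constructed inside network
SERVER = ipaddress.ip_network("10.1.1.10/32")   # constructed server host


def pat_first_config():
    """The suspected problem layout: PAT as a Section 1 manual rule.
       nat (inside,outside) source dynamic LAN interface          (Section 1)
       object network SERVER / nat (inside,outside) static 203.0.113.10   (Section 2)"""
    return [
        NatRule("DEFAULT-PAT", 1, LAN, "dynamic", "interface", seq=1),
        NatRule("STATIC-SERVER", 2, SERVER, "static", "203.0.113.10"),
    ]


def after_auto_config():
    """Same rules, but the PAT is 'after-auto', i.e. a Section 3 rule."""
    return [
        NatRule("DEFAULT-PAT", 3, LAN, "dynamic", "interface", seq=1),
        NatRule("STATIC-SERVER", 2, SERVER, "static", "203.0.113.10"),
    ]


def translation_for(rules, src_ip):
    """(rule name, kind, mapped) that a packet from src_ip would get, or None."""
    rule = select_rule(rules, src_ip)
    return (rule.name, rule.kind, rule.mapped) if rule else None


if __name__ == "__main__":
    for label, cfg in (("PAT in section 1", pat_first_config()),
                       ("PAT after-auto", after_auto_config())):
        print(label, "-> server:", translation_for(cfg, "10.1.1.10"),
              "| other host:", translation_for(cfg, "10.1.1.20"))
```

With the PAT in Section 1 the server's traffic is caught by the broad dynamic rule before the static is ever consulted, which is exactly the symptom Bhal describes; once the PAT is after-auto, the object static wins for the server and everything else still falls through to the PAT.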

  • What is the maximun number of static NAT in ASA

    Hello everybody,
    Does someone know how many static NAT sessions can be configured on a Cisco ASA?
    Thank you for your response...

    Hi,
    That question really depends... The answer is very simple though: the number of xlates is not limited. What really limits you is either PAT (which allows 64000 xlates for each IP you use to do PAT) or the number of connections.
    As far as Static NATs go, there is no limit. You can create as much as you want, but eventually doing a sum of all the resources  (inspections, ACLs, QoS etc) will increase the use of the memory.
    So, bottom line, you will not get an error that says, static NAT cannot be created.... you will get eventually an error related to memory.
    Mike

  • Help needed with NAT on ASA 8.4 (x)

    inside: security level 100
    outside: security level 0
    Traffic coming in from any IP address on the inside interface and going out on the outside interface with a destination of 12.1.1.1 should be NAT'ed/PAT'ed to the 100.1.1.1 IP address. How do we do it on an ASA running 8.4 software? I'm kind of new to these NAT commands introduced in 8.3 and later.

    Here we go (assuming that your inside network is 10.10.10.0/24):
    object network obj-10.10.10.0
      subnet 10.10.10.0 255.255.255.0
    object network obj-12.1.1.1
      host 12.1.1.1
    object network obj-100.1.1.1
      host 100.1.1.1
    nat (inside,outside) source dynamic obj-10.10.10.0 obj-100.1.1.1 destination static obj-12.1.1.1 obj-12.1.1.1
    It's always good to be more specific on the inside subnet, instead of using the keyword "any" as it can cause translation issue for other interfaces.

  • Outside nat in asa

    Hi guys, I am a bit confused, please help me...
    RTR2----(Outside)ASA(Inside)----Rtr1
    The outside network range is 192.168.1.0/24 with Rtr2 having .2 and the ASA having .1.
    The inside network range is 192.168.2.0 with the ASA having .1 and Rtr1 having .2.
    Now I want to perform dynamic outside NAT for Rtr2.
    nat (outside) 1 192.168.1.0 255.255.255.0
    global (inside) 1 interface
    or
    nat (outside) 1 192.168.1.0 255.255.255.0 outside
    global (inside) 1 interface
    I know that the outside keyword is used for outside NAT, and when I try to configure the
    nat command on the outside interface it gives me a warning too... but it takes the command.
    My doubt is why outside NAT doesn't work with the outside keyword. I hope you guys got my doubt...

    Hi Matti, I have the following setup:
    host---(inside)Pix(Outside)---Rtr
    host ip address 10.0.0.10
    Pix Inside 10.0.0.1
    Pix Outside 172.31.0.1
    Rtr IP add:172.31.0.2 (Rtr having a default route to the Pix)
    I tried to configure outside NAT, but it's not working.
    hostname Firewall
    enable password xxx encrypted
    names
    interface Ethernet0
    speed 100
    nameif outside
    security-level 0
    ip address 172.31.0.1 255.255.255.0
    interface Ethernet1
    speed 100
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    passwd xxx
    ftp mode passive
    access-list outside extended permit ip any any
    pager lines 24
    logging enable
    icmp unreachable rate-limit 1 burst-size 1
    nat-control
    global (inside) 1 interface
    nat (outside) 1 0.0.0.0 0.0.0.0 outside
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside in interface outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    I see the following messages:
    %PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2253 to inside:10.0.0.1/30
    %PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
    %PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2254 to inside:10.0.0.1/31
    %PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
    %PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2255 to inside:10.0.0.1/32
    %PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
    %PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2256 to inside:10.0.0.1/33
    %PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
    %PIX-6-305011: Built dynamic ICMP translation from outside:172.31.0.2/2257 to inside:10.0.0.1/34
    %PIX-3-305005: No translation group found for icmp src outside:172.31.0.2 dst inside:Insrv (type 8, code 0)
    show xlate output:
    PAT Global 10.0.0.1(36) Local 172.31.0.2 ICMP id 5850
    PAT Global 10.0.0.1(35) Local 172.31.0.2 ICMP id 5849
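Mahesh's question earlier on this page ("how do we test whether the ASA is NATing or not?") and the show xlate output just above both come down to reading the translation table. The following is an added example, not code from the thread or from Cisco: a Python parser for the 8.2-style show xlate lines quoted in those two posts (TCP/UDP PAT entries with ports, ICMP PAT entries with an ICMP id, and the "N in use, M most used" counter line), which then reports whether any entry maps a local address to a different global address. The sample lines are copied from the posts; the prefix-less "Global ... Local ..." line is a constructed addition and is treated, as an assumption, as a one-to-one static entry.

```python
# Added example, not part of the thread: parse 8.2-style `show xlate` output and
# report whether the box is actually translating. Sample lines below are taken
# from the two posts on this page; the final 'Global ... Local ...' line is a
# constructed addition (assumed to be how a static one-to-one entry appears).
import re
from dataclasses import dataclass
from typing import Optional

XLATE_RE = re.compile(
    r"^(?:(?P<kind>PAT|NAT)\s+)?Global\s+(?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))?"
    r"\s+Local\s+(?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?"
    r"(?:\s+ICMP id\s+(?P<icmp>\d+))?\s*$"
)
HEADER_RE = re.compile(r"^(?P<in_use>\d+) in use, (?P<most>\d+) most used")


@dataclass(frozen=True)
class Xlate:
    kind: str                 # "PAT", "NAT", or "static" (assumed for prefix-less lines)
    global_ip: str
    local_ip: str
    global_port: Optional[int] = None
    local_port: Optional[int] = None
    icmp_id: Optional[int] = None


def parse_show_xlate(text: str):
    """Return (in_use, most_used, [Xlate, ...]); counters are None if no header line."""
    in_use = most = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("sh xlate") or line.endswith("show xlate"):
            continue  # prompt echo of the command itself
        header = HEADER_RE.match(line)
        if header:
            in_use, most = int(header["in_use"]), int(header["most"])
            continue
        m = XLATE_RE.match(line)
        if not m:
            continue  # unrecognised line; a stricter tool would report it
        entries.append(Xlate(
            kind=m["kind"] or "static",
            global_ip=m["gip"], local_ip=m["lip"],
            global_port=int(m["gport"]) if m["gport"] else None,
            local_port=int(m["lport"]) if m["lport"] else None,
            icmp_id=int(m["icmp"]) if m["icmp"] else None,
        ))
    return in_use, most, entries


def is_translating(entries) -> bool:
    """True when at least one xlate maps a local address to a different global address."""
    return any(e.global_ip != e.local_ip for e in entries)


def summarize(text: str) -> dict:
    in_use, most, entries = parse_show_xlate(text)
    by_kind = {}
    for e in entries:
        by_kind[e.kind] = by_kind.get(e.kind, 0) + 1
    return {"in_use": in_use, "most_used": most, "entries": len(entries),
            "by_kind": by_kind, "translating": is_translating(entries)}


# Constructed sample: lines from the two posts plus one assumed static entry.
SAMPLE = """\
ciscoasa# sh xlate
27 in use, 371 most used
PAT Global 192.168.11.2(33396) Local 192.168.1.5(57177)
PAT Global 192.168.11.2(61657) Local 192.168.1.5(57176)
PAT Global 10.0.0.1(36) Local 172.31.0.2 ICMP id 5850
Global 203.0.113.10 Local 10.1.1.10
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against the output Mahesh posted, the Global and Local addresses differ on every line, so the tool reports translating=True: entries in show xlate whose global side differs from the local side are direct evidence that the ASA is building translations for that traffic.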

  • Policy NAT on ASA

    Hi. I have a client with a failover 5520 pair. Two DMZs. The client wants to see "some" DMZ servers using the servers' PUBLIC IP addresses "as well as" the DMZ addresses. Is this even possible? If not, is it possible to see some via their translated public IPs and others with the local DMZ addresses? Confused....

    Hello,
    It's quite possible to have DMZ ip addresses connected to by the 'inside' and have those same servers also connected to by the internet on their public IP addresses (assuming your DMZ is privately addressed and NAT is set up from outside-->dmz)
    Is this what you are asking?
    --Jason

  • ASA 5512-X 8.6(1)2 NAT Overload

    My colleague and I have been banging our heads against the wall trying to figure out why we are unable to get this ASA to NAT overload correctly. Can anybody out there take a look at our config and see what we are missing? I'm sure it is something stupid, and the config may have gotten a little dirty as we tried to change options and make it work. Any insights would be much appreciated. FYI, we can ssh from the WAN into the device to configure it. It is communicating externally, but it isn't NATting.
    ASA Version 8.6(1)2
    !
    hostname ASA5512-X-Remote
    enable password ********** encrypted
    passwd ********** encrypted
    names
    !
    interface GigabitEthernet0/0
     description ISP
     nameif WAN
     security-level 0
     ip address 10.10.10.250 255.255.255.248
    !
    interface GigabitEthernet0/1
     nameif LAN
     security-level 100
     ip address 172.16.55.2 255.255.255.0
    !
    interface GigabitEthernet0/2
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/2.1
     vlan 58
     nameif VENDOR_58
     security-level 0
     ip address 192.168.58.1 255.255.255.0
    !
    interface GigabitEthernet0/2.2
     vlan 56
     nameif VENDOR_56
     security-level 0
     ip address 192.168.56.1 255.255.255.0
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
     management-only
    !
    ftp mode passive
    object network LAN-HOSTS_172.16.55.0
     subnet 172.16.55.0 255.255.255.0
    access-list LAN standard permit any
    access-list WAN_access_in extended permit ip any any
    access-list LAN_access_in extended permit ip any any
    pager lines 24
    mtu WAN 1500
    mtu LAN 1500
    mtu VENDOR_56 1500
    mtu VENDOR_58 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    !
    object network LAN-HOSTS_172.16.55.0
     nat (LAN,WAN) dynamic interface
    access-group WAN_access_in in interface WAN
    access-group LAN_access_in in interface LAN
    route WAN 0.0.0.0 0.0.0.0 10.10.10.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    no snmp-server enable
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 WAN
    ssh timeout 60
    console timeout 0
    management-access WAN
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username admin password ********** encrypted privilege 15
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 19
      subscribe-to-alert-group configuration periodic monthly 19
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:6ec463a9761699ba648aa4a17237e3ea
    : end
    As stated before, any help or insights would be greatly appreciated.
    edit: txt file of config attached.

    ************EDIT*********************
    oops, I didn't see your reply before I posted mine...let me check that .....
    ************EDIT**********************
    I've added some testing ACLs to allow any TCP traffic from any to any, applied to both the WAN and the LAN, and I'm still being met with the implicit ACL block like I have been getting.
    Maybe I'm going overboard, but I want to at least get it functioning and then start backing things out one at a time.
    I've added the following:
    access-list TESTING extended permit tcp any any
    access-list TESTING extended permit udp any any
    access-list TESTING extended permit icmp any any
    access-group TESTING global
    I have been staring at this running config for literally 8 hours so I will admit to having likely flawed logic in some of this stuff.

  • IPSEC b/w ASA and Router --- with nat stuff

    I need help regarding the following issue..
    An asa is connected to a router which is connected to the internet.
    A VPN must be established between the ASA and a router that is over the internet. The ASA is not directly connected to the internet. It is connected to a router which NATs the ASA outside IP to a static global IP.
    All I need to know is: do I need any special configs for this, or is it the same as if the ASA had been directly connected to the internet?

    In order to configure a LAN-to-LAN tunnel between a Cisco IOS router and an Adaptive Security Appliance (ASA), these configurations are required on the ASA:
    Configure the crypto ipsec command in Phase 2.
    Configure the isakmp policy command.
    Configure the nat 0 command and the access-list command in order to bypass NATting.
    Configure the crypto-map command.
    Configure the tunnel-group DefaultL2LGroup command with group information

  • Question regarding NAT and directed-mode

    Hello,
    I have two WAE 574 devices and a CM 274 all running code level 4.3.1.6. The CM is behind a PIX firewall. There is no firewall between the branch and core WAE. The branch device is behind a NAT router. The CM and SSL ASA are behind a PIX 515 firewall. The branch WAE is running inline mode and the core WAE is using WCCP redirection. Both the CM and SSL ASA are reverse NATted on the PIX firewall. The branch WAE has the primary interface unchecked on the CM and is using the NAT address.
    I am getting asymmetric route issues. This is because for some reason the NAT address of the branch WAE sends the SYN, which is responded to, but the ACK is coming from the unNATted private address. When I turn off directed mode I can see optimisation start for some sessions but not for the SSL
    ASA.
    Example
    Branch WAE Private 192.68.1.45
    Branch WAE Public 206.99.88.10
    CM private 192.168.20.9
    CM public 240.10.10.20
    PIX log
    Jan 15 2012 11:50:58: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe
    Although the PIX NATs the CM address, the core WAE is still seeing its private address.
    Do you have any idea what could be causing this ?
    Best regards
    Stephen
    Jan 15 2012 11:51:12: %PIX-5-106100: access-list DMZ_access_in denied tcp DMZ/192.168.20.9(443) -> outside/206.99.88.10(46871) hit-cnt 1 f]
    Jan 15 2012 11:51:31: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe
    Jan 15 2012 11:51:37: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46847 to 240.10.10.20/443 flags PSH ACK on interfe
    Jan 15 2012 11:52:08: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/49634 to 240.10.10.20/443 flags PSH ACK on interfe
    Jan 15 2012 11:52:10: %PIX-5-106100: access-list outside_access_in permitted tcp outside/206.99.88.10(23183) -> DMZ/240.10.10.20(443) ]
    Jan 15 2012 11:52:10: %PIX-6-302013: Built inbound TCP connection 1475554768 for outside:206.99.88.10/23183 (206.99.88.10/23183) to DMZ:WAD)
    Jan 15 2012 11:52:10: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/23183 to 240.10.10.20/443 flags ACK on interface e

    Hi Stephen,
    To troubleshoot this further, we would need to get a topology diagram of your network, as well as the configurations from all devices, so it would probably be better if you open a TAC service request.
    Regards
    Daniel

  • Download Anyconnect client inside ASA

    Hi,
    I currently have a Cisco 5520 ASA which is up and running and the users are able to connect to Anyconnect to VPN into the network.
    However, users plugged into the internal network inside the ASA are unable to connect to the vpn address and download the Anyconnect Client. I think this may be to do with reverse NAT missing?
    I would appreciate any help.
    Thanks in advance.
    Nisha

    Hi Lee,
    I enabled the Anyconnect Client on the inside interface but have had no luck.
    The users are trying to browse to a vpn address from which they are prompted to install the Anyconnect software. This comes under Network (Client) Access right?
    Thanks in advance.
    Nisha

  • ASA 5505 Connected To Linksys Router

    Hello, I have a cable modem internet connection and my cable modem is connected to an ASA 5505.  The inside interface of the ASA has an IP address of 192.168.2.2 and is connected to a Linksys router's internet port which has an IP address of 192.168.2.1.  The Linksys router then has a local area network of 192.168.1.0 and all my clients are on that network.  Everything is working fine except in my ASA logs all the traffic shows up as the router's external address which is 192.168.2.1.  I would like to see the 192.168.1.x address of the clients in the ASA firewall.  I've tried making some changes to the Linksys router but that hasn't resolved it.  Is there any changes I can make on the ASA to get this to work?   Below is some of the config:
    ASA Version 8.2(5)
    hostname djchristasa
    enable password k7X9tTHKoCUET/3Z encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    I didn't post ACL's and some other things.  Please let me know if you need more.
    Thanks,
    Dave

    Dave
    The Linksys doing NAT is the reason why the ASA sees all the traffic as having source address as 192.168.2.1. The only way for the ASA to see the original 192.168.1.x address is to change the Linksys to not do NAT.
    One thing that I notice is that there is not a route statement in what you posted for the 192.168.1.0 network. It is not clear whether the route does exist and you did not post it or whether the route does not exist. But if it does not exist it would certainly be a reason why you lose Internet connectivity when you change the Linksys to not perform NAT. (the ASA would have no knowledge of how to forward to the network and would drop all the traffic). Try adding the route to the ASA and changing the Linksys to not perform NAT and let us know if it works.
    HTH
    Rick
