NAT Routing Problem on Cisco ASA 5505

If you haven’t done this yet or lack faith in your NAT setup, I have also posted instructions on how to set up a NAT on the Cisco ASA 5505.

After setting up my Cisco ASA5505 to perform NAT (Network Address Translation), I wasn’t able to access the server from outside the firewall. I also noticed that the server behind the firewall was not able to access network resources outside the firewall. Using a packet sniffer, I determined that the Cisco device was sending the request packets out and receiving responses from devices, but not allowing those packets through the firewall.

Removing the server from the NAT rule by simply changing the NAT rule’s internal IP address and hitting apply allowed the server to instantly send traffic out. Using a whatismyip service showed that I was being identified by the firewall’s IP address.

There seems to be a bug in the Cisco firewall, because the “solution” is silly: change a setting and change it back.

  1. Log in to the ASA5505 using the Cisco ASDM software.
  2. Click “Configuration” at the top, then “Interfaces” on the left.
  3. Select the “outside” interface and click “Edit.”
  4. Select “Use static IP” and set the interface’s IP to the same as the outside IP address you’ve specified in your NAT rule.
  5. Click “OK,” then “Apply.” The device will take a few moments to change this setting.
  6. Try to access a network service outside the firewall using your NAT’ed server. It should work!
  7. Now, click “Edit” again, and change the setting back to whatever you had there before.
  8. Unbelievably, the NAT’ed server will still work AND your Cisco device will have the separate IP address you require. You haven’t changed any settings, but now it works!
