topic Re: NATting queries in Network Security

NATting queries

Kaushik Ray — Tue, 12 Mar 2019 00:47:41 GMT

Hello All

I have a query regarding a setup I am working on.

There is a Firewall in the setup which does a PAT to a range of 10.xxx.xxx.xxx IP address to a Public IP Address that exists on a Router which is a next hop. This Router in turn does a PAT to a Remote Router with 192.168.xxx.xxx range IP address to provide them ISP connection. Now user on the Remote Router with 192.168.xxx.xxx range want to setup a firewall in their network and want a Public IP address assigned to it for it to be reachable from the Internet.

My question is if I setup a static 1:1 NAT for the 192.168.xxx.10(say) to the 10.xxx.xxx.xxx.10 (say) on the first router and create a new NAT on my firewall to static NAT the 10.xxx.xxx.10 to a Public IP address will the remote end new firewall device be reachable from the Internet?

Would be grateful to have your views.

Many Thanks in advance.

NATting queries

shamax_1983 — Wed, 16 Jan 2013 13:16:04 GMT

Hi Kaushik,

So you've got Public IP subnet between your ASA and the Router?. What do you mean by " which does a PAT to a range of 10.xxx.xxx.xxx IP address to a Public IP Address that exists on a Router which is a next hop " Your setup should need a bit more clarification. Please give us more clearer picture what you want to achieve

Shamal

NATting queries

Kaushik Ray — Wed, 16 Jan 2013 13:41:06 GMT

Thanks Shamal I have sent you a private message with the drawing of the setup.

NATting queries

Julio Carvajal — Wed, 16 Jan 2013 17:35:41 GMT

Hello,

I would be more than glad to help but unfortunatelly the question is not clear enough,

Please try to explain one more time so we can help

Julio

Re: NATting queries

shamax_1983 — Thu, 17 Jan 2013 00:59:59 GMT

Hi Kaushik,

I had a look in to your diagram,

Now, If you don't have a specific requirement to do the double natting along the way,

What you can do is,

Assign a secondary IP on the router 192.168.99.91

And have specific static routes for 192.168.99.91 255.255.255.255 pointing the next hop of all intermediate routers/firewalls

Then directly do a 1:1 NAT from the New-Public-IP->to 192.168.99.91

Also, make sure you exempt 192.168.99.91 from being PAT'ed along the way..

Ex, on the Router in the middle,

access-list 170 deny ip 192.168.99.91 0.0.0.0 any

access-list 170 permit ip 192.168.99.0 0.0.0.0 any

--------------------

With your proposed setup, It should still work, but you will have to heve specific static routes for each 1:1 NAT'ed IPs pointing the correct nexthop. ( That is if you did not use a IP address on the interfaces as the NAT'ed IP, as mentioned earlier when you NAT some thing, there should be someone on the other side to accept the reply packet OR you have to have static routes )

Let me know how you

Also, Don't forget to rate/mark helpful posts..

Shamal

Re: NATting queries

Kaushik Ray — Thu, 17 Jan 2013 13:16:57 GMT

Thanks Shamal for your repsonse, should the secondary IP be .91 or the .90 which is the IP address of the new firewall to be put in?

Thanks

Kaushik

Re: NATting queries

shamax_1983 — Thu, 17 Jan 2013 22:36:12 GMT

Hi Kaushik,

May be I understood the situation wrong, Is this new firewall already in place and doing some sort of PAT'ing ? or is this a new firewall you are planning to implement ?

If this is already in place and already being PAT'ed out for Internet access ( at your firewall with some public IP ) and if you want to keep it that way.. and you want the New public IP 1:1 NAT'ed on to new firewall, you may use 192.168.99.91 because I think in that case you are already using .90 for PAT.

If this is a new firewall and if nothing as been done yet, you can assign only .90 and do 1:1 nat ( no need to use the seconday IP ).

In any case make sure you exempt this ip ( .90 or .91 ) from being NAT'ed when the traffic passes through the two routers in the middle and.. only get 1:1 NAT'ed at the edge firewall.. Also make sure you add a static route on the Edge firewall and the next router ( the one connected to the edge firewall ) so they know where 192.168.99.90 ( or .91) lives.

Let me know how you go with this setup.

Also please don't forget to rate helpful posts..

Shamal