topic Re: Triple Natting in Network Security

Triple Natting

psaravanan — Mon, 11 Mar 2019 19:52:22 GMT

Hi friends,

I have some doubt in the below scenario.

gig0/0 gig0/1 eth0/0.4 eth0/1 eth0/0 eth0/1 fa0/47

--------Internet router ----------------> ASA Context (Virtual) Firewall -----------------> ASA 5510 Firewall ---------------->Core switch.

1xx.2xx.3xx.4 10.0.10.1 10.0.10.2/30 10.0.10.5/30 10.0.10.6/30 192.168.10.4

I need to access internet from the coreswitch. I have another virtual firewall connected to another network.

I need to limit the another network traffic into here through physical(ASA5510) firewall.

So I need to configure NATing in three places like Internet router, Context Firewall, ASA 5510 v8.3.

If i do natting in all devices, then it may affect the bandwidth of the network (bottleneck).

Is there any other way to resolve it.

Please suggest to me.

Thanks.

Re: Triple Natting

Federico Coto Fajardo — Thu, 17 Feb 2011 19:43:12 GMT

Hi,

If you NAT, the NAT process take up system resources.

Honestly I don't see the need for NATing more than once (perhaps two for overlapping), but why three times?

Federico.

Re: Triple Natting

psaravanan — Fri, 18 Feb 2011 07:14:40 GMT

Hi Federico,

Thanks for your reply,

In internet router, I will nat the 10.0.10.0 series into a public IP to rate limit the bandwidth for this network.

In Virtual firewall and Physical firewall, I will NAT the Inside and outside interfaces.

Is it possible to reduce the NATing in this scenario

Please send any other suggestion for the same.

Regards,

Saravanan.

Re: Triple Natting

Maykol Rojas — Sat, 19 Feb 2011 05:27:11 GMT

Hi Saravaran...

Mike here. Well if you are talking about doing self translations (Nat to themselves) until they get to the router... it is not going to cause latency issues...

However, it is very important to mention that if you have applications behind the core switch that need to have internet access and are also sensitive to tcp sequence number, you may want to disable the randomization of TCP sequence numbers on one of the ASA's

For the rest, I dont see a problem....

Cheers

Mike