Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1796
Views
0
Helpful
3
Replies

Triple Natting

psaravanan
Level 1
Level 1

‎02-17-2011 11:32 AM - edited ‎03-11-2019 12:52 PM

Hi friends,

I have some doubt in the below scenario.

     gig0/0         gig0/1        eth0/0.4                               eth0/1              eth0/0                 eth0/1                 fa0/47

--------Internet router ----------------> ASA Context (Virtual) Firewall -----------------> ASA 5510 Firewall ---------------->Core switch.

1xx.2xx.3xx.4    10.0.10.1     10.0.10.2/30                   10.0.10.5/30         10.0.10.6/30          192.168.10.4

I need to access internet from the coreswitch. I have another virtual firewall connected to another network.

I need to limit the another network traffic into here through physical(ASA5510) firewall.

So I need to configure NATing in three places like Internet router, Context Firewall, ASA 5510 v8.3.

If i do natting in all devices, then it may affect the bandwidth of the network (bottleneck).


Or

Is there any other way to resolve it.

Please suggest to me.

Thanks.

Labels:
0 Helpful
3 Replies 3

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎02-17-2011 11:43 AM

Hi,

If you NAT, the NAT process take up system resources.

Honestly I don't see the need for NATing more than once (perhaps two for overlapping), but why three times?


Federico.

0 Helpful

psaravanan
Level 1
Level 1
In response to Federico Coto Fajardo

‎02-17-2011 11:14 PM

Hi Federico,

Thanks for your reply,

In internet router, I will nat the 10.0.10.0 series into a public IP to rate limit the bandwidth for this network.

In Virtual firewall and Physical firewall, I will NAT the Inside and outside interfaces.

Is it possible to reduce the NATing in this scenario

Or

Please send any other suggestion for the same.

Regards,

Saravanan.

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to psaravanan

‎02-18-2011 09:27 PM

Hi Saravaran...

Mike here. Well if you are talking about doing self translations (Nat to themselves) until they get to the router... it is not going to cause latency issues...

However, it is very important to mention that if you have applications behind the core switch that need to have internet access and are also sensitive to tcp sequence number, you may want to disable the randomization of TCP sequence numbers on one of the ASA's

For the rest, I dont see a problem....

Cheers

Mike

Mike
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card