08-10-2017 09:09 AM - edited 03-12-2019 02:48 AM
Hi
I am really struggling with a topology that consists of a firewall behind a router. Could anyone help explain the questions below?
If the network between the firewall and the router was a private address, i.e. 10.x.x.x, and the internal private subnet was 192.x.x.x, would you NAT the 192 address to the 10 address?
Would you have a default route on the firewall (0.0.0.0 0.0.0.0) toward the 10.x address on the router?
Would you name the 192 interface inside and the 10 interface outside?
Would you have to NAT again from the 10 address to the public IP address of the router's WAN-facing interface?
Any help would be greatly appreciated.
Thanks in advance,
Simon
08-14-2017 12:04 PM
Hi Simon, looking over your question, you are correct on all assumptions. The inside interface is typically your most trusted environment (i.e. what you or your organization has control over), whereas outside is that which you have little to no control over.
Your default route will point to the 10. network, since you're essentially saying "I don't have a specific route for this traffic, so it must go to you".
You would NAT the 192. addresses into the 10. addresses so that the packet, once it's outside of your network (which would be the 10. space), knows how to get to the next route.
You would again need to NAT the 10. address, because the 10.x.x.x space does not route on the Internet, so it needs to be assigned a real address via NAT.
08-14-2017 12:54 PM
Hi Ryan,
Thanks for taking the time to look over my question and clarifying it.
Much appreciated,
Simon
08-22-2017 08:53 AM
Hi Simon,
I hope Ryan's advice helped you, but just to add on to that:
Sometimes it's not a must to do the NAT between the ASA and the router and then do another one on the router interface facing the Internet.
You may decide to do what they call NO NAT between the ASA and the router, so that your IP from the Inside zone, or any zone you're coming from, doesn't change unless you're going to the INTERNET.
Regards
Tony
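Both answers above describe the same topology with two NAT options: Ryan's double NAT (ASA translates 192.x to its 10.x outside address, router translates 10.x to the public address) and Tony's NO NAT (ASA passes 192.x through untranslated and only the router translates). The configuration below is an added illustration, not something posted by Simon, Ryan or Tony. It assumes ASA 8.3+ object NAT syntax, an IOS router, and made-up addresses: 10.0.0.0/30 for the ASA-router link (router 10.0.0.1, ASA 10.0.0.2), 192.168.1.0/24 inside, and a hypothetical public address 203.0.113.10 on the router's WAN interface. Interface names are assumptions too.

```cisco
!=== ASA: interface naming and default route (common to both options) ===
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! "I have no specific route, so send it to the router" (Ryan's point)
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
!
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
!
!=== Option A (Ryan): ASA PATs 192.168.1.0/24 to its own outside address ===
! The router then only ever sees 10.0.0.2 as the source.
object network INSIDE_NET
 nat (inside,outside) dynamic interface
!
!=== Option B (Tony): NO NAT on the ASA ===
! On 8.3+ traffic is untranslated unless a rule matches, so the usual way
! to express "no NAT" explicitly is a static identity rule (replace the
! dynamic rule above with this one, do not configure both):
! nat (inside,outside) source static INSIDE_NET INSIDE_NET
!
!=== Router (IOS) ===
interface GigabitEthernet0/0
 description link to ASA outside
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN, hypothetical public address
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.9
!
! Option B only: the router must know how to reach 192.168.1.0/24, because
! untranslated return traffic is addressed to 192.168.1.x, not to 10.0.0.2.
ip route 192.168.1.0 255.255.255.0 10.0.0.2
!
! Second NAT to the public address. The ACL defines which sources are
! translated: 10.0.0.2 for option A, 192.168.1.0/24 for option B.
ip access-list standard NAT_SOURCES
 permit 10.0.0.0 0.0.0.3
 permit 192.168.1.0 0.0.0.255
!
ip nat inside source list NAT_SOURCES interface GigabitEthernet0/1 overload
```

The practical difference is visibility and return routing: with option A the router's NAT table and any logging on it only ever show 10.0.0.2, which makes per-host attribution on the router impossible and pushes all that state onto the ASA; with option B the router sees real inside addresses, but forgets the 192.168.1.0/24 static route or the matching ACL entry and return traffic silently dies at the router. On ASA versions before 8.3 the same two options are written as `nat (inside) 1 192.168.1.0 255.255.255.0` plus `global (outside) 1 interface`, and `nat (inside) 0` with an access-list for the no-NAT case.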