Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3043
Views
0
Helpful
3
Replies

FIREWALL BEHIND ROUTER NAT ETC

Go to solution
simon clarke
Level 1
Level 1

‎08-10-2017 09:09 AM - edited ‎03-12-2019 02:48 AM

Hi 

I really struggling with a topology that consists of a firewall behind a router could anyone help/explain the below question 

If the network between the firewall and the router was a private address ie 10.x.x.x and the internal private subnet was 192.x.x.x would you nat the 192 address to the 10 address ?

would you have a default route on the firewall 0.0.0.0 0.0.0.0 toward the 10.x address on the router?

would you name the 192 interface inside and the 10 interface outside?

would you have to nat again from the 10 address to the public ip address of the router's wan facing interface ?

any help would be greatly appreaciated 

thanks in advance 

Simon 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ryan Curry
Level 1
Level 1

‎08-14-2017 12:04 PM

Hi Simon, looking over your question you are correct on all assumptions.  The inside interface is typically your most trusted environment (i.e. what you or your organization has control over) whereas outside is that which you have little to no control over.

Your default route will point to the 10. network since you're essentially saying "I don't have a specific route to this traffic so it must go to you".

You would NAT the 192. addresses into the 10. addresses so that the packet, once it's outside of your network which would be the 10. space, knows how to get to the next route.

You would again need to NAT the 10. address because the 10.x.x.x space does not route on the Internet so it needs to be assigned a real address via NAT.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Ryan Curry
Level 1
Level 1

‎08-14-2017 12:04 PM

Hi Simon, looking over your question you are correct on all assumptions.  The inside interface is typically your most trusted environment (i.e. what you or your organization has control over) whereas outside is that which you have little to no control over.

Your default route will point to the 10. network since you're essentially saying "I don't have a specific route to this traffic so it must go to you".

You would NAT the 192. addresses into the 10. addresses so that the packet, once it's outside of your network which would be the 10. space, knows how to get to the next route.

You would again need to NAT the 10. address because the 10.x.x.x space does not route on the Internet so it needs to be assigned a real address via NAT.

0 Helpful

Go to solution
simon clarke
Level 1
Level 1
In response to Ryan Curry

‎08-14-2017 12:54 PM

Hi Ryan,

thanks for taking the time to look over my question and clarifying it.

much appreciated 

Simon 

0 Helpful

Go to solution
tonyk0001
Level 1
Level 1
In response to simon clarke

‎08-22-2017 08:53 AM

Hi Simon,

 

I hope Ryan's advise helped you but just to add on to that.

 

Sometimes its not a must to do the NAT between the ASA and Router and then do another one on the router interface facing the Internet.

 

You may decide to do what they call NO NAT between the ASA and the router so that your IP from the Inside zone or any zone your coming from doesnt change unless when going to the INTERNET.

 

Regards

 

Tony 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card