Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
700
Views
0
Helpful
5
Replies

global internetout

Go to solution
jcalero
Level 1
Level 1

‎08-30-2012 01:21 PM - edited ‎03-11-2019 04:48 PM

Hi all,

Wonder if someone can help me get my head around a NAT question. I understand how NAT works in a standard setup I.e the firewall or router has an interface with a public ip, but I have seen a global internet out statement on a firewall that sits in the Internet DMZ along side the Internet router which does have an interface in the public address space, that the global NAT on the firewall translates all internal clients to when accessing the Internet.

Can anyone explain how the NAT occurs if the firewall doesn't have a public address space assigned. If it receives a packet destined for the Internet and it translates it to a public the address how is it routed to the Internet firewall. The default route on the firewall is the private HSRP address of the internet routers running BGP

Any help appreciated - thanks

Sent from Cisco Technical Support iPad App

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to jcalero

‎09-07-2012 09:34 AM

Hello Jesus,

That is correct

To rate a post just hit the stars on bellow each post, the more helpful the post is, the more stars you give.

Regards,

Also if there is no other question you can make you can change the status of the question to an answered status.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎08-30-2012 01:45 PM

Hello Jesus Calero,

I am not sure if I understood your question but here is what I think.

Nat is not only used in order to allow private Ip addresses to access the internet.

The also are used to hide the private range Ip address ( Security Purposes) among other functions.

Now the NAT is in charge of just changing the Source or destination information on the Ip header or the port numbers on the TCP or UDP header.

Inside-192.168.12.1----ASA---192.168.15.0 Outside-----ISP Router----4.2.2.0

As you can see on the above example the ASA has 2 different broadcast domains and those belong to a private range.

Now if the ASA wants to go to the internet he will need to send the traffic to the ISP router  based on his routing table( this one will perform the other nat translation)

As you might think on this scenario we might need to use NAT on the ASA or not, that just depends of our desing.

Regards,

Julio

Remember to rate all the helpful posts, that is as importan as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
jcalero
Level 1
Level 1
In response to Julio Carvajal

‎08-30-2012 02:19 PM

Hi thanks for the response. Hope this helps

Inside-192.168.12.1--ASA-192.168.15.2--- Internet DMZ -192.168.15.1 -

ISP Router--4.2.2.1

The ASA has global Internet out NAT of 4.2.2.2 and the Default route for the ASA is 192.168.15.1 How does the FW translate a 192.168.12.1 address to 4.2.2.2 and how does it end up traversing the router? If the source is 4.2.2.2 once the router receives a packet back destined for 4.2.2.2 how would it know the source is actually the ASA if the ASA doesn't have a 4.2.2.0 address on an interface?

Hmmm not sure if that is any clearer

Sent from Cisco Technical Support iPad App

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to jcalero

‎08-30-2012 03:19 PM

Hello Jesus,

Sure I understand your query now.

This is because of the amazing Proxy-Arp feature and gratitious Arp This allows the ASA to let the other devices know he has X ip address.

So the other devices will send the traffic to it's interface Mac Address.

So in the scenario you draw the ASA is going to say to router I am 4.2.2.2, please send me the packets to my outside interface MAC address even if no one has asked. Then the router will learn that and place it on it's arp table.

Remember to rate all the posts


Regards,

Julio

CCSP

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
jcalero
Level 1
Level 1
In response to Julio Carvajal

‎09-07-2012 08:13 AM

Thanks a million, this has been bugging me for a while.  So even if the router has a local subnet on the 4.2.2.0 network it will still send a packet through to it's internal network 192.168.15.0 because there is a device advertising it has ip 4.2.2.2?

Many thanks.  Apologies in getting back

How do I rate a post?

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to jcalero

‎09-07-2012 09:34 AM

Hello Jesus,

That is correct

To rate a post just hit the stars on bellow each post, the more helpful the post is, the more stars you give.

Regards,

Also if there is no other question you can make you can change the status of the question to an answered status.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card