02-14-2022 12:05 AM
I'm dealing with a strange design for a firewall where it is connected like this: ISP router interface 192.168.10.1 > firewall outside interface 192.168.10.2 > firewall inside interface 192.168.1.1 > switch interface 192.168.1.1
As you can see, the firewall outside IP is private and the public IP for the site (195.1.1.1/24) seems to be forwarded from the ISP router to the firewall, which I'm not sure about, as I don't have the ISP router config. I'm guessing the ISP router has a route like: if you want to reach 195.1.1.1/24, go to the firewall outside interface 192.168.10.2, where it gets NATted to the inside network? Is this a good, stable practice?
02-14-2022 12:12 AM - edited 02-14-2022 12:44 AM
@baselzind yes, it will work. It's less ideal than having the public IP address assigned as the outside IP address of the firewall, but it will work if that's all you can do.
Obviously you'd need to NAT outbound traffic from the inside (192.168.1.0/24) network behind the ASA's outside interface for internet access, but this will work.
02-14-2022 01:38 AM
Is it possible to configure remote VPN in this scenario? Does the ISP need to NAT a public IP to my firewall outside interface?
02-14-2022 02:01 AM
@baselzind yes, the ISP needs to static NAT to the ASA's outside interface, on UDP/500 and UDP/4500 for IPsec VPN, or TCP/443 and UDP/443 if SSL/TLS VPN.
02-14-2022 05:25 AM
Well, I'm already NATting the traffic to come out from the inside and use the outside interface IP using PAT. Does the ISP router also NAT my outside interface traffic in order to reach the internet?
02-14-2022 05:29 AM
@baselzind yes, they'd have to be NATting for your private IP address to reach the internet.
02-14-2022 05:31 AM
Please, is this double-NAT design stable? Or might I run into serious issues in the future?
02-14-2022 05:34 AM
@baselzind it will work, I do it at home, but I'd prefer not to do it for a customer design unless I had to.
If it's just a small implementation/basic design it should be fine. What other requirements do you have for the firewall?
02-14-2022 10:13 AM
I agree with @Rob Ingram, this wouldn't be the best design. Personally I would try to negotiate with the ISP a solution to assign the firewall outside interface a public IP. If that is not possible, then to ease things I would ask the ISP to create a static NAT rule pointing to the firewall outside interface without specifying any port, just a 1:1 rule mapping 195.1.1.1 to 192.168.10.2. This would allow you to be a little more independent rather than going back and forth asking the ISP to add additional NAT rules to map additional ports for the services that would need to be terminated on the firewall in the future. With regard to the double NATting, that would depend on the ISP device; as they have their inside interface configured with a private IP, they most likely would be applying PAT on their device. If that is the case, then you don't have to apply any NAT/PAT on the firewall.
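To make the two options discussed in this thread concrete, here is an ASA-side configuration for the topology in the first post. This is an added example, not configuration posted by anyone in the thread; it assumes the interfaces are named `inside` and `outside`, ASA 8.3+ object NAT syntax, and that the ISP router at 192.168.10.1 is the only next hop. The addresses are the ones given in the thread.

```cisco
! Added example (not from this thread). Assumes interfaces named
! "inside"/"outside" and ASA 8.3+ object NAT syntax.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.10.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Default route toward the ISP router's private-side address
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
!
! Option A (what the original poster already runs): PAT the inside
! network behind the ASA outside interface. The ISP router then
! translates 192.168.10.2 again behind 195.1.1.1, i.e. double NAT.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Option B (the 1:1 static NAT suggested in the last reply): if the ISP
! maps 195.1.1.1 <-> 192.168.10.2 with no port restriction, every port
! reaches the ASA outside interface, so remote-access VPN can terminate
! here without further ISP changes. Whether the PAT rule above can then
! be dropped depends on whether the ISP device also translates
! 192.168.1.0/24 sources; confirm that with the ISP before removing it.
!
! Remote-access VPN listeners on the outside interface
! (IKEv2 udp/500 + udp/4500; SSL/TLS tcp/443 and DTLS udp/443)
crypto ikev2 enable outside
webvpn
 enable outside
 anyconnect enable
!
! Verification commands (these exist on ASA):
! show nat detail   -> hit counters per NAT rule
! show xlate        -> active PAT entries for 192.168.1.0/24 hosts
! packet-tracer input inside tcp 192.168.1.10 40000 198.51.100.1 443
!   -> walks an outbound flow through route lookup, ACL and NAT phases
```

After applying this, `show xlate` should list translations with the outside interface address 192.168.10.2 as the mapped source; the second translation to 195.1.1.1 happens on the ISP router and is invisible from the ASA, which is exactly why the 1:1 mapping in option B makes troubleshooting easier than per-port rules.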