Nat in Cisco Firewall

aryarahul
Level 1

Hello,

As shown in the diagram attached, I have 2 firewalls, one to be used as internal and the other as external, but I have only one public IP, which will be on the outside interface of the external firewall.

So as shown in the diagram, can I NAT 192.168.1.2, which is behind the internal firewall, to the outside interface of the external firewall?

When I try to apply static NAT rules it asks me to translate it on to an interface, but in this case my direct outside interface is that of the Internal Firewall.

How can I access the internet on my desktops, and how can I expose servers onto the public IP? The servers are located in the DMZ of the internal firewall.

7 Replies

Jouni Forss
VIP Alumni

Hi,

Well, since we are talking about an internal firewall behind which some of the servers are located, then you could possibly configure the internal firewall so that it DOESN'T DO any NAT. And since you have only one public IP address on the external firewall, you will need to configure Static PAT (Port Forward) and forward the services you need to that server.

Also, you should configure Dynamic PAT on the external firewall for all the local networks behind it so they can use the single public IP address you have. In this case you naturally have to make sure that the external firewall has a route towards every network behind it, even the ones behind the internal firewall.

Naturally, if you have multiple servers that need to be accessed with the same services, then that is not possible without changing the port visible to the external public network. For example, you can't Static PAT public port TCP/80 twice.

- Jouni

Thanks for the reply Jouni, I'm planning to access internal services publicly using different ports.

But what I don't understand is that if I do not use NAT for internal users behind the internal firewall, then how can I access the internet from internal hosts?

On a single firewall we can NAT the internal IPs on to the outside interface, but this can't be done here, because for the internal firewall the outside interface is also public, so how can I access the internet on the internal desktops?

Hi,

From what I understood from your picture, it seems:

  • You have an External and an Internal Firewall.
  • There is a private network behind the Internal firewall and also a private network between the Internal and External firewalls
    • 192.168.1.0/24 and 192.168.2.0/24 perhaps
  • You have a single public IP address available in the whole network and that is configured on the External firewall's "outside" interface

With the above in mind, I was suggesting that, since you only have private networks behind the External/Internal firewalls, you could leave out all NAT configurations from the Internal firewall, as there is no real reason to NAT IP addresses in your local LAN if there is no overlapping.

Your External firewall would naturally be forwarding some ports to the Internal servers by using its single public IP address and some public TCP/UDP port.

You do say that your Internal firewall's "outside" interface also has a public IP address, but it doesn't mention anything about it in the picture. If you refer to the fact that you have configured Static NAT for the Internal firewall's "outside" on the External firewall, then you should NOT do that, since you would be essentially dedicating that single public IP address you have to the Internal firewall.

- Jouni

Thanks Jouni, but I think I have not been clear with the requirement, so I will explain once again.

I do not intend to use NAT on the Internal firewall (except for Internet access for internal users), nor will I be using any public IP on the internal firewall. Now I have one WAN IP configured on the outside interface of my External Firewall. From the internet cloud I think I can redirect the same IP using different ports to the services behind my internal firewall, but my problem is that I have users in the inside zone of the Internal firewall who I have to give access to the Internet, so how can I use NAT for those users? How can I NAT those users to an interface such that they can access the internet? In simple words, how can the users or the development team in the inside zone behind the internal firewall be given access to the Internet?

Hi,

That is how I've understood it too.

Naturally I don't know yet what your software level is on those ASAs, as it affects the NAT configuration format used. The change in the NAT configuration happened between software levels 8.2 -> 8.3.

But as I have said before:

From your picture and explanation I gather that the Internal firewall doesn't really require NAT configurations BECAUSE it's not on the edge of the LAN and WAN and doesn't hold a public IP address itself. Also there is no point configuring any other NAT either, since it should be OK for all hosts behind the External and Internal firewall to communicate with their original IP addresses.

On the External firewall we will want to configure Dynamic PAT for all the users behind the firewall so they can access Internet.

The below configurations can naturally be different depending on what your interface names are and what the actual networks are. And as I said, the software level might mean that the NAT configuration format is totally different.

On the External Firewall you will simply configure:

global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0

The above would do Dynamic PAT towards the Internet for both of your LAN networks shown in the picture you have attached to the original post.

Naturally, you will also have to make sure that routing is correct.

The External ASA will have to have a route towards both the WAN and the LAN:

route outside 0.0.0.0 0.0.0.0
route inside 192.168.1.0 255.255.255.0 192.168.2.1

The Internal ASA will have to have a route towards the External ASA so it knows where to forward traffic bound for the Internet:

route outside 0.0.0.0 0.0.0.0 192.168.2.2

And as I said before, you shouldn't really need ANY NAT configurations on the Internal firewall, as ONLY the External firewall is going to do the NAT towards the WAN, since it holds the public IP address.

- Jouni

And naturally the Static PAT (Port Forward) configurations on the External firewall for the Internal hosts could look something like this:

static (inside,outside) tcp interface 192.168.1.x netmask 255.255.255.255
static (inside,outside) udp interface 192.168.1.x netmask 255.255.255.255

And again, depending on your software level the NAT configuration might look completely different.

- Jouni
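The Dynamic PAT, routing and Static PAT pieces from the replies above, collected into one configuration for each ASA, as an added illustration that is not part of the thread or of any Cisco documentation. It assumes the interface names and networks named in the thread, the server 192.168.1.2 from the original question, a constructed public port 8080 forwarded to TCP/80 on that server, and a placeholder for the ISP next hop that the thread does not give; the 8.3+ section shows the same translations in the object-based format that the replies mention but do not spell out.

```text
! ---- External ASA, 8.2 format (holds the single public IP on "outside") ----
! Default route to the ISP; the next hop is a placeholder, not given in the thread
route outside 0.0.0.0 0.0.0.0 <ISP-GATEWAY>
! Route back to the LAN behind the Internal ASA, via the Internal ASA's outside address
route inside 192.168.1.0 255.255.255.0 192.168.2.1
! Dynamic PAT: both private networks share the outside interface address for Internet access
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
! Static PAT: public TCP/8080 on the outside address -> 192.168.1.2 TCP/80 (constructed ports)
static (inside,outside) tcp interface 8080 192.168.1.2 80 netmask 255.255.255.255
! A static translation alone does not admit traffic arriving on the lower-security outside
! interface; an inbound ACL is still required. In 8.2 the ACL matches the translated
! (public) address and port, and it should permit only the ports actually forwarded.
access-list OUTSIDE_IN extended permit tcp any interface outside eq 8080
access-group OUTSIDE_IN in interface outside

! ---- Internal ASA, 8.2 format (no NAT; only a default route toward the External ASA) ----
route outside 0.0.0.0 0.0.0.0 192.168.2.2
! If nat-control is enabled on this unit, traffic with no matching NAT rule is dropped;
! either keep it disabled (the default) or add identity NAT, e.g. nat (inside) 0 192.168.1.0 255.255.255.0

! ---- External ASA, 8.3+ format: the same translations expressed with network objects ----
object network NET_LAN1
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network NET_LAN2
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network SRV_WEB
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 80 8080
! In 8.3+ the inbound ACL references the real (untranslated) server address and port
access-list OUTSIDE_IN extended permit tcp any object SRV_WEB eq 80
access-group OUTSIDE_IN in interface outside
```

After applying either format, `show xlate` and `packet-tracer input outside tcp <any-source> 1025 <public-ip> 8080` confirm that the translation and the ACL both match before the service is reachable from the Internet.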

Thanks a lot Jouni, I think my doubt is now cleared. Will test it out and let you know the outcome.
