NATting queries

Kaushik Ray
Level 1

Hello All

I have a query regarding a setup I am working on.

There is a Firewall in the setup which does a PAT of a range of 10.xxx.xxx.xxx IP addresses to a Public IP Address that exists on a Router which is the next hop. This Router in turn does a PAT for a Remote Router with a 192.168.xxx.xxx range of IP addresses to provide them with an ISP connection. Now a user on the Remote Router with the 192.168.xxx.xxx range wants to set up a firewall in their network and wants a Public IP address assigned to it so that it is reachable from the Internet.

My question is: if I set up a static 1:1 NAT from 192.168.xxx.10 (say) to 10.xxx.xxx.10 (say) on the first router and create a new NAT on my firewall to static NAT 10.xxx.xxx.10 to a Public IP address, will the new firewall device at the remote end be reachable from the Internet?

Would be grateful to have your views.

Many Thanks in advance.


shamax_1983
Level 3

Hi Kaushik,

So you've got a Public IP subnet between your ASA and the Router? What do you mean by "which does a PAT to a range of 10.xxx.xxx.xxx IP address to a Public IP Address that exists on a Router which is a next hop"? Your setup needs a bit more clarification. Please give us a clearer picture of what you want to achieve.

Shamal

Thanks Shamal, I have sent you a private message with the drawing of the setup.

Hello,

I would be more than glad to help, but unfortunately the question is not clear enough.

Please try to explain one more time so we can help.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Kaushik,

I had a look into your diagram.

Now, if you don't have a specific requirement to do the double NATting along the way,

What you can do is,

Assign a secondary IP on the router: 192.168.99.91

And have specific static routes for 192.168.99.91 255.255.255.255 pointing to the next hop on all intermediate routers/firewalls.


Then directly do a 1:1 NAT from the New-Public-IP to 192.168.99.91.

Also, make sure you exempt 192.168.99.91 from being PAT'ed along the way.

E.g., on the Router in the middle:

!
access-list 170 remark exempt the 1:1 NAT host from PAT, PAT the rest of the remote LAN
access-list 170 deny ip 192.168.99.91 0.0.0.0 any
access-list 170 permit ip 192.168.99.0 0.0.0.255 any
!

--------------------

With your proposed setup, it should still work, but you will have to have specific static routes for each 1:1 NAT'ed IP pointing to the correct next hop. (That is if you did not use an IP address on the interfaces as the NAT'ed IP; as mentioned earlier, when you NAT something, there should be someone on the other side to accept the reply packet OR you have to have static routes.)

Let me know how you

Also, don't forget to rate/mark helpful posts.

Shamal

Thanks Shamal for your response. Should the secondary IP be .91 or the .90 which is the IP address of the new firewall to be put in?

Thanks

Kaushik

Hi Kaushik,

Maybe I understood the situation wrong. Is this new firewall already in place and doing some sort of PAT'ing, or is this a new firewall you are planning to implement?

If this is already in place and already being PAT'ed out for Internet access (at your firewall with some public IP) and you want to keep it that way, and you want the new public IP 1:1 NAT'ed on to the new firewall, you may use 192.168.99.91 because I think in that case you are already using .90 for PAT.

If this is a new firewall and nothing has been done yet, you can assign only .90 and do the 1:1 NAT (no need to use the secondary IP).

In any case make sure you exempt this IP (.90 or .91) from being NAT'ed when the traffic passes through the two routers in the middle, and only get it 1:1 NAT'ed at the edge firewall. Also make sure you add a static route on the edge firewall and the next router (the one connected to the edge firewall) so they know where 192.168.99.90 (or .91) lives.

Let me know how you go with this setup.

Also please don't forget to rate helpful posts.

Shamal
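The following configuration is an added illustration of Shamal's two answers above (PAT exemption on the middle router, a 1:1 static NAT only at the edge ASA, and host routes for the return path); it is not from the thread or from Cisco. Interface names, the 10.0.0.x/10.0.1.x transit addresses, the public IP 203.0.113.10 and the permitted port 443 are all assumed; substitute .90 for .91 if the new firewall does not already have an address in use for PAT, as the second answer explains.

```cisco
! ---- Middle router (Cisco IOS). Assumed names and addresses, example only ----
! Gi0/0 faces the remote router / 192.168.99.0/24 site, Gi0/1 faces the edge ASA.
interface GigabitEthernet0/0
 description Towards remote 192.168.99.0/24 site
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Towards edge ASA
 ip address 10.0.1.2 255.255.255.0
 ip nat outside
!
! PAT everything from the remote LAN except the host that gets the 1:1 NAT at the edge.
! A deny in a NAT ACL means "do not translate"; it does not drop the packet.
access-list 170 remark exempt the 1:1 host from PAT, PAT the rest of the remote LAN
access-list 170 deny   ip host 192.168.99.91 any
access-list 170 permit ip 192.168.99.0 0.0.0.255 any
ip nat inside source list 170 interface GigabitEthernet0/1 overload
!
! Return path: the ASA forwards packets for the real (inside) address here, so this
! router must know that the remote router (assumed 10.0.0.2) is the way to .91/32.
ip route 192.168.99.91 255.255.255.255 10.0.0.2

! ---- Edge firewall (Cisco ASA 8.3 or later). Assumed public IP 203.0.113.10 ----
object network REMOTE_FW
 host 192.168.99.91
 nat (inside,outside) static 203.0.113.10
!
! Since ASA 8.3 the inbound ACL matches the real (untranslated) address, so reference
! the object, not the public IP. Permit only the service the remote firewall has to
! expose (443 assumed here) instead of "ip any", and tighten the source if it is known.
access-list OUTSIDE_IN extended permit tcp any object REMOTE_FW eq 443
access-group OUTSIDE_IN in interface outside
!
! Host route so the ASA sends traffic for the real address toward the middle router.
route inside 192.168.99.91 255.255.255.255 10.0.1.2 1
```

Two checks are worth running once this is in place. On the ASA, `show nat` confirms the static object NAT is listed ahead of any dynamic PAT that would otherwise swallow .91 (a manual "twice NAT" rule placed in section 1 still takes precedence over object NAT, so an existing PAT written that way needs its own exemption), and `packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 443` (source address constructed) walks an inbound packet through the ACL, NAT and route lookup and shows exactly where it would be dropped. On the IOS router, `show ip nat translations` after a test connection should show no entry for 192.168.99.91, which proves the ACL deny is exempting it from PAT.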
