
Triple NATting

Hi friends,

I have some doubts about the scenario below.

--------Internet router ----------------> ASA Context (Virtual) Firewall -----------------> ASA 5510 Firewall ---------------->Core switch.

Internet router:                gig0/0 1xx.2xx.3xx.4     gig0/1 10.0.10.1
ASA Context (Virtual) Firewall: eth0/0.4 10.0.10.2/30    eth0/1 10.0.10.5/30
ASA 5510 Firewall:              eth0/0 10.0.10.6/30      eth0/1 192.168.10.4
Core switch:                    fa0/47

I need to access the internet from the core switch. I have another virtual firewall connected to another network.

I need to limit the other network's traffic into here through the physical (ASA 5510) firewall.

So I need to configure NATting in three places: the internet router, the context firewall, and the ASA 5510 (v8.3).

If I do NATting on all devices, it may affect the bandwidth of the network (bottleneck).

Or is there any other way to resolve it?

Please advise me.

Thanks.


Re: Triple NATting

Hi,

If you NAT, the NAT process takes up system resources.

Honestly, I don't see the need for NATting more than once (perhaps twice for overlapping), but why three times?


Federico.

Beginner

Re: Triple NATting

Hi Federico,

Thanks for your reply.

On the internet router, I will NAT the 10.0.10.0 range to a public IP to rate-limit the bandwidth for this network.

On the virtual firewall and the physical firewall, I will NAT the inside and outside interfaces.

Is it possible to reduce the NATting in this scenario?

Or please send any other suggestions for this.

Regards,

Saravanan.

Cisco Employee

Re: Triple NATting

Hi Saravanan,

Mike here. Well, if you are talking about doing self-translations (NAT to themselves) until they get to the router, it is not going to cause latency issues.

However, it is very important to mention that if you have applications behind the core switch that need to have internet access and are also sensitive to TCP sequence numbers, you may want to disable the randomization of TCP sequence numbers on one of the ASAs.

For the rest, I don't see a problem.

Cheers

Mike

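As an added illustration (not configuration from anyone in this thread), here is what Mike's two points look like on the ASA 5510 in 8.3 syntax: an identity ("self") twice-NAT rule so inside hosts pass this hop untranslated, and a policy class that disables TCP sequence-number randomization only for that subnet. The inside network 192.168.10.0/24, the nameifs "inside"/"outside" and the object, ACL and class names are assumptions.

```cisco
! Added example, not from the thread. ASA 5510 on 8.3+; the inside network
! 192.168.10.0/24 behind the core switch and the nameifs inside/outside are
! assumed, and the object/ACL/class names are made up for this illustration.
!
! 1. Identity ("self") twice NAT: inside hosts leave toward the context
!    firewall with their real addresses, so this hop keeps no translation
!    state beyond the normal connection entry.
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET
!
! 2. Disable TCP ISN randomization for that subnet only, and only on this
!    one ASA as Mike suggests. Randomization shields hosts with predictable
!    ISNs from sequence-number guessing, so scope the class to the
!    sequence-sensitive applications rather than disabling it globally.
access-list NO_TCP_RANDOM extended permit tcp 192.168.10.0 255.255.255.0 any
class-map NO_TCP_RANDOM_CLASS
 match access-list NO_TCP_RANDOM
policy-map global_policy
 class NO_TCP_RANDOM_CLASS
  set connection random-sequence-number disable
service-policy global_policy global
```

`show nat` shows the identity rule and its hit count, and `show service-policy` confirms the class is matching; the ASA 5510 is the sensible place for the rule since it is the hop closest to the core switch.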