08-31-2006 12:34 PM - edited 03-09-2019 04:04 PM
I have a requirement as described in the attached diagram.
I want your feedback on whether the proposed solution will work for the stated requirement.
I do not have test devices to test this, nor can I experiment on production devices, so your opinion on this solution will be appreciated.
If you feel this solution will not work, or if you have a more elegant solution, please suggest it.
Btw, Host A will never initiate a session to Host B. Host B will always initiate the session to Host A.
PS - Please don't mind the shapes of the PIX and routers.. I had them drawn by my lovely daughter .. :-)
08-31-2006 09:23 PM
08-31-2006 09:24 PM
Hi,
You have mentioned that only Host B is going to initiate a session to Host A.
Your conditions.
1) B should see A as 10.10.10.200
2) A should see B as 172.32.1.2
Hence the flow will be as follows
Step 1
******
B will send a packet to A, in this packet, the destination of A will be 10.10.10.200
Step 2
******
This packet will traverse the ASA from outside to inside, so a static NAT should be configured on the ASA to translate the destination address to the original address of A.
static (inside,outside) 10.10.10.200 172.16.1.23 netmask 255.255.255.255
This is correct.
Step3
*****
This packet will now hit the inside interface of the PIX.
Here the source IP will be 172.16.7.5 (original address of Host B) and the destination IP will be 172.16.1.23.
Now this PIX needs to translate the source IP of this packet to 172.32.1.2.
Hence here also you need to have a static NAT configured as follows:
static (inside,outside) 172.32.1.2 172.16.7.5 netmask 255.255.255.255
Only then will the PIX translate the source IP from 172.16.7.5 to 172.32.1.2.
If you configure PAT on this PIX, it will only alter the destination IP, not the source IP. But what we want to achieve at this stage is to translate the source IP of B.
As Host A is residing in the outside segment of the PIX, Host A cannot initiate a session to B unless you have an explicit ACL on the PIX. By default, traffic from the outside to the inside segment will be blocked on the PIX.
Hope this clarifies the concepts involved in your requirement.
Rate the post if you find it helpful.
-VJ
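To make the three steps above concrete, here is an added walk-through that is not part of the original thread and not code from the posters or from Cisco. It models the PIX/ASA `static (real_ifc,mapped_ifc) mapped_ip real_ip` semantics as a small packet simulator: a packet entering the real-side interface has its source rewritten real -> mapped, and a packet entering the mapped-side interface has its destination rewritten mapped -> real. It then carries B's first packet through the ASA and the PIX, carries A's reply back, and shows A being dropped when it tries to start a session of its own. The addresses are the ones quoted in the thread; the interface names, the session-tracking flag and the ACL table are assumptions made for the model (the ACL table assumes pre-8.3 PIX/ASA behaviour, where nothing may initiate from the outside interface without an access-list and that access-list is written against the mapped destination address).

```python
"""
Two-hop static NAT walk-through (added example, not the posters' code).
Models 'static (real_ifc,mapped_ifc) mapped_ip real_ip netmask /32':
  * entering the real-side interface: SOURCE rewritten real -> mapped
  * entering the mapped-side interface: DESTINATION rewritten mapped -> real
Interface names, the new_session flag and the ACL table are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Static:
    """One 'static (real_ifc,mapped_ifc) mapped_ip real_ip' line."""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str


class Firewall:
    def __init__(self, name: str, statics: list, inbound_acl: Optional[dict] = None):
        self.name = name
        self.statics = statics
        # ifc -> set of (src, dst) pairs allowed to START a session there.
        # Assumed pre-8.3 behaviour: with no access-list applied, nothing may
        # initiate from the lower-security (outside) interface, and the
        # access-list is matched against the MAPPED destination address.
        self.inbound_acl = inbound_acl or {}

    def forward(self, pkt: Packet, ingress: str, new_session: bool) -> Optional[Packet]:
        """Return the packet as it leaves the far interface, or None if dropped."""
        if new_session and ingress == "outside":
            if (pkt.src, pkt.dst) not in self.inbound_acl.get(ingress, set()):
                return None  # default deny: outside -> inside without an ACL
        out = pkt
        for s in self.statics:
            if ingress == s.real_ifc and out.src == s.real_ip:
                out = replace(out, src=s.mapped_ip)   # real -> mapped on the way out
            elif ingress == s.mapped_ifc and out.dst == s.mapped_ip:
                out = replace(out, dst=s.real_ip)     # mapped -> real on the way in
        return out


# ASA facing Customer B over the VPN: A is published to B as 10.10.10.200.
ASA = Firewall(
    "ASA",
    [Static("inside", "outside", "10.10.10.200", "172.16.1.23")],
    # B (172.16.7.5) must be explicitly permitted to start sessions to the
    # mapped address of A; otherwise the ASA drops B's first packet.
    inbound_acl={"outside": {("172.16.7.5", "10.10.10.200")}},
)

# PIX facing Customer A: B is presented to A as 172.32.1.2, which avoids the
# 172.16.x.x overlap between the two customers.
PIX = Firewall("PIX", [Static("inside", "outside", "172.32.1.2", "172.16.7.5")])


def b_to_a(pkt: Packet) -> tuple:
    """B -> ASA (outside->inside) -> PIX (inside->outside) -> A; returns both hops."""
    after_asa = ASA.forward(pkt, "outside", new_session=True)
    after_pix = PIX.forward(after_asa, "inside", new_session=True) if after_asa else None
    return after_asa, after_pix


def a_reply_to_b(pkt: Packet) -> tuple:
    """A's reply on the existing session: PIX (outside->inside) -> ASA (inside->outside)."""
    after_pix = PIX.forward(pkt, "outside", new_session=False)
    after_asa = ASA.forward(after_pix, "inside", new_session=False) if after_pix else None
    return after_pix, after_asa


def a_initiates_to_b(pkt: Packet) -> Optional[Packet]:
    """A opening a NEW session towards B: no ACL on the PIX outside interface."""
    return PIX.forward(pkt, "outside", new_session=True)


if __name__ == "__main__":
    first = Packet("172.16.7.5", "10.10.10.200")      # constructed: what B sends
    print("B->A        :", b_to_a(first))
    reply = Packet("172.16.1.23", "172.32.1.2")       # constructed: what A sends back
    print("A->B reply  :", a_reply_to_b(reply))
    print("A initiates :", a_initiates_to_b(reply))   # None: dropped by the PIX
```

Running it shows B's packet arriving at A as `172.32.1.2 -> 172.16.1.23`, A's reply arriving at B as `10.10.10.200 -> 172.16.7.5`, and A's own connection attempt returning `None`. The ACL on the ASA outside interface is the one piece the thread does not spell out: the static publishes A's mapped address, but on its own it does not permit B to open the session.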
08-31-2006 10:37 PM
Hi,
Just noticed your correction post after my update. As I hadn't saved the previous attachment, I couldn't notice any change in the diagram from the inputs that I assumed.
Refer to my comments above in the previous post and get back to us for further clarifications.
HTH
-VJ
08-31-2006 11:52 PM
Hi VJ, thanks for your response.
I disagree with you on Step 3.
PAT will never change the destination; it would change the source.
Btw, there is no requirement to initiate traffic from Host A. So, no ACL is required on the outside i/f of the PIX.
I was more concerned about the static on the ASA, as I was using any internal IP to NAT from outside, but I am convinced now that this will work. I was getting confused with bidirectional NAT earlier to address the overlapping address space with 172.16.x.x between Customer A and B.
Another point to note here is that traffic between my site and Customer B is via VPN over the Internet. I hope that shouldn't make any difference.
Let me know if you disagree.
09-01-2006 12:00 AM
Hi,
Oops, I messed it up.
Thanks for correcting me.
You are correct.
-VJ
09-13-2006 08:08 PM
Venkat,
Let me know if you could get this to work.
Regards,
Mohan
09-13-2006 08:41 PM
Yes, Mohan, it worked!