How to NAT with ISR 4431 at edge doing basic PAT with a FPR 2110 behind it doing NAT statements from an old ASA image

Hello all,

 

I have a client that wants an ISR 4431 at the edge of the network, with a FPR 2110 behind it. They used to have an ASA at the edge, doing all of the routing and NAT'ing. I have converted the ASA config to the FPR, but now I have the Outside interface facing the ISR, with a private subnet between them (172.23.10.0/24). The FPR can only reach the Internet if I have NAT on the ISR (basic PAT on the ISR, NAT out, NAT in, inside source list 1 int g0/0/1 overload), so it's a double NAT scenario but traffic does reach the Internet. I tested this by attaching a client on an unused port on the FPR, and it is getting Internet access. The big problem is that the old ASA (now the FPR) has NAT statements converting private IPs to certain public IPs on the Outside interface of the FPR, but the Outside interface is now in a private subnet between the FPR and ISR. I was wondering if the FPR will be able to forward the NAT'ed traffic to the private IP interface of the ISR, and the ISR then forwards it to the Internet. I am trying to accomplish this in the easiest way possible without doing a ton of NAT statements on the ISR. By the way, the FPR sees the default route to the Internet. I will post route tables if needed.


balaji.bandi
Hall of Fame

Since the FP does not have a public IP bound to it, you need to rely on the ISR to do NAT here, I guess.

Then, if your FP is doing NAT, you need to translate as original so the ISR can NAT for you.

Does this make sense, or have I misunderstood the requirement?

 

BB


OK,

if you had one public IP before, then the config will be:

ASA port-forward from ASA private to ISR private with specific port

ISR port-forward from private to public, same port

ASA dynamic from ASA private to ISR private

ISR dynamic from private to public

Hello
Just to confirm, your FPR is already NATing to an inside global address of 172.23.10.0/x and you are wondering if the ISR can then NAT its LAN subnet (FPR WAN subnet) to a public routed address and obtain connectivity?
If so, then yes, it should work, as it is basically just double NATing your traffic.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,

 

Thanks for your response.  Yes, double NAT'ing is working in this scenario, as I have a TEST interface on the FPR with a private IP of 172.24.10.1/24 that has a laptop directly connected, and the laptop can access the Internet.  My concern comes in from the NAT statements that were migrated over from the old ASA.  Many of those NAT statements translated the inside and DMZ interfaces to public IP addresses since the old ASA was at the edge, but now since the FPR is behind a router, I am wondering if those translated public IPs can get to the ISR private side, and then go out of the ISR to the Internet.

 

OLD:   LAN>>private IP--ASA--public IP>>INTERNET

NEW:  LAN>>private IP--FPR--private IP>>(NAT'ed public IPs)>>private IP--ISR--public IP>>INTERNET

Hello
If those public addresses are owned by the ISP that your ISR is connecting to, then it should still work without double NATing them. You just need to make sure the ISR router knows how to reach them, that the ISP is indeed advertising them on your behalf, and that you are not trying to advertise another ISP's address range.



Kind Regards
Paul
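
The ISR side of what the last reply describes, as an added configuration sketch that is not part of the thread: the PAT access list matches only the transit subnet, so sources the FPR has already translated to public addresses leave untranslated, and a static route sends return traffic for that block to the FPR. Only 172.23.10.0/24, list 1 and g0/0/1 come from the thread; the 203.0.113.0/28 block, the 172.23.10.1 and 172.23.10.2 host addresses and the Gi0/0/0 interface are placeholders and assumptions.

```cisco
! Added example, ISR 4431 side only.
! Placeholders / assumptions (not values from the thread):
!   203.0.113.0/28  placeholder for the ISP-assigned public block used in
!                   the FPR's migrated NAT statements
!   172.23.10.1     assumed ISR address on the transit subnet
!   172.23.10.2     assumed FPR Outside address
!   Gi0/0/0         assumed ISR interface facing the FPR
!
interface GigabitEthernet0/0/0
 description Transit to FPR Outside
 ip address 172.23.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1
 description ISP uplink
 ip nat outside
!
! Return path: the ISR must know the public block lives behind the FPR,
! otherwise inbound packets for those addresses are dropped or looped.
ip route 203.0.113.0 255.255.255.240 172.23.10.2
!
! PAT only traffic that still carries a transit-subnet source address
! (for example flows the FPR hides behind its own Outside interface).
! Sources already translated by the FPR into 203.0.113.0/28 do not match
! list 1, so the ISR forwards them without a second translation.
access-list 1 permit 172.23.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
!
! Checks on the ISR after applying:
!   show ip route 203.0.113.0     (static route via 172.23.10.2)
!   show ip nat translations      (no entries for 203.0.113.x sources)
```

If the access list were widened to `permit any`, the ISR would PAT the already-public sources as well, and inbound connections to the FPR's static NAT addresses would stop matching.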