2228 Views | 30 Helpful | 18 Replies

What IP to use for NAT?

CiscoBrownBelt
Level 6

Ok let's say my internal network subnets are on 10.1.X.X /24, and the IP on the edge router that connects to the ISP is 50.50.50.49 and the ISP is 50.50.50.50. What is the IP I would use to NAT my 10.1.X network? I am not using 50.50.50.49 correct?

1 Accepted Solution

Accepted Solutions

John made an important observation in an earlier response when he pointed out that where to do the translation depends on how many addresses the ISP has given you. The original post only talked about having 50.50.50.x. If you have addresses in a single subnet then they would need to be on the router and the translation would need to be done on the router. The drawing makes it clear that you have two subnets assigned from the ISP: one subnet used to connect the router to the ISP and another subnet to connect the FW to the router. In that case you have a choice. You could continue to do the translation on the router if you choose. But you can also do the translation on the FW. And I agree with the advice that it is better to do that translation on the FW.

 

I do not understand your question about internal translation and external translations.

 

If you have a single outside router and it connects to a single ISP then there is no redundancy. It does not matter whether you run BGP or not. With a single router/single ISP then you have a single point of failure and no redundancy.

 

With a single router and a single ISP you could run BGP. But it is not necessary to run BGP in this situation. You could get it to work very well with a simple static default route on the router forwarding traffic to the ISP (and the ISP would have its routing logic to forward traffic from the Internet to your assigned address block without requiring BGP). You could run BGP but that adds complexity to the environment that you do not need.

 

HTH

Rick

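An added example configuration (not from the thread) for the edge router in the design the accepted answer settles on: the router only routes, and the firewall does the translation. It assumes a hypothetical addressing plan consistent with the thread: a /30 on the ISP link (the thread gives 50.50.50.49 and 50.50.50.50 but no mask) and the 50.50.50.0/27 between router and firewall from the later post, with the ISP routing that /27 toward 50.50.50.49.

```cisco
! Edge router (IOS), routing only, no NAT, as the accepted answer recommends.
! Assumed addressing (hypothetical, for illustration only):
!   ISP link  50.50.50.48/30  router 50.50.50.49, ISP 50.50.50.50
!   FW link   50.50.50.0/27   router 50.50.50.2, ASA outside 50.50.50.1
!
interface GigabitEthernet0/0
 description TO-ISP
 ip address 50.50.50.49 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/1
 description TO-FIREWALL-OUTSIDE
 ip address 50.50.50.2 255.255.255.224
 no shutdown
!
! Single router, single ISP: a static default route is enough; BGP adds
! nothing for redundancy here because the router itself is the single point
! of failure.
ip route 0.0.0.0 0.0.0.0 50.50.50.50 name INTERNET
!
! 50.50.50.0/27 is directly connected, so no static route toward the ASA
! is needed. Return traffic from the Internet for the /27 arrives via the
! ISP and is forwarded to the ASA outside interface, which holds the
! translation state.
!
! If the ISP had assigned only the /30, there would be no spare public
! subnet for the firewall and translation would have to live on this router
! instead (ip nat inside/outside plus
! "ip nat inside source list ... interface GigabitEthernet0/0 overload",
! as in the PAT example earlier in the thread).
!
! Verification on the router:
!   show ip route 0.0.0.0        (default via 50.50.50.50)
!   show ip nat translations     (empty: no NAT on this box)
```

Keeping translation off the router means the NAT state table, and with it the implicit "drop unsolicited inbound" behaviour of dynamic PAT, sits on the device that also enforces the access policy; the router stays a stateless forwarder that is simple to audit.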

18 Replies

Julio E. Moisa
VIP Alumni

Hi,

 

The IP should be 50.50.50.49. If you are going to implement PAT, the configuration should be:

int g0/0
 description TO-ISP
 ip nat outside
 ip address 50.50.50.49 255.255.255.X
 no shutdown

int g0/1
 description INTERNAL-NETWORK
 ip address 10.1.x.x 255.255.255.0
 ip nat inside
 no shutdown

ip access-list standard MY-NETS
 ! standard ACLs take a wildcard mask, not /24 prefix notation
 permit 10.1.x.0 0.0.0.255

ip nat inside source list MY-NETS interface g0/0 overload

ip route 0.0.0.0 0.0.0.0 50.50.50.50 name INTERNET




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

Thanks bro!

Ok let's say I have internal switches then to a FW then to Edge Router which connects to ISP. Would I do my natting at the FW or the Edge Rt? See diagram.

johnlloyd_13
Level 9

hi,

It depends on what public IP range the ISP has given you. The .49 is the WAN IP address and this can be used for PAT/NAT overload.

But if the ISP gave you a /29 or /28 or whatever, you can use this for your NAT pool or static NAT (1-to-1 NAT).

Ok let's say I have internal switches then to a FW then to Edge Router which connects to ISP. Would I do my natting at the FW or the Edge Rt? See diagram.

Blue Belt,

 

Looking at the pic you have "ip address 50.50.50.1 255.255.255.252" on your outside on the FW, so you will have to do your NAT on the FW, not on the edge router.

 
Please remember to rate useful posts, by clicking on the stars below.

Hi,

The NAT should be configured on the firewall where the public IP addresses are located and directly connected to the ISP.

 

:-)





Oh ok. 

 

Even if the FW connects to Edge router (company) first then the ISP router?

Yes, the edge router (company) is connected to the ISP router, so the router must perform the NAT role. In this case the firewall could perform NAT, but for internal translations only, not for Internet access; that role must be done on the edge router.





Ok so you are saying, in regards to the FW, use the public IP and translate that to, let's say, 2 different subnets I have.

Ok so if these two different internal subnets on the FW are natted to the same public IP, then that traffic goes to the edge router, how do I send let's say natted subnet 192.168.200.X to one public IP, then the other subnet 192.168.300.X to let's say another gateway like a tunnel?

hi,

Do you plan to get a public LAN (like a /28) from the ISP? Or perform static NAT to advertise your servers to the Internet?

I would suggest doing the NAT on the 5585 FW and having the EdgeRT just do the routing (or eBGP for redundancy in the future) with the ISP.

Oh ok just as Julio stated, shall I do internal translations on the FW and external translations to the internet on the edge router?
In regards to eBGP, how does that come into play for redundancy if I am only using 1 edge router?


Oh ok I see.

Yes, I only have one connection/router to the ISP, so I was not sure how any routing protocol came into play there.

 

Ok let's say the outside interface on the FW is 50.50.50.1 /27 and the connecting port on the router is 50.50.50.2 /27. Do these ASA statements look about right to PAT everything on a 10.X.X.X /24?

 

object network obj-10.0.0.0/8
 subnet 10.0.0.0 255.0.0.0
object network obj-natted
 range 50.50.50.3 50.50.50.30
nat (inside,outside) source dynamic obj-10.0.0.0/8 obj-natted

Question: 

Lets say I have 2 different internal subnets connected to two different inside interfaces on the FW.

Ok so if these two different internal subnets on two different inside interfaces on the FW are natted to the same public IP, then that traffic goes to the edge router, how do I send let's say natted subnet 192.168.200.X to one public IP, then the other subnet 192.168.300.X to let's say another gateway like a tunnel?
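An added ASA (8.3 and later, twice NAT) example, written for this thread and not taken from it, showing the two-inside-interface case asked about above with a different public address per interface. Two caveats it is built around: on the ASA, a mapped object that is a range or subnet (as in the "obj-natted" snippet above) produces dynamic NAT, which hands each inside host its own public address until the pool is exhausted, whereas a single-host mapped object or the interface keyword produces dynamic PAT; and which next hop a translated subnet then takes (an Internet gateway versus a tunnel) is a routing decision, not a NAT one, which the thread does not work out. The addressing is hypothetical: outside 50.50.50.1/27 with the edge router at 50.50.50.2 as in the question, and 192.168.200.0/24 and 192.168.201.0/24 as the two inside networks (192.168.300.x in the question is not a valid address, so a constructed second subnet is used).

```cisco
! ASA twice NAT, hypothetical example; interface names and addresses are assumed.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 50.50.50.1 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside-a
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside-b
 security-level 100
 ip address 192.168.201.1 255.255.255.0
!
object network NET-A
 subnet 192.168.200.0 255.255.255.0
object network NET-B
 subnet 192.168.201.0 255.255.255.0
!
! Public addresses carved from the /27. .1 (ASA) and .2 (router) are in use,
! so the first free mapped addresses are .3 and .4.
object network PUB-A
 host 50.50.50.3
object network PUB-B
 host 50.50.50.4
!
! A single-host mapped object gives dynamic PAT: all hosts behind inside-a
! share 50.50.50.3 and are told apart by source port, likewise inside-b on .4.
! The (real,mapped) interface pair selects the rule, so traffic from each
! inside interface gets its own public address.
nat (inside-a,outside) source dynamic NET-A PUB-A
nat (inside-b,outside) source dynamic NET-B PUB-B
!
! Had a range object been used as the mapped object instead, the ASA would
! perform dynamic NAT (one public address per inside host) and stop translating
! once the range ran out; appending "interface" after the mapped object
! adds PAT to the outside interface address as a fallback.
!
! Default route toward the edge router. With one ISP link there is a single
! exit, so both translated subnets leave the same way; steering one of them
! to a different gateway would be a routing change, not a NAT change.
route outside 0.0.0.0 0.0.0.0 50.50.50.2 1
!
! Verification:
!   show nat detail     (rule hit counts, translate_hits / untranslate_hits)
!   show xlate          (live translations, per mapped address)
```

Because each inside interface maps to its own public address, inbound abuse reports or flow logs from the ISP point straight at one internal segment, which is easier to triage than a single shared PAT address for the whole site.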