Double NAT Resolution Help

Chris Mickle
Level 1

Hello All,

I need help resolving a double NAT issue that I have in my current infrastructure. My current configuration has been working and doing what I need it to do for over a year now, but I have always felt there was a more efficient way to accomplish my goal. I'm no expert on routing or firewalling by any stretch of the imagination. None of my clients use or need this type of infrastructure so my only experience is with my own, very small, setup. I have a Cisco 2811 and a PIX 525 that I have always been able to get to do what I need, but again, I'm no expert.

My situation...

I have AT&T U-Verse Business with a block of 5 usable static IPs. I have 5 internal LAN segments that each use one of my IPs. Before I had U-Verse, I used bridge mode on the ISP's router to assign my statics to the outside interface of the PIX and segmented the LAN from there. The problem I have now is that the device that AT&T is giving its business clients (Motorola NVG589) doesn't have a bridge mode. After much aggravation, I discovered that the NVG589 cannot assign more than one IP per MAC address. I found a solution on the internet to deal with this that involved using a Cisco router and the HSRP protocol to enable the NVG589 to have a single MAC address that each IP could be assigned to. I obtained the 2811 and set it up and, like I said, it has worked for a long time. The only problem is the double NAT. The only way I could figure out how to make it work was to set up HSRP with 1 physical address and 4 addresses using HSRP on the WAN interface of the 2811 and then NAT them to a new /29 address block on the LAN interface that could then be routed to the outside interface of the PIX.

My main question is: Is there a better way to accomplish the same effect without using NAT on the 2811?

I'm describing this the best way I can for being a relative novice on the subject. I have included scrubbed versions of the 2811 and PIX configs below that will hopefully clear it up for you guys.

---------2811----------

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
!
!
ip cef
!
!
ip domain name XXXXXXXX
!
!
!
!
interface FastEthernet0/0
 ip address XXX.XXX.XXX.5 255.255.255.248
 ip nat outside
 duplex auto
 speed auto
 standby timers 254 255
 standby preempt
 standby 1 ip XXX.XXX.XXX.1
 standby 1 mac-address 0000.0000.0001
 standby 2 ip XXX.XXX.XXX.2
 standby 2 mac-address 0000.0000.0002
 standby 3 ip XXX.XXX.XXX.3
 standby 3 mac-address 0000.0000.0003
 standby 4 ip XXX.XXX.XXX.4
 standby 4 mac-address 0000.0000.0004
!
interface FastEthernet0/1
 ip address 10.0.0.6 255.255.255.248
 ip nat inside
 duplex full
 speed auto
 no mop enabled
!
ip default-gateway XXX.XXX.XXX.6
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.6
!
no ip http server
ip nat inside source list acl-inet interface FastEthernet0/0 overload
ip nat inside source static 10.0.0.1 XXX.XXX.XXX.1
ip nat inside source static 10.0.0.2 XXX.XXX.XXX.2
ip nat inside source static 10.0.0.3 XXX.XXX.XXX.3
ip nat inside source static 10.0.0.4 XXX.XXX.XXX.4
ip nat inside source static 10.0.0.5 XXX.XXX.XXX.5
!
ip access-list standard acl-inet
 permit 10.0.0.0 0.0.0.7
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
!
end

--------PIX 525-----------

PIX Version 8.0(2)
!
hostname pixfirewall
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.248
 ospf cost 10
!
interface Ethernet1
 nameif domain
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 ospf cost 10
!
interface Ethernet2
 nameif ftp
 security-level 60
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet3
 nameif vmhost
 security-level 80
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10
!
interface Ethernet4
 nameif vm
 security-level 50
 ip address 192.168.3.1 255.255.255.0
 ospf cost 10
!
interface Ethernet5
 speed 10
 nameif public
 security-level 40
 ip address 192.168.4.1 255.255.255.0
!
!
time-range IPBlocked
 absolute end 01:12 28 October 2010
 periodic daily 0:00 to 23:59
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list 101 extended permit tcp any host 10.0.0.1 eq www
access-list 101 extended permit tcp any host 10.0.0.1 eq https
access-list 101 extended permit tcp any host 10.0.0.1 eq pop3
access-list 101 extended permit tcp any host 10.0.0.1 eq smtp
access-list 101 extended permit tcp any host 10.0.0.1 eq 587
access-list 101 extended permit tcp any host 10.0.0.1 eq 5000
access-list 101 extended permit tcp any host 10.0.0.2 eq www
access-list 101 extended permit tcp any host 10.0.0.2 eq ftp
access-list 101 extended permit tcp any host 10.0.0.1 eq 10101
access-list 101 extended permit icmp any any
access-list 301 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 301 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu domain 1500
mtu ftp 1500
mtu vmhost 1500
mtu vm 1500
mtu public 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 10.0.0.2
global (outside) 3 10.0.0.3
global (outside) 4 10.0.0.4
global (outside) 5 10.0.0.5
nat (domain) 0 access-list 301
nat (domain) 1 192.168.0.0 255.255.255.0
nat (ftp) 2 192.168.1.0 255.255.255.0
nat (vmhost) 3 192.168.2.0 255.255.255.0
nat (vm) 4 192.168.3.0 255.255.255.0
nat (public) 5 192.168.4.0 255.255.255.0
static (domain,outside) tcp interface smtp 192.168.0.3 smtp netmask 255.255.255.255
static (domain,outside) tcp interface 5000 192.168.0.10 5000 netmask 255.255.255.255
static (domain,outside) tcp interface https 192.168.0.3 https netmask 255.255.255.255
static (domain,outside) tcp interface pop3 192.168.0.3 pop3 netmask 255.255.255.255
static (domain,outside) tcp interface 587 192.168.0.3 587 netmask 255.255.255.255
static (domain,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255
static (ftp,outside) tcp 10.0.0.2 www 192.168.1.2 www netmask 255.255.255.255
static (ftp,outside) tcp 10.0.0.2 ftp 192.168.1.2 ftp netmask 255.255.255.255
static (domain,outside) tcp interface 10101 192.168.0.13 10101 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 domain
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.0.0 255.255.255.0 domain
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 domain
ssh timeout 30
console timeout 0
dhcpd dns 68.94.156.1
!
dhcpd address 192.168.4.10-192.168.4.50 public
dhcpd enable public
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.2.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.3.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 192.168.4.0 255.255.255.0
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
ntp server 207.46.197.32 source outside prefer
prompt hostname context
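To see exactly what the double NAT above exposes, here is an added Python example (not from the thread) that parses excerpts of the two posted configs and traces each ACL-permitted public port through the 2811 static NAT and then the PIX static to the final inside host, and flags permits with no translation behind them (and statics nothing permits). The config excerpts are constructed from the post; the port-name table is an assumption that covers only the Cisco service names used here.

```python
import re
# Constructed excerpts of the two scrubbed configs in the post (a subset of the
# static/ACL lines; "XXX.XXX.XXX.n" is the poster's own scrubbing of the public IPs).
R1_CFG = """\
ip nat inside source static 10.0.0.1 XXX.XXX.XXX.1
ip nat inside source static 10.0.0.2 XXX.XXX.XXX.2
"""
PIX_CFG = """\
interface Ethernet0
 nameif outside
 ip address 10.0.0.1 255.255.255.248
access-list 101 extended permit tcp any host 10.0.0.1 eq www
access-list 101 extended permit tcp any host 10.0.0.1 eq https
access-list 101 extended permit tcp any host 10.0.0.2 eq ftp
static (domain,outside) tcp interface https 192.168.0.3 https netmask 255.255.255.255
static (domain,outside) tcp interface www 192.168.0.3 www netmask 255.255.255.255
static (ftp,outside) tcp 10.0.0.2 ftp 192.168.1.2 ftp netmask 255.255.255.255
"""

def port(p):  # assumed name table: accept the Cisco service names or plain numbers
    return {"www": "80", "https": "443", "ftp": "21", "smtp": "25", "pop3": "110"}.get(p, p)

def parse_r1(cfg):
    """Outer hop: 10.0.0.x -> public IP, from 'ip nat inside source static <in> <out>'."""
    return dict(re.findall(r"ip nat inside source static (\S+) (\S+)", cfg))

def parse_pix(cfg):
    """Inner hop: (outside ip, port) -> (zone, host, port), plus the outside ACL permits."""
    outside, nameif, statics, permits = None, None, {}, set()
    for line in cfg.splitlines():
        if m := re.match(r" nameif (\S+)", line):
            nameif = m[1]
        elif (m := re.match(r" ip address (\S+)", line)) and nameif == "outside":
            outside = m[1]  # 'static ... interface <port>' binds to this address
        elif m := re.match(r"static \((\S+),outside\) tcp (\S+) (\S+) (\S+) (\S+)", line):
            oip = outside if m[2] == "interface" else m[2]
            statics[(oip, port(m[3]))] = (m[1], m[4], port(m[5]))
        elif m := re.match(r"access-list \d+ extended permit tcp any host (\S+) eq (\S+)", line):
            permits.add((m[1], port(m[2])))
    return statics, permits

def trace(r1_cfg, pix_cfg):
    """Follow each permitted port through both NAT hops: public IP -> 10.0.0.x -> host."""
    to_public = parse_r1(r1_cfg)
    statics, permits = parse_pix(pix_cfg)
    return {(to_public.get(ip, ip), p): (ip,) + statics[(ip, p)]
            for ip, p in permits if (ip, p) in statics}

def audit(pix_cfg):
    """Gaps: ACL permits with no translation behind them, and statics nothing permits."""
    statics, permits = parse_pix(pix_cfg)
    return sorted(permits - statics.keys()), sorted(statics.keys() - permits)
```

Run `trace(R1_CFG, PIX_CFG)` to get the public-port-to-host table; on the full posted configs every ACL permit has a matching static, so `audit` returns two empty lists.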

3 Replies

Roger De Couto
Level 1

Hello,

You can solve this issue 'but' you'll need to purchase additional IPs from your ISP. Basically, you'll need 2 blocks of IP addresses.

1) assign public /30 IP address on the WAN interface on the 2811

2) use the public /29 IP on the LAN interface of the router. 1st usable IP on the router LAN interface, 2nd on the PIX interface facing the router.

I don't think there are any other options for avoiding the double NAT issue. Perhaps other members may have an idea!

HTH :)

Chris Mickle
Level 1

So there is no way to do a static route without NAT through the 2811? I hope that makes sense.

Roger's solution is the straight way. 

Additionally, you can try using the PIX in transparent mode, or simply get rid of it, as it seems you don't have too much of a FW, and use only the 2800 router for both NAT and traffic control.
