Jay,

That's the problem in your design unfortunately. Your isp doesn't know how to get to your 192.168.1.0/23 addresses, so the traffic being sourced from that interface is dropped. If you had a public ip block, you could put the public address on the inside interface and the isp would know how to get to it because they'd be routing for it. You could then put a public address on your pix and then nat there.

The problem is that currently you're natting from your pix to another private address space (192.168.1.0/23) from what I'm seeing, so everything is going to look like it's coming out of the pix as a 192.168.1.0 address. If you were to put the acl into effect on the router that I gave earlier, it should nat out again as your assigned address from the isp.

John

I figured this was a flaw - If i were like you said using a "Public" block and perhaps running some sort of dynamic protocol (bgp) with the provider then i wouldn't have to double nat.

I believe atleast with the design i have implemented i can use a pool within the 192.168.0.0 network as a "static" nat assignment to mask the inside address but still have to specify an acl on the internet router inbound to that assignement which should pass through the pix and to the host.

This was more of a lab to learn the design and understand the routing. I'm new to OSPF so seeing through-out this design how i've gone from a single area to a multi-area topology and learning route-maps / redistribution and so on i've managed to get a better grasp on what's going on behind the scenes

I'll test out the NAT on the inet router shortly and get back to you, Thanks for all your advice/help thus far i highly appreciate the time and effort you have put into this with me.

Regards,

Jay

No problem! I look forward to hearing the outcome

All looks good after adding the NAT config on the Internet Router

I can browse to Internet from area 1 with no issues .. I'm watching FW log as i'm doing various tasks outbound and everything seems to work correctly at the moment.

Here's a trace to show the path

Tracing route to google.com [74.125.226.228]
over a maximum of 30 hops:

  1     2 ms    <1 ms     1 ms  10.50.100.2 (Area 1 - vlan 100)
  2     1 ms     1 ms     1 ms  10.50.1.7 (snet-abr-r1)
  3     1 ms     1 ms     1 ms  172.16.1.1 (Area 0 - snet-core-s1)
  4     2 ms     2 ms     2 ms  192.168.1.253 (snet-internet-router | LAN Interface)
  5    10 ms     8 ms    13 ms  10.11.25.1 - ISP Network
  6    14 ms    14 ms    11 ms  67.97.247.73 - ISP Network
  7    22 ms   222 ms   215 ms  4.53.194.29 - Offnet - other carrier network
  8    23 ms    16 ms    15 ms  4.69.132.202
  9    19 ms    18 ms    16 ms  4.69.136.185
10    24 ms    24 ms    27 ms  4.69.136.190
11    26 ms    26 ms    23 ms  4.69.134.134
12    24 ms    27 ms    27 ms  4.69.149.69
13    40 ms    29 ms    29 ms  4.79.168.6
14    27 ms    29 ms    28 ms  209.85.252.80
15    27 ms    30 ms    39 ms  72.14.236.146
16    31 ms    36 ms    30 ms  72.14.239.92
17    29 ms    30 ms   143 ms  209.85.252.3
18    38 ms    30 ms    30 ms  72.14.239.252
19    32 ms    28 ms    33 ms  74.125.226.228 - Google.com

Trace complete.

Awesome Jay! Glad to hear it's all working for you!

Thanks Again John - I'm sure we'll be in touch again in the future as we are always learning when it comes to design/implementation and troubleshooting various topologies

Regards,

Jay