Can't stop double NAT

Answered Question
Mar 2nd, 2010

I have a new client that is having trouble with their network setup.  They were running with a 1721 router as their only device connecting them to the Internet and things worked fine.  They decided they needed a firewall so bought a sonicwall and put it between the 1721 and the LAN.  Once they did this they needed to port forward some traffic to the LAN.  This is where they found they are double NATting their traffic.  Setup:


Internet --> 1721 (external IP is dynamic from ISP, internal 10.0.0.1/24) --> FW (external 10.0.0.10/24, internal 192.168.0.1/24) --> LAN (192.168.0.0/24)


FW is set as the gateway for network PCs.  Because they have no static external IPs they are having to double NAT.  NAT on FW from 192.168.0.x -> 10.0.0.10 and then NAT on the 1721 10.0.0.10 -> dynamically assigned external interface IP.


I cannot figure out a way to only NAT on one device.  They want to NAT on the FW, but then they are trying to pass 10.0.0.0/24 traffic out to the world, which won't work; and if we only NAT on the 1721 I can't figure out how to get traffic to the router from the firewall over the 10.0.0.0/24 network connecting them.  Doing a double NAT allows traffic to pass, but I'm not sure how I can configure port forwarding for some of the internal PCs.  I've never set up a network that did not have external static IPs available.  All help is greatly appreciated.

Jon Marshall Tue, 03/02/2010 - 12:28

You are going to struggle if you try to do NAT on the firewall for the very reasons you say.


However you could just do the NAT on the 1721 router and then simply add a route to the 1721 for the 192.168.0.0/24 network pointing to the outside interface of the firewall. On the firewall you can then just allow traffic through in an access-list to the relevant 192.168.0.x host on the relevant port.


By the way, there is nothing inherently wrong with double NAT, i.e. if NAT was going to break the application then it would break it using it only once, never mind twice, but I appreciate it does make the config messy.


Jon

qbakies11 Tue, 03/02/2010 - 12:40

So disable NAT on the FW and just keep the NAT on the router.   Traffic would pass through the FW as 192.168.0.x and then get NAT'd to the dynamic external IP.  Then, to get traffic back to the LAN, I would add this to the router?


! ip route takes a subnet mask, not a wildcard mask (the post as written had 0.0.0.255)
ip route 192.168.0.0 255.255.255.0 10.0.0.10


In order to allow port forwarding for LAN PCs would I use the following on the router (for PC at 192.168.0.5)?


! Static NAT needs the "interface" keyword and the inside/outside port numbers;
! TCP 80 is an assumed example here, the post as written omitted the ports
ip nat inside source static tcp 192.168.0.5 80 interface Dialer1 80

Correct Answer
Jon Marshall Tue, 03/02/2010 - 12:47

qbakies11 wrote:


So disable NAT on the FW and just keep the NAT on the router.   Traffic would pass through the FW as 192.168.0.x and then get NAT'd to the dynamic external IP.  Then, to get traffic back to the LAN, I would add this to the router?


! ip route takes a subnet mask, not a wildcard mask (the post as written had 0.0.0.255)
ip route 192.168.0.0 255.255.255.0 10.0.0.10


In order to allow port forwarding for LAN PCs would I use the following on the router (for PC at 192.168.0.5)?


! Static NAT needs the "interface" keyword and the inside/outside port numbers;
! TCP 80 is an assumed example here, the post as written omitted the ports
ip nat inside source static tcp 192.168.0.5 80 interface Dialer1 80


Exactly.


Personally I also prefer to do the NAT on the firewall, but unless you can get an IP subnet from the ISP, e.g. a /29, to use between the router and the FW, you are limited in what you can do.


Jon
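The two commands above are only part of what the 1721 needs once the SonicWall stops translating. The following is an added example, not configuration from the thread, that pulls the whole router side together: the inside/outside NAT roles on the interfaces, the overload (PAT) rule that now has to match 192.168.0.0/24 rather than 10.0.0.0/24, the static route to the firewall's outside address, and the port forward. Interface FastEthernet0, access-list number 10 and the forwarded port (TCP 80) are assumptions; the thread itself only names Dialer1 and the three addresses.

```cisco
! Added example, not from the original thread. Assumes the LAN-facing
! interface is FastEthernet0, ACL 10 is free, and the service to expose
! on 192.168.0.5 is TCP 80 (none of these are stated in the thread).
!
interface FastEthernet0
 description To SonicWall outside interface (10.0.0.10)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 description ISP, dynamically assigned address
 ip address negotiated
 ip nat outside
!
! Return path for the LAN: send 192.168.0.0/24 to the firewall's outside
! address. "ip route" takes a subnet mask, not a wildcard mask.
ip route 192.168.0.0 255.255.255.0 10.0.0.10
!
! Sources eligible for PAT to whatever address Dialer1 currently holds.
! The LAN subnet must be listed now that the firewall no longer hides it
! behind 10.0.0.10; the 10.0.0.0/24 line covers traffic the firewall
! itself originates (updates, logging).
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.255
ip nat inside source list 10 interface Dialer1 overload
!
! Port forward: TCP 80 on the Dialer1 address -> 192.168.0.5:80.
! "interface Dialer1" is used instead of a literal IP because the
! external address changes.
ip nat inside source static tcp 192.168.0.5 80 interface Dialer1 80
```

Two things to check after applying it. On the router, `show ip route 192.168.0.5` should resolve via 10.0.0.10 and `show ip nat translations` should show the static entry plus dynamic entries whose inside local addresses are 192.168.0.x (if they are still 10.0.0.10, the SonicWall is still NATting). On the firewall, NAT must be disabled on the outside interface, its default route must point at 10.0.0.1, and an inbound rule is still required: after the router's translation the packet arrives at the firewall with destination 192.168.0.5 port 80, so the rule should permit exactly that and nothing wider. The router's static NAT exposes that port to the whole Internet; restricting permitted source addresses on the firewall rule, where the client can tolerate it, is the one place left to narrow that.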
