08-30-2012 01:21 PM - edited 03-11-2019 04:48 PM
Hi all,
Wonder if someone can help me get my head around a NAT question. I understand how NAT works in a standard setup, i.e. the firewall or router has an interface with a public IP, but I have seen a global Internet out statement on a firewall that sits in the Internet DMZ alongside the Internet router, which does have an interface in the public address space, that the global NAT on the firewall translates all internal clients to when accessing the Internet.
Can anyone explain how the NAT occurs if the firewall doesn't have a public address space assigned? If it receives a packet destined for the Internet and translates it to a public address, how is it routed to the Internet firewall? The default route on the firewall is the private HSRP address of the Internet routers running BGP.
Any help appreciated - thanks
Sent from Cisco Technical Support iPad App
08-30-2012 01:45 PM
Hello Jesus Calero,
I am not sure if I understood your question but here is what I think.
NAT is not only used in order to allow private IP addresses to access the Internet.
They are also used to hide the private IP address range (security purposes), among other functions.
Now NAT is in charge of just changing the source or destination information in the IP header or the port numbers in the TCP or UDP header.
Inside-192.168.12.1----ASA---192.168.15.0 Outside-----ISP Router----4.2.2.0
As you can see in the above example, the ASA has 2 different broadcast domains and those belong to a private range.
Now if the ASA wants to go to the Internet it will need to send the traffic to the ISP router based on its routing table (this one will perform the other NAT translation).
As you might think, in this scenario we might need to use NAT on the ASA or not; that just depends on our design.
Regards,
Julio
Remember to rate all the helpful posts, that is as important as a thanks.
08-30-2012 02:19 PM
Hi thanks for the response. Hope this helps
Inside-192.168.12.1--ASA-192.168.15.2--- Internet DMZ -192.168.15.1 -
The ASA has a global Internet out NAT of 4.2.2.2 and the default route for the ASA is 192.168.15.1. How does the FW translate a 192.168.12.1 address to 4.2.2.2, and how does it end up traversing the router? If the source is 4.2.2.2, once the router receives a packet back destined for 4.2.2.2, how would it know the source is actually the ASA if the ASA doesn't have a 4.2.2.0 address on an interface?
Hmmm, not sure if that is any clearer.
Sent from Cisco Technical Support iPad App
08-30-2012 03:19 PM
Hello Jesus,
Sure I understand your query now.
This is because of the amazing Proxy ARP feature and gratuitous ARP. This allows the ASA to let the other devices know it has X IP address.
So the other devices will send the traffic to its interface MAC address.
So in the scenario you drew, the ASA is going to say to the router "I am 4.2.2.2, please send me the packets to my outside interface MAC address" even if no one has asked. Then the router will learn that and place it in its ARP table.
Remember to rate all the posts
Regards,
Julio
CCSP
09-07-2012 08:13 AM
Thanks a million, this has been bugging me for a while. So even if the router has a local subnet on the 4.2.2.0 network it will still send a packet through to its internal network 192.168.15.0 because there is a device advertising it has IP 4.2.2.2?
Many thanks. Apologies in getting back
How do I rate a post?
09-07-2012 09:34 AM
Hello Jesus,
That is correct
To rate a post just hit the stars below each post; the more helpful the post is, the more stars you give.
Regards,
Also, if there are no other questions, you can change the status of the question to answered.
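A small constructed Python model of the proxy ARP behaviour Julio describes and the follow-up question above, added here and not from the original thread or from Cisco: the ISP router (192.168.15.1) owns 4.2.2.0/24 as a connected subnet on the same DMZ segment as the ASA outside interface (192.168.15.2), which has no 4.2.2.x address but answers ARP for the NAT global 4.2.2.2. The device names, MAC addresses and the `scenario` helper are assumptions; the second scenario shows what happens when proxy ARP is off.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Device:
    name: str
    ip: str                      # interface address on the shared DMZ segment
    mac: str                     # constructed MAC, not a real device
    proxy_arp_for: set = field(default_factory=set)  # NAT globals this device claims
    arp_table: dict = field(default_factory=dict)

    def answers_arp(self, target_ip: str) -> bool:
        # Replies for its own address, or for a NAT global it proxy-ARPs for
        return target_ip == self.ip or target_ip in self.proxy_arp_for

class Segment:
    """One L2 broadcast domain: the Internet DMZ shared by router and ASA."""
    def __init__(self, *devices: Device):
        self.devices = list(devices)

    def resolve(self, asker: Device, target_ip: str):
        """Broadcast 'who has target_ip?'; cache and return the first reply's MAC."""
        if target_ip in asker.arp_table:
            return asker.arp_table[target_ip]
        for dev in self.devices:
            if dev is not asker and dev.answers_arp(target_ip):
                asker.arp_table[target_ip] = dev.mac   # router learns 4.2.2.2 -> ASA MAC
                return dev.mac
        return None  # no reply: ARP entry stays incomplete

def forward_return_packet(segment: Segment, router: Device, dst_ip: str):
    """Router gets an Internet reply for dst_ip; 4.2.2.0/24 is a connected route,
    so it must ARP on the segment rather than hand the packet to a next hop."""
    if ip_address(dst_ip) not in ip_network("4.2.2.0/24"):
        return ("dropped", "no connected route")
    mac = segment.resolve(router, dst_ip)
    return ("delivered", mac) if mac else ("dropped", "ARP incomplete")

def scenario(proxy_arp: bool):
    """Return the router's forwarding result and its ARP table after one reply."""
    router = Device("isp-router", "192.168.15.1", "00:00:0c:aa:aa:01")
    asa = Device("asa-outside", "192.168.15.2", "00:00:0c:bb:bb:02",
                 proxy_arp_for={"4.2.2.2"} if proxy_arp else set())
    dmz = Segment(router, asa)
    result = forward_return_packet(dmz, router, "4.2.2.2")
    return result, dict(router.arp_table)
```

The learned entry is the thing to check on a real router: if 4.2.2.2 resolves to a MAC other than the ASA outside interface, something else on the segment is claiming the NAT global.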