Wonder if someone can help me get my head around a NAT question. I understand how NAT works in a standard setup, i.e. the firewall or router has an interface with a public IP, but I have seen a global Internet-out statement on a firewall that sits in the Internet DMZ alongside the Internet router, which does have an interface in the public address space, that the global NAT on the firewall translates all internal clients to when accessing the Internet.
Can anyone explain how the NAT occurs if the firewall doesn't have a public address space assigned? If it receives a packet destined for the Internet and translates it to a public address, how is it routed to the Internet firewall? The default route on the firewall is the private HSRP address of the Internet routers running BGP.
Inside-192.168.12.1--ASA-192.168.15.2--- Internet DMZ -192.168.15.1 -
The ASA has a global Internet-out NAT of 18.104.22.168, and the default route for the ASA is 192.168.15.1. How does the FW translate a 192.168.12.1 address to 22.214.171.124, and how does it end up traversing the router? If the source is 126.96.36.199, once the router receives a packet back destined for 188.8.131.52, how would it know the source is actually the ASA if the ASA doesn't have a 184.108.40.206 address on an interface?
This is because of the amazing proxy ARP feature and gratuitous ARP. This allows the ASA to let the other devices know it has X IP address.
So the other devices will send the traffic to its interface MAC address.
So in the scenario you drew, the ASA is going to say to the router "I am 220.127.116.11, please send me the packets to my outside interface MAC address", even if no one has asked. Then the router will learn that and place it in its ARP table.
Remember to rate all the posts
Julio Carvajal Senior Network Security and Core Specialist CCIE #42930, 2xCCNP, JNCIP-SEC
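As an added illustration (not part of the thread, and not Cisco code), the simulation below models the return path the question is about: the router does a longest-prefix lookup for the NAT mapped address, then ARPs for the next hop on whichever segment that route points to, and the ASA answers ARP for its mapped addresses with its outside-interface MAC (proxy ARP). It also shows the check a practitioner should make: proxy ARP only helps when the router's route for the mapped address points out the segment the ASA's outside interface is on; if the public block is a connected route on a different (ISP-facing) interface, the router ARPs there and the ASA never hears it, and a static /32 route on the router toward the ASA's outside address is what makes it work, with or without proxy ARP. All addresses (203.0.113.0/24 from TEST-NET-3 as the public block) and MACs are constructed for the example; the thread's own addresses are not reproduced.

```python
"""Why an ASA can NAT to an address it does not own: proxy ARP vs. a static route.

Constructed example. The ASA's outside interface is 192.168.15.2 on the DMZ
segment, the NAT mapped address is 203.0.113.10 (TEST-NET-3, constructed), and
the router decides how to reach 203.0.113.10 purely from its routing table.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Segment:
    """One L2 broadcast domain; 'hosts' are the devices that answer ARP on it."""
    name: str
    hosts: list = field(default_factory=list)


class ASA:
    """Firewall with one outside interface and a set of NAT mapped addresses."""

    def __init__(self, outside_ip, outside_mac, mapped, proxy_arp=True):
        self.outside_ip = ipaddress.ip_address(outside_ip)
        self.outside_mac = outside_mac
        self.mapped = {ipaddress.ip_address(m) for m in mapped}
        # On a real ASA, 'sysopt noproxyarp <ifname>' corresponds to proxy_arp=False
        self.proxy_arp = proxy_arp

    def arp_reply(self, target):
        target = ipaddress.ip_address(target)
        if target == self.outside_ip:
            return self.outside_mac
        if self.proxy_arp and target in self.mapped:
            # Proxy ARP: claim the mapped address with the interface MAC
            return self.outside_mac
        return None


class Router:
    def __init__(self):
        self.connected = []  # (network, segment)
        self.static = []     # (network, next_hop_ip)
        self.arp_cache = {}  # (segment name, ip) -> mac

    def add_connected(self, cidr, segment):
        self.connected.append((ipaddress.ip_network(cidr), segment))

    def add_static(self, cidr, next_hop):
        self.static.append((ipaddress.ip_network(cidr), ipaddress.ip_address(next_hop)))

    def _segment_for(self, ip):
        """Which directly connected segment is 'ip' on (longest match)?"""
        hits = [(net, seg) for net, seg in self.connected if ip in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes.
        Returns (segment to send on, address to ARP for) or None."""
        dst = ipaddress.ip_address(dst)
        cands = [(net, ("connected", seg)) for net, seg in self.connected if dst in net]
        cands += [(net, ("static", nh)) for net, nh in self.static if dst in net]
        if not cands:
            return None
        _, (kind, target) = max(cands, key=lambda c: c[0].prefixlen)
        if kind == "connected":
            return target, dst          # connected: ARP for the destination itself
        seg = self._segment_for(target)  # static: ARP for the next hop
        return (seg, target) if seg else None

    def arp(self, segment, ip):
        key = (segment.name, str(ip))
        if key not in self.arp_cache:
            for dev in segment.hosts:
                mac = dev.arp_reply(ip)
                if mac:
                    self.arp_cache[key] = mac
                    break
        return self.arp_cache.get(key)

    def forward(self, dst):
        route = self.lookup(dst)
        if route is None:
            return "no-route"
        segment, arp_target = route
        mac = self.arp(segment, arp_target)
        if mac is None:
            return f"arp-failed on {segment.name}"
        return f"forwarded on {segment.name} to {mac}"


def scenario(public_on_dmz, static_route, proxy_arp=True):
    """Return-path result for a packet to the mapped address 203.0.113.10."""
    dmz, uplink = Segment("dmz"), Segment("uplink")  # the ASA is only on 'dmz'
    asa = ASA("192.168.15.2", "00:aa:bb:cc:dd:02", ["203.0.113.10"], proxy_arp)
    dmz.hosts.append(asa)
    r = Router()
    r.add_connected("192.168.15.0/24", dmz)
    # Where the public block is a connected route decides where the router ARPs
    r.add_connected("203.0.113.0/24", dmz if public_on_dmz else uplink)
    if static_route:
        r.add_static("203.0.113.10/32", "192.168.15.2")  # point the /32 at the ASA
    return r.forward("203.0.113.10")


if __name__ == "__main__":
    print("public block on DMZ, proxy ARP      :", scenario(True, False))
    print("public block on uplink, proxy ARP   :", scenario(False, False))
    print("public block on uplink, static /32  :", scenario(False, True))
    print("public block on DMZ, no proxy ARP   :", scenario(True, False, proxy_arp=False))
    print("no proxy ARP, static /32            :", scenario(True, True, proxy_arp=False))
```

The two failing cases are the ones to check for in a real design: the router holds the public block on an interface the ASA is not attached to, or proxy ARP has been disabled on the ASA's outside interface. In both, a static route on the router for the mapped address (or block) via the ASA's outside interface IP restores reachability and is the more predictable choice, since it does not depend on the ASA answering ARP for addresses it does not own.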
Thanks a million, this has been bugging me for a while. So even if the router has a local subnet on the 18.104.22.168 network, it will still send a packet through to its internal network 192.168.15.0 because there is a device advertising that it has IP 22.214.171.124?