Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

global internetout

Hi all,

Wonder if someone can help me get my head around a NAT question. I understand how NAT works in a standard setup I.e the firewall or router has an interface with a public ip, but I have seen a global internet out statement on a firewall that sits in the Internet DMZ along side the Internet router which does have an interface in the public address space, that the global NAT on the firewall translates all internal clients to when accessing the Internet.

Can anyone explain how the NAT occurs if the firewall doesn't have a public address space assigned. If it receives a packet destined for the Internet and it translates it to a public the address how is it routed to the Internet firewall. The default route on the firewall is the private HSRP address of the internet routers running BGP

Any help appreciated - thanks

Sent from Cisco Technical Support iPad App

1 ACCEPTED SOLUTION

Accepted Solutions

Re: global internetout

Hello Jesus,

That is correct

To rate a post just hit the stars on bellow each post, the more helpful the post is, the more stars you give.

Regards,

Also if there is no other question you can make you can change the status of the question to an answered status.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
5 REPLIES

global internetout

Hello Jesus Calero,

I am not sure if I understood your question but here is what I think.

Nat is not only used in order to allow private Ip addresses to access the internet.

The also are used to hide the private range Ip address ( Security Purposes) among other functions.

Now the NAT is in charge of just changing the Source or destination information on the Ip header or the port numbers on the TCP or UDP header.

Inside-192.168.12.1----ASA---192.168.15.0 Outside-----ISP Router----4.2.2.0

As you can see on the above example the ASA has 2 different broadcast domains and those belong to a private range.

Now if the ASA wants to go to the internet he will need to send the traffic to the ISP router  based on his routing table( this one will perform the other nat translation)

As you might think on this scenario we might need to use NAT on the ASA or not, that just depends of our desing.

Regards,

Julio

Remember to rate all the helpful posts, that is as importan as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re: global internetout

Hi thanks for the response. Hope this helps

Inside-192.168.12.1--ASA-192.168.15.2--- Internet DMZ -192.168.15.1 -


ISP Router--4.2.2.1

The ASA has global Internet out NAT of 4.2.2.2 and the Default route for the ASA is 192.168.15.1 How does the FW translate a 192.168.12.1 address to 4.2.2.2 and how does it end up traversing the router? If the source is 4.2.2.2 once the router receives a packet back destined for 4.2.2.2 how would it know the source is actually the ASA if the ASA doesn't have a 4.2.2.0 address on an interface?

Hmmm not sure if that is any clearer

Sent from Cisco Technical Support iPad App

Re: global internetout

Hello Jesus,

Sure I understand your query now.

This is because of the amazing Proxy-Arp feature and gratitious Arp This allows the ASA to let the other devices know he has X ip address.

So the other devices will send the traffic to it's interface Mac Address.

So in the scenario you draw the ASA is going to say to router I am 4.2.2.2, please send me the packets to my outside interface MAC address even if no one has asked. Then the router will learn that and place it on it's arp table.

Remember to rate all the posts


Regards,

Julio

CCSP

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Re: global internetout

Thanks a million, this has been bugging me for a while.  So even if the router has a local subnet on the 4.2.2.0 network it will still send a packet through to it's internal network 192.168.15.0 because there is a device advertising it has ip 4.2.2.2?

Many thanks.  Apologies in getting back

How do I rate a post?

Re: global internetout

Hello Jesus,

That is correct

To rate a post just hit the stars on bellow each post, the more helpful the post is, the more stars you give.

Regards,

Also if there is no other question you can make you can change the status of the question to an answered status.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
289
Views
0
Helpful
5
Replies
CreatePlease to create content