Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Double Natting/Patting

I have some requirement as described in the attached diagram.

I want your feedback on whether the solution proposed will work for the stated requirement..

I do not have test devices to test this nor i can experiment in production devices.. So your opinion on this solution will be appreciated..

If you feel, this solution will not work or if you have a more elegant solution, please suggest.

Btw, Host A will never initiate session to Host B. Always Host B will initiate the session to Host A

PS - Please dont mind those shapes of PIX and routers.. I had them drawn by my lovely Daughter .. :-)

7 REPLIES
New Member

Re: Double Natting/Patting

I have corrected some details on the attachment..

Re: Double Natting/Patting

Hi,

You have mentioned that only Host B is going to initiate a session to Host A.

Your conditions.

1) B should see A as 10.10.10.200

2) A should see B as 172.32.1.2

Hence the flow will be as follows

Step 1

******

B will send a packet to A, in this packet, the destination of A will be 10.10.10.200

Step 2

******

This packet will traverse the ASA from outside to inside, so a static NAT should be configured in the ASA to translate the destination address to the original address of A.

Static ( inside, outside) 10.10.10.200 172.16.1.23 netmask 255.255.255.255

This is correct.

Step3

*****

This packet will now hit the inside interface of the PIX.

Here the source ip will be 172.16.7.5( Original address of Host B) and the destination ip will be 172.16.1.23

Now this PIX needs to translate the source ip of this packet to 172.32.1.2

Hence here also you need to have a static nat configured as follows

static ( inside, outside) 172.32.1.2 172.16.7.5 netmask 255.255.255.255

Only then PIX will translate the source ip from 172.16.7.5 to 172.32.1.2

If you configure PAT in this PIX, it will only alter the destination ip, not the source ip. But what we want acheive at this stage is translate the source ip of B.

As host A is residing in the outside segment of PIX, Host A cannot initiate a session to B unless you have a explicit ACL in the PIX. By default traffic from outside to inside segment will be blocked in PIX.

Hope this clarifies the concepts involved in your requirement.

Rate the post if you find them helpful.

-VJ

Re: Double Natting/Patting

Hi,

Just noticed your correction post after my update. As i haven't saved the previous attachment, i couldn't notice any change in the diagram from the inputs that i assumed.

Refer to my comments above in the previous post and get back to us for further clarifications.

HTH

-VJ

New Member

Re: Double Natting/Patting

Hi VJ, thanks for ur response..

I disagree with you on Step 3..

PAT will never change the destination, it would change the source.

Btw, there is no requirement to initiate traffic from host A. So, no ACL is required on outside i/f of PIX.

I was more concerned about the static on ASA, as i was using any internal IP to NAT from outside.. but i am convinced now, that this will work.. I was getting confused with Bidir NAT earlier to address the Overlapping address space with 172.16.x.x between customer A & B.

Another point to note here is traffic between My site and Customer B is via VPN over internet.. I hope that shouldnt make any difference..

Let me know if u disagree..

Re: Double Natting/Patting

Hi,

Oops. i messed it.

Thanks for correcting me.

You are correct.

-VJ

New Member

Re: Double Natting/Patting

Venkat,

Let me know if you could get this to work.

Regards,

Mohan

New Member

Re: Double Natting/Patting

Yes, Mohan.. It worked..!

387
Views
0
Helpful
7
Replies