Cisco Support Community
New Member

NAT in several stages

Dear All,

Good Day,

I have two firewall stages. The first stage consists of two Cisco PIX 525s configured as an A/S failover pair. The second stage consists of two Symantec Gateway Security 5440s configured for load balancing. Actually, my ISP did not give me enough public IPs to assign to the outside interfaces of the PIX, so I gave the outside interfaces private IP addresses (192.168.1.x) and then I do the NAT in the router. As a result, I end up with three stages of NAT in order to make users see the internet. Check the following NAT stages:

Symantec Stage 1: 10.0.0.0 (inside users) ----> NAT ----> 172.16.1.11 (outside Symantec)

PIX Stage 2: 172.16.1.11 ----> NAT ----> 192.168.1.11 (outside PIX)

Router Stage 3: 192.168.1.11 ----> NAT ----> range 195.43.x.x-195.43.x.x (router's NAT pool)

Users can see the internet, but a lot of the time the internet connection is lost, then comes back again, then is lost, then comes back again.

My question is: is it wrong to NAT many times from private IP to private IP until it reaches the real IP pool in the router?

I'll appreciate your fast response.

Regards,

Turbo

Accepted Solution
Silver

Re: NAT in several stages

I don't want to make a moral issue out of this, so I won't say it's "wrong", but it is certainly hard to support and troubleshoot. I am not sure what you are achieving by using the Symantec and PIX in series like that, but a more conventional approach would be:

RFC1918 LAN ---> inside (firewall) outside public IP range ---> router ---> x.x.x.x/30 to provider

It may be the peculiar habit of your ISP not to provide what AT&T/SBCIS refers to as a "WAN" subnet. This is a 30-bit subnet used only to connect your router to the adjacent ISP router; your public IP range (/24, /25, /28, whatever) is routed on the inside of your router so that your firewall(s) can be addressed with those IPs.

HTH
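The conventional single-stage design from the reply, written out as a configuration example added here; it is not from the original thread or from either poster. The addresses are assumptions taken from the RFC 5737 documentation ranges because the thread elides the real public block: 198.51.100.0/30 stands in for the ISP "WAN" subnet, 203.0.113.0/29 for the public range the ISP routes to the customer, and 10.0.0.0/8 for the LAN (the question gives 10.0.0.0 without a mask). Interface names, the pool name PUBLIC and the use of a single firewall stage (the reply's diagram shows one) are also assumptions. Router lines are IOS syntax, firewall lines PIX OS 6.x syntax.

```cisco
! ---- BEFORE: router NAT stage 3 as described in the question ----
! The PIX outside interfaces sit on 192.168.1.0/24 and the router translates
! them again, so each flow is tracked in three translation tables in series.
! (WAN interface addressing as assigned by the ISP; omitted here.)
interface FastEthernet0/0
 description inside: 192.168.1.0/24, PIX outside interfaces
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description WAN link to provider
 ip nat outside
!
ip nat pool PUBLIC 203.0.113.2 203.0.113.6 netmask 255.255.255.248
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 pool PUBLIC overload

! ---- AFTER: conventional design from the reply (all addresses assumed) ----
! Router: /30 toward the ISP, public /29 routed on the inside, no NAT at all.
interface Serial0/0
 description WAN /30 to provider (ISP side is 198.51.100.1)
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/0
 description inside: public 203.0.113.0/29, firewall outside interfaces
 ip address 203.0.113.1 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
! The ISP routes 203.0.113.0/29 to 198.51.100.2; nothing is translated here.

! PIX (PIX OS 6.x syntax): the only NAT stage, RFC1918 LAN to the public range.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.0.1 255.0.0.0
! Dynamic NAT from a small pool, overflowing to PAT on one address when
! the pool is exhausted (both global lines share NAT id 1).
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 203.0.113.4-203.0.113.5
global (outside) 1 203.0.113.3
! The A/S failover pair needs a second public address on the outside,
! which is why a /29 rather than a /30 is assumed for the public block.
failover ip address outside 203.0.113.6
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

To verify, use `show ip nat translations` on the router for the "before" layout and `show xlate` / `show conn` on the PIX for the "after" layout. In the single-stage design a user's flow appears in exactly one translation table, so a translation that has aged out or a pool that has run dry can be found in one place rather than being correlated across the Symantec, PIX and router tables.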

