08-28-2006 11:22 PM - edited 03-09-2019 04:02 PM
Dear All,
Good Day,
I have two firewall stages. The first stage consists of two Cisco PIX 525s configured as Active/Standby failover. The second stage consists of two Symantec Gateway Security 5440s configured for load balancing. Actually, my ISP did not give me enough public IPs to assign to the outside interfaces of the PIX. So, I gave the outside interfaces private IP addresses (192.168.1.x) and then do the NAT in the router. As a result, I end up with three stages of NAT for users to reach the internet. Check the following NAT stages:
Symantec Stage 1: 10.0.0.0 (inside users) ----> NAT ----> 172.16.1.11 (outside symantec).
PIX Stage 2: 172.16.1.11 ----> NAT ---> 192.168.1.11 (outside PIX)
Router Stage 3: 192.168.1.11 ---> NAT--->range 195.43.x.x-195.43.x.x (router's nat pool).
Users see the internet well, but a lot of the time the internet is lost, then comes back, then is lost again, then comes back again.
My question is: is it wrong to NAT many times from private IP to private IP until it reaches the real IP pool in the router?
I'll appreciate your fast response.
Regards,
Turbo
08-29-2006 04:50 AM
I don't want to make a moral issue out of this, so I won't say it's "wrong", but it is certainly hard to support and troubleshoot. I am not sure what you are achieving by using the Symantec and PIX in series like that, but a more conventional approach would be:
RFC1918 LAN--->inside(firewall)outside public IP range--->router--> x.x.x.x/30 to provider
It may be the peculiar habit of your ISP not to provide what AT&T/SBCIS refers to as a "WAN" subnet. This is a 30-bit subnet used only to connect your router to the adjacent ISP router, and your public IP range (/24, /25, /28, whatever) is routed on the inside of your router so that your firewall(s) can be addressed with those IPs.
HTH
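To illustrate why a chained translation like this is hard to troubleshoot, here is an added example (not from the original post) that models the three PAT stages from the thread: `send` carries an outbound flow through all three translation tables and `receive` walks the reply back, reporting which stage lost it if any one table no longer holds a live entry. Only the thread's RFC1918 addresses are real; the public pool member `195.43.x.x`, the port numbers and the idle timers are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
# Added example, not from the original post: toy model of the thread's three PAT
# stages. RFC1918 addresses are from the thread; pool member, ports, timers assumed.
Flow = Tuple[str, int]  # (ip, port) as seen on one side of a NAT device

@dataclass
class NatStage:
    name: str
    outside_ip: str
    idle_timeout: int                       # seconds before an idle xlate is dropped
    next_port: int = 1024
    table: Dict[Flow, Flow] = field(default_factory=dict)      # inside -> outside
    reverse: Dict[Flow, Flow] = field(default_factory=dict)    # outside -> inside
    last_seen: Dict[Flow, int] = field(default_factory=dict)   # inside flow -> time

    def outbound(self, flow: Flow, now: int) -> Flow:
        if flow not in self.table:              # first packet: allocate an xlate
            xlate = (self.outside_ip, self.next_port)
            self.next_port += 1
            self.table[flow] = xlate
            self.reverse[xlate] = flow
        self.last_seen[flow] = now
        return self.table[flow]

    def inbound(self, xlate: Flow, now: int) -> Optional[Flow]:
        """Reverse-translate a reply; None if this stage has no live entry for it."""
        inner = self.reverse.get(xlate)
        if inner is None or now - self.last_seen[inner] > self.idle_timeout:
            return None
        self.last_seen[inner] = now
        return inner

def build_chain():
    return [NatStage("symantec", "172.16.1.11", idle_timeout=300),
            NatStage("pix", "192.168.1.11", idle_timeout=3600),
            NatStage("router", "195.43.x.x", idle_timeout=60)]  # pool IP placeholder

def send(chain, flow: Flow, now: int) -> Flow:
    for stage in chain:                         # outbound: inside -> internet
        flow = stage.outbound(flow, now)
    return flow

def receive(chain, flow: Flow, now: int):
    """Reply walked back; returns (inside_flow, None) or (None, stage_that_lost_it)."""
    for stage in reversed(chain):
        flow = stage.inbound(flow, now)
        if flow is None:
            return None, stage.name
    return flow, None
```

With the assumed timers, a reply that arrives after the router's short idle timeout is dropped at the router even though the PIX and Symantec still hold state, which is the kind of cross-device bookkeeping that makes a chain like this painful to support.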