
NAT in several stages

turbo_engine26
Level 4

Dear All,

Good Day,

I have two firewall stages. The first stage includes two Cisco PIX 525s configured as failover A/S. The second stage includes two Symantec Gateway Security 5440s configured as load balancing. Actually, my ISP did not give me enough public IPs to give to the outside interfaces of the PIX. So, I gave the outside interfaces private IP addresses (192.168.1.x) and then I do the NAT in the router. As a result, I end up with 3 stages of NAT in order to make users see the internet. Check the following NAT stages:

Symantec Stage 1: 10.0.0.0 (inside users) ----> NAT ----> 172.16.1.11 (outside symantec).

PIX Stage 2: 172.16.1.11 ----> NAT ---> 192.168.1.11 (outside PIX)

Router Stage 3: 192.168.1.11 ---> NAT--->range 195.43.x.x-195.43.x.x (router's nat pool).

Users see the internet well, but a lot of the time the internet is lost, then back again, then lost, then back again.

My question is: is it wrong to NAT many times from private IP to private IP until it reaches the real IP pool in the router?

I'll appreciate your fast response.

Regards,

Turbo

Accepted Solution

mmorris11
Level 4

I don't want to make a moral issue out of this, so I won't say it's "wrong", but it is certainly hard to support and troubleshoot. I am not sure what you are achieving by using the Symantec and PIX in series like that, but a more conventional approach would be:

RFC1918 LAN--->inside(firewall)outside public IP range--->router--> x.x.x.x/30 to provider

It may be the peculiar habit of your ISP to not provide what AT&T/SBCIS refers to as a "WAN" subnet. This is a 30-bit subnet used only to connect your router to the adjacent ISP router, and your public IP range (/24, /25, /28, whatever) is routed on the inside of your router so that your firewall(s) can be addressed with those IPs.

HTH
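As an added illustration (not code from the thread, and not Cisco's or Symantec's), here is a small Python model of the three-stage chain in the question and of the single-stage design in the accepted answer. It shows the translation each stage applies to one flow, the reverse lookup a reply needs at every stage on the way back, and what happens when one stage in the middle loses its entry: the reply is dropped at that stage, the next outbound packet rebuilds the mapping on a new port, and the outer stage is left holding a dead entry. The outside addresses 172.16.1.11 and 192.168.1.11 come from the question; 203.0.113.0/28 stands in for the router's public pool (given only as 195.43.x.x in the post), 198.51.100.10 is a constructed remote server, and the PAT behaviour is a simplification of what the real boxes do.

```python
# Added illustration (not code from the thread): a toy model of the three
# chained PAT stages in the question and of the single-stage design in the
# answer. Addresses marked "constructed" are stand-ins; the post gives the
# router's public pool only as 195.43.x.x, so the 203.0.113.0/28
# documentation range is used in its place.

class NatStage:
    """Minimal PAT (overload) stage: every inside endpoint talking to a
    destination gets its own port on the stage's single outside address."""

    def __init__(self, name, outside_ip, first_port=1024):
        self.name = name
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.out_table = {}   # (inside_ip, inside_port, dst) -> outside_port
        self.in_table = {}    # (outside_port, dst) -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst):
        """Translate a packet leaving through this stage, creating state if needed."""
        key = (src_ip, src_port, dst)
        if key not in self.out_table:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, dst)] = (src_ip, src_port)
        return self.outside_ip, self.out_table[key]

    def inbound(self, dst_port, src):
        """Untranslate a reply; None means no matching state, so the stage drops it."""
        return self.in_table.get((dst_port, src))

    def expire(self, src_ip, src_port, dst):
        """Drop one mapping, as an idle timeout or a failover without state sync would."""
        port = self.out_table.pop((src_ip, src_port, dst), None)
        if port is not None:
            self.in_table.pop((port, dst), None)


def trace_outbound(stages, src_ip, src_port, dst):
    """Return the (ip, port) the flow carries at each hop, inside to outside."""
    hops = [(src_ip, src_port)]
    for stage in stages:
        src_ip, src_port = stage.outbound(src_ip, src_port, dst)
        hops.append((src_ip, src_port))
    return hops


def trace_inbound(stages, dst_ip, dst_port, src):
    """Walk a reply back through the chain, outermost stage first.
    Returns the inside endpoint, or None if any stage lacks state for it."""
    for stage in reversed(stages):
        if dst_ip != stage.outside_ip:
            return None               # reply is not even addressed to this stage
        mapping = stage.inbound(dst_port, src)
        if mapping is None:
            return None               # this stage has no entry: packet dropped here
        dst_ip, dst_port = mapping
    return dst_ip, dst_port


def state_entries(stages):
    """Number of translation entries the chain as a whole keeps for all flows."""
    return sum(len(s.out_table) for s in stages)


def build_chain():
    """The asker's topology (outside addresses from the question; router pool constructed)."""
    return [NatStage("symantec", "172.16.1.11"),
            NatStage("pix", "192.168.1.11"),
            NatStage("router", "203.0.113.1")]


def build_single():
    """The answer's design: one firewall NATs RFC1918 straight to a public
    address that the router simply routes (address constructed)."""
    return [NatStage("firewall", "203.0.113.11")]


REMOTE = ("198.51.100.10", 80)   # constructed internet server (documentation range)


def walkthrough():
    """Run one flow through the chain, lose state at the PIX, then retransmit."""
    chain = build_chain()
    result = {"first": trace_outbound(chain, "10.0.0.5", 40000, REMOTE)}
    pub_ip, pub_port = result["first"][-1]
    result["reply_ok"] = trace_inbound(chain, pub_ip, pub_port, REMOTE)
    chain[1].expire("172.16.1.11", result["first"][1][1], REMOTE)   # PIX loses its entry
    result["reply_after_loss"] = trace_inbound(chain, pub_ip, pub_port, REMOTE)
    result["retransmit"] = trace_outbound(chain, "10.0.0.5", 40000, REMOTE)
    result["old_reply"] = trace_inbound(chain, pub_ip, pub_port, REMOTE)
    result["entries"] = state_entries(chain)
    return result


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Run it directly to print the walkthrough. The point is the one the answer makes about supportability: with a single NAT stage there is one table to inspect (`show xlate` on the PIX, `show ip nat translations` on the router); with three in series, a flow's health depends on three tables agreeing, and a timeout, a `clear`, or a failover without synced state on any one of them breaks established sessions while new ones still come up. That is one way a chained NAT produces "lost then back again" symptoms; the thread itself does not establish that it is the cause here.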
