Cisco Support Community
New Member

Will NAT to another NAT device work?

Hi folks,

Here's the deal. I have a Linksys firewall that connects to my cable modem. Behind that I have a wireless AP. Behind that AP I have a 1720 router with some ACLs acting as a secondary firewall, thus creating some sort of DMZ. Problem is... I have a web server and Exchange server that I don't want to put in the DMZ. I want to keep them behind the 1720. The Linksys firewall can only NAT to the DMZ network. If I turn on NAT on the 1720 and make static NAT entries on the 1720 for mail and such, then on the Linksys make NAT entries for mail and web that point to the 1720 DMZ interface, will that work?

If so, any pointers?

Many thanks


Re: Will NAT to another NAT device work?

I think this should work. I haven't been able to locate a document to illustrate it though.

New Member

Re: Will NAT to another NAT device work?

Thanks for responding. I know it will work. I saw an illustration of it on some web site... lost it though. If I find it, I'll point you to it. I might end up using something like Microsoft's ISA server.


New Member

Re: Will NAT to another NAT device work?

Sure, I've actually done this w/ 2 Pix 506E's and it does work just fine. Bottom line, an inexpensive workaround to not having to dump 4k+ on a 515E. The config does create a mock screened subnet or DMZ. Not really any tricks to it, just use statics, NAT & global on the internal Pix which destinate onto the "DMZ" private addresses. On the external firewall, use 1-1 NAT (or whatever it's called) for the "DMZ" Pix static mappings to the actual public IPs:

pix linksys <--> <--> public IP

Only drawbacks I can think of are performance related - w/ ingress/egress filtering on both units, an extra network hop, two layers of nested NAT, two layers of IPSec overhead, & two layers of nested static mappings, the LAN users will notice a performance hit.

Also, the rulebase configs can get dicey. I configured VPN access to both, but on the external unit, you will need to open ports like 50/esp, 500/udp, to the internal Pix. Also, egress filtering on the external Pix I haven't gotten quite right yet w/o unexpectedly denying access to someone.

Best of luck.
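
Added example (not part of the thread and not any poster's configuration): a small Python model of the two chained static NATs discussed above, tracing one inbound packet and its reply through both devices and listing outer forwards that have no matching inner static. All addresses, ports and names (`NatDevice`, `traverse`, `reply`, `dangling_forwards`) are constructed for illustration.

```python
# Constructed model: outer device (Linksys role) forwards public ports to the
# inner router's DMZ address; inner device (1720 role) maps them to the servers.
class NatDevice:
    def __init__(self, name, statics):
        self.name = name
        self.statics = statics   # (outside_ip, port) -> (inside_ip, port)
        self.sessions = {}       # (client, translated_dst) -> original dst

    def inbound(self, pkt):
        """Destination NAT for a packet arriving on the outside interface."""
        src, dst = pkt
        if dst not in self.statics:
            return None          # no static mapping: nothing to forward to
        new_dst = self.statics[dst]
        self.sessions[(src, new_dst)] = dst
        return (src, new_dst)

    def outbound(self, pkt):
        """Rewrite the reply's source back to the address the client used."""
        src, dst = pkt
        orig = self.sessions.get((dst, src))
        return (orig, dst) if orig else None

def traverse(chain, pkt):
    """Push a packet outside-in through every device; None if a hop drops it."""
    for dev in chain:
        pkt = dev.inbound(pkt)
        if pkt is None:
            return None
    return pkt

def reply(chain, pkt):
    """Send the server's reply inside-out through the same devices."""
    for dev in reversed(chain):
        pkt = dev.outbound(pkt)
        if pkt is None:
            return None
    return pkt

def dangling_forwards(outer, inner):
    """Outer forwards whose target has no static on the inner device."""
    return [k for k, v in outer.statics.items() if v not in inner.statics]

PUBLIC, DMZ_IF, MAIL, WEB = "203.0.113.10", "192.168.1.2", "10.0.0.25", "10.0.0.80"
CLIENT = ("198.51.100.7", 40000)

def build_chain():
    outer = NatDevice("outer", {(PUBLIC, 25): (DMZ_IF, 25),
                                (PUBLIC, 80): (DMZ_IF, 80),
                                (PUBLIC, 443): (DMZ_IF, 443)})  # 443 left dangling
    inner = NatDevice("inner", {(DMZ_IF, 25): (MAIL, 25), (DMZ_IF, 80): (WEB, 80)})
    return [outer, inner]
```

A forward reported by `dangling_forwards` terminates on the inner router's own DMZ interface rather than on a server, so it is worth removing from the outer device or matching with an inner static.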

