Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
314
Views
0
Helpful
3
Replies

Will NAT to another NAT device work?

oalexis
Level 1
Level 1

‎07-23-2003 09:45 AM - edited ‎03-09-2019 04:10 AM

Hi folks,

Here's the deal. I have a linksys firewall that connects to my cable modem. Behind that I have a wireless AP. Behind that AP I have a 1720 router with some ACLs acting as a secondary firewall. Thus creating some sort of DMZ. Problem is......... I have a web server and exchange server that I don't want to put in te DMZ. I Want to keep them behind the 1720. The linksys firewall can only NAT to the DMZ network. If I turn on NAT on the 1720, and make static NAT entries on the 1720 for mail and such then on the Linksys,make NAT entries for mail and web point to the 1720 DMZ interface. Will that work?

If so, any pointers?

Many thanks

Labels:
0 Helpful
3 Replies 3

smahbub
Level 6
Level 6

‎07-29-2003 11:41 AM

I think this should work. I haven't been able to locate a document to illustrate it though.

0 Helpful

oalexis
Level 1
Level 1
In response to smahbub

‎07-29-2003 11:46 AM

Thanks for responding. I know it will work. I saw an illustration of it on some web site... lost it though. If I find I'll point you to it. I might end up using something like Microsoft's ISA server.

Thanks

0 Helpful

jonathan.green
Level 1
Level 1

‎07-29-2003 01:49 PM

Sure, I've actually done this w/ 2 Pix 506E's and it does work just fine. Bottom line, an inexpensive workaround to not having to dump 4k+ on a 515E. The config does create a mock screened subnet or DMZ. Not really any tricks to it, just use statics, NAT & global on the internal Pix which destinate onto the "DMZ" private addresses. On the external firewall, use 1-1 NAT (or whatever it's called) for the "DMZ" Pix static mappings to the actual public IP's:

pix linksys

10.0.0.1 <--> 192.168.0.1 <--> public IP

Only drawbacks I can think of are performance related - w/ ingress/egress filtering on both units, an extra network hop, two layers of nested NAT, two layers of IPSec overhead, & two layers of nested static mappings, the LAN users will notice a performance hit.

Also, the rulebase configs can get dicey. I configured VPN access to both, but on the external unit, you will need to open ports like 50/esp, 500/udp, to the internal Pix. Also, egress filtering on the external Pix I haven't gotten quite right yet w/o unexpectedly denying access to someone.

Best of luck.

-Jonathan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents