NAT Question ....

Discussion in 'Cisco' started by K.J. 44, Aug 29, 2006.

  1. K.J. 44

    K.J. 44 Guest

    Hi,

    I have a router which is connected to a firewall. Here is
    where I want the NAT and VPNs to terminate. I am having trouble
    figuring out how to set this up.

    If I have NAT at the firewall then information has to get from the
    router to the firewall for the NAT translation. Does this mean I have
    to have public IPs between the router and the firewall?

    I have 5 IP addresses to work with from my carrier but I don't want to
    hastily use them. How can I get information to get passed from the
    router to the firewall and how should I address?

    Internet ---> (public IP) router (private IP) ------- (private IP)
    Firewall doing NAT and terminating VPNs (private IP) ------ LAN

    Is there a way to successfully set up the above schema? If I can do
    that, then I will have IP Addresses left over to do a static NAT for my
    email server. That way, I can do PAT with one address for all traffic
    except the mail server traffic which will have a static NAT translation
    to a second public address.

    I guess if I can't do that, then I can subnet my block of 5 addresses
    so my outer address is configured as a point to point with my gateway
    address at my carrier and then use the other addresses as a point to
    point subnet between my router and firewall using the rest of the
    public addresses.

    Then the MX record would reflect my outer address of my firewall right?
    Then I wouldn't have any addresses left to be able to create a static
    NAT for my email server though. (I would use all of them creating the
    public point to point between my router and firewall and so all traffic
    from the inside would have to be translated using just one public
    address).

    Still confused at how to proceed.

    Help greatly appreciated. Thank you.
     
    K.J. 44, Aug 29, 2006
    #1

  2. K.J. 44

    Chad Mahoney Guest

    K.J. 44 wrote:
    > Hi,
    >
    > I have a router which is connected to a firewall. Here is
    > where I want the NAT and VPNs to terminate. I am having trouble
    > figuring out how to set this up.
    >
    > If I have NAT at the firewall then information has to get from the
    > router to the firewall for the NAT translation. Does this mean I have
    > to have public IPs between the router and the firewall?
    >
    > I have 5 IP addresses to work with from my carrier but I don't want to
    > hastily use them. How can I get information to get passed from the
    > router to the firewall and how should I address?
    >
    > Internet ---> (public IP) router (private IP) ------- (private IP)
    > Firewall doing NAT and terminating VPNs (private IP) ------ LAN
    >
    > Is there a way to successfully set up the above schema? If I can do
    > that, then I will have IP Addresses left over to do a static NAT for my
    > email server. That way, I can do PAT with one address for all traffic
    > except the mail server traffic which will have a static NAT translation
    > to a second public address.
    >
    > I guess if I can't do that, then I can subnet my block of 5 addresses
    > so my outer address is configured as a point to point with my gateway
    > address at my carrier and then use the other addresses as a point to
    > point subnet between my router and firewall using the rest of the
    > public addresses.
    >
    > Then the MX record would reflect my outer address of my firewall right?
    > Then I wouldn't have any addresses left to be able to create a static
    > NAT for my email server though. (I would use all of them creating the
    > public point to point between my router and firewall and so all traffic
    > from the inside would have to be translated using just one public
    > address).
    >
    > Still confused at how to proceed.
    >
    > Help greatly appreciated. Thank you.


    You would be using 2 public IP addresses for the router and the ASA. The
    ASA would know the subnet of IP addresses based on the external interface
    setup. So for example:

    router FastEthernet0/0 would have 1.1.1.1/29 external IP address
    ASA external interface would have 1.1.1.2/29
    Then you could NAT 1.1.1.3-1.1.1.5/29 through the ASA to internal
    systems on the private LAN.
     
    Chad Mahoney, Aug 30, 2006
    #2

  3. K.J. 44

    K.J. 44 Guest

    If I did that then I would have a public IP address on the outside of
    the router, and another public in the same subnet as the outside of the
    firewall, which is connected to the inside interface of the router...


    internet ----- 1.1.1.1 Router (inside interface) ------- 1.1.1.2
    Firewall (private LAN)

    Can I simply NAT to a public address and send it the rest of the way
    through the private network and put a static route in the router? So
    something like this:

    internet ----- 1.1.1.1 /30 ROUTER 10.1.1.1/30 -------- 10.1.1.2/30
    Firewall (private LAN)


    Then on the firewall have a translation:

    anything from the private LAN translate source address to 1.1.1.5
    anything from the mail server translate source address to 1.1.1.6

    Static route on the firewall:

    1.1.1.4 /30 go out inside interface

    Then have my MX record point to 1.1.1.6

    Would this work?

    Chad Mahoney wrote:
    > K.J. 44 wrote:
    > > Hi,
    > >
    > > I have a router which is connected to a firewall. Here is
    > > where I want the NAT and VPNs to terminate. I am having trouble
    > > figuring out how to set this up.
    > >
    > > If I have NAT at the firewall then information has to get from the
    > > router to the firewall for the NAT translation. Does this mean I have
    > > to have public IPs between the router and the firewall?
    > >
    > > I have 5 IP addresses to work with from my carrier but I don't want to
    > > hastily use them. How can I get information to get passed from the
    > > router to the firewall and how should I address?
    > >
    > > Internet ---> (public IP) router (private IP) ------- (private IP)
    > > Firewall doing NAT and terminating VPNs (private IP) ------ LAN
    > >
    > > Is there a way to successfully set up the above schema? If I can do
    > > that, then I will have IP Addresses left over to do a static NAT for my
    > > email server. That way, I can do PAT with one address for all traffic
    > > except the mail server traffic which will have a static NAT translation
    > > to a second public address.
    > >
    > > I guess if I can't do that, then I can subnet my block of 5 addresses
    > > so my outer address is configured as a point to point with my gateway
    > > address at my carrier and then use the other addresses as a point to
    > > point subnet between my router and firewall using the rest of the
    > > public addresses.
    > >
    > > Then the MX record would reflect my outer address of my firewall right?
    > > Then I wouldn't have any addresses left to be able to create a static
    > > NAT for my email server though. (I would use all of them creating the
    > > public point to point between my router and firewall and so all traffic
    > > from the inside would have to be translated using just one public
    > > address).
    > >
    > > Still confused at how to proceed.
    > >
    > > Help greatly appreciated. Thank you.

    >
    > You would be using 2 public IP addresses for the router and the ASA. The
    > ASA would know the subnet of IP addresses based on the external interface
    > setup. So for example:
    >
    > router FastEthernet0/0 would have 1.1.1.1/29 external IP address
    > ASA external interface would have 1.1.1.2/29
    > Then you could NAT 1.1.1.3-1.1.1.5/29 through the ASA to internal
    > systems on the private LAN.
     
    K.J. 44, Aug 31, 2006
    #3
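Added example, not written by any poster in this thread: Python's `ipaddress` module checking the subnet arithmetic of the two addressing plans discussed above, the shared /29 from post #2 and the private link plus routed /30 from post #3. The function name `check_plan`, the plan labels and the 1.1.1.0/29 carrier block are assumptions taken from the thread's example addresses; the check covers address arithmetic only, not whether the carrier routes the block.

```python
import ipaddress

def check_plan(block, public_ifaces, nat_prefix, nat_addrs):
    """Return a list of addressing problems; an empty list means consistent."""
    block = ipaddress.ip_network(block)
    nat_prefix = ipaddress.ip_network(nat_prefix)
    ifaces = {n: ipaddress.ip_interface(a) for n, a in public_ifaces.items()}
    problems = []

    if not nat_prefix.subnet_of(block):
        problems.append(f"{nat_prefix} is outside carrier block {block}")
    for name, iface in ifaces.items():
        if not iface.network.subnet_of(block):
            problems.append(f"{name} {iface} is outside carrier block {block}")
        # A prefix routed to the firewall must not overlap a different
        # connected subnet, or the router treats it as directly attached.
        if iface.network != nat_prefix and iface.network.overlaps(nat_prefix):
            problems.append(f"{nat_prefix} overlaps {name} subnet {iface.network}")

    taken = {iface.ip: name for name, iface in ifaces.items()}
    for addr in map(ipaddress.ip_address, nat_addrs):
        if addr not in nat_prefix:
            problems.append(f"NAT address {addr} is not in {nat_prefix}")
        if addr in (block.network_address, block.broadcast_address):
            problems.append(f"NAT address {addr} is network/broadcast of {block}")
        if addr in taken:
            problems.append(f"NAT address {addr} collides with {taken[addr]}")
    return problems

BLOCK = "1.1.1.0/29"  # assumed carrier block containing the thread's addresses

# Post #2: router and ASA share the /29, NAT addresses come from the same subnet.
PLAN_SHARED = check_plan(
    BLOCK, {"router-outside": "1.1.1.1/29", "asa-outside": "1.1.1.2/29"},
    "1.1.1.0/29", ["1.1.1.3", "1.1.1.4", "1.1.1.5"])

# Post #3: /30 on the router outside, private 10.1.1.0/30 link to the firewall
# (not listed, it is not public), NAT addresses in a routed 1.1.1.4/30.
PLAN_ROUTED = check_plan(
    BLOCK, {"router-outside": "1.1.1.1/30"}, "1.1.1.4/30", ["1.1.1.5", "1.1.1.6"])

# Constructed failure cases: reusing the ASA address and the /29 broadcast,
# and keeping the router outside at /29 while routing 1.1.1.4/30 inward.
PLAN_COLLIDE = check_plan(
    BLOCK, {"router-outside": "1.1.1.1/29", "asa-outside": "1.1.1.2/29"},
    "1.1.1.0/29", ["1.1.1.2", "1.1.1.7"])
PLAN_OVERLAP = check_plan(
    BLOCK, {"router-outside": "1.1.1.1/29"}, "1.1.1.4/30", ["1.1.1.5", "1.1.1.6"])

if __name__ == "__main__":
    for label, result in [("shared /29", PLAN_SHARED), ("routed /30", PLAN_ROUTED),
                          ("collide", PLAN_COLLIDE), ("overlap", PLAN_OVERLAP)]:
        print(label, result or "consistent")
```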
