Simple question on routers and firewalls (NAT related)

I know Cisco routers are capable of doing NAT, but is it normal to do NAT on Cisco routers when you have multi-homed firewalls behind them? Seems like too much NAT.

example:


  WAN
     |
     |
Cisco Router
  192.168.1.1  
     |
     |
     |
 192.168.1.2
Firewall (NAT)
 192.168.2.2
     |
     |
     |
  Client (192.168.2.3)

thanks
dissolved asked:

zerofield commented:
Well, you can double NAT and it'll work, but you're right in the respect that it does suck to do. As long as you don't intend to connect to anything (easily at least) behind the mass nattage, you're OK. If you do intend to actively maintain anything behind it, well, that'd be a pain.

On the other hand, I don't believe that what you are doing is necessary either. From your diagram, you'd just as well run a DHCP pool from the PIX (or whatever firewall/NAT that is in the drawing) or run a DHCP server on the same subnet as the 192.168.2.3 client, and assign a default gateway of the firewall, with the firewall configured to use the router, should it be a PIX or something else that'd allow for that.
0
lrmoore commented:
There are sometimes good reasons to NAT in places other than on the primary Internet connection, but most often it is not necessary. The only time it is mandatory to NAT is going from a private IP to a public IP. Most often, the firewall will have a public IP, and the router will simply be providing the necessary T1 - Ethernet conversion (or whatever WAN link you have to the Internet).
In your diagram, as long as the first router has a route back to the client subnet, you can do static NAT directly from a public IP to the client. For example, if you have an Exchange server at 192.168.2.22, and you want to NAT that on the Internet router to a public IP, then all you have to do is provide the appropriate NAT statement on the Internet router.
  ip nat inside source static tcp 192.168.2.22 25 interface Serial0/0.1 25

The only requirement is that the local source 192.168.2.22 must be inside the network and must pass through the designated NAT "inside" interface going out the NAT "outside" interface of the Internet-connected router...

I see no reason in your instance that you would need to double-NAT.
0
dissolved (author) commented:
If you have two interfaces on a host (such as my firewall), does it automatically do NAT? Do the interfaces HAVE to be in different networks? Or can they be in the same network (i.e. 192.168.1.1 on one interface, 192.168.1.2 on the other)?
Maybe that's what I'm getting lost on.

Maybe this diagram is more like it?

  T1
   |
Router            <----------No NAT
   
   |
192.168.2.1
FIREWALL        <-----------NAT
192.168.3.1
   |
   |
DMZ
   |
   |
192.168.3.2
FIREWALL         <----------NAT
192.168.1.2
   |
   |
exchange server 192.168.1.22

Say the Exchange server was internal, but it still needs to receive email from Internet users. I would open up port 25 on the firewalls, inbound and outbound. I would then place a static NAT entry
0

dissolved (author) commented:
...continued... but where would the static NAT entry be placed?
0
lrmoore commented:
In this instance, the 2nd firewall does not necessarily have to be doing NAT, and the first firewall is doing all the NAT to the public IP addresses (assuming 192.168.2.x to be a placeholder for public IPs):
  Firewall #1 NATs public IP 192.168.2.22 to private IP 192.168.1.22
If no NAT is taking place on Firewall #2, then it is simply routed, with Firewall #2 permitting SMTP from "any" to the real IP 192.168.1.22.

Example:
R1 = Internet connected router, no NAT
R1
  Interface Serial 0
    description Internet link
    ip address 1.2.3.5 255.255.255.252
  Interface Ethernet 0
    description x-connect to Firewall
    ip address 12.34.56.7 255.255.255.240
  ip route 0.0.0.0 0.0.0.0 1.2.3.6
-----------------------------------------------------
R2 = Firewall #1 (since you said you don't have a "real" firewall yet)
  Interface Ethernet 0
    description x-connect to R1
    ip address 12.34.56.8 255.255.255.240
    ip access-group 101 in
    ip nat outside
  Interface Ethernet 1
    description DMZ
    ip address 192.168.3.1 255.255.255.0
    ip nat inside

  ip route 0.0.0.0 0.0.0.0 12.34.56.7
  ip route 192.168.1.0 255.255.255.0 192.168.3.2
  access-list 101 permit tcp any host 12.34.56.9 eq 25
  access-list 101 permit tcp any host 12.34.56.9 eq 80
  access-list 101 permit tcp any any established
  access-list 101 permit udp any eq domain any
  ip nat inside source static tcp 192.168.1.22 25 12.34.56.9 25
  ip nat inside source static tcp 192.168.3.22 80 12.34.56.9 80
------------------------------------------------------
R3 = Firewall #2 - No NAT
  Interface Ethernet 0
    description DMZ interface
    ip address 192.168.3.2 255.255.255.0
    ip access-group 101 in

  Interface Ethernet 1
    description Local LAN Active Directory/Exchange
    ip address 192.168.1.1 255.255.255.0

  access-list 101 permit tcp any host 192.168.1.22 eq smtp
  access-list 101 permit udp any eq domain any
  access-list 101 permit tcp any any established

  ip route 0.0.0.0 0.0.0.0 192.168.3.1

---------------------------

0
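As an added illustration (not code from the thread or from Cisco), here is a small Python packet-walk model of the three-box layout in the answer above, which also exercises the earlier point that a static NAT entry on one box plus ordinary routes is all that is needed. It encodes R1, R2 and R3 with the thread's addresses, routes, static NAT entries and the port 25/80 lines of ACL 101, then traces an inbound SMTP connection, an inbound HTTP connection to the DMZ host, a connection to a port the ACL does not permit, and the Exchange server's reply. What it makes concrete is lrmoore's rule: translation happens exactly once, on the box that carries the `ip nat` statements; R1 only routes and Firewall #2 only filters. The Internet client 203.0.113.10 is a constructed address, and the `established` and DNS lines of the ACL are not modelled.

```python
"""Packet-walk model of the R1/R2/R3 layout above (R1: no NAT; R2 = Firewall #1:
ACL 101 plus static NAT; R3 = Firewall #2: ACL only). Added example, not code from
the thread. The Internet client 203.0.113.10 is a constructed address, and the
'established' and DNS lines of ACL 101 are left out of the model."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

IP, NET = ipaddress.ip_address, ipaddress.ip_network
Packet = namedtuple("Packet", "src dst proto dport sport", defaults=(40000,))

@dataclass
class Device:
    name: str
    ifaces: dict                                    # iface -> "addr/prefixlen"
    routes: list = field(default_factory=list)      # (prefix, next_hop) static routes
    acl_in: dict = field(default_factory=dict)      # iface -> rules ('ip access-group N in')
    nat_inside: set = field(default_factory=set)    # 'ip nat inside' interfaces
    nat_outside: set = field(default_factory=set)   # 'ip nat outside' interfaces
    static_nat: list = field(default_factory=list)  # (proto, local, lport, global, gport)

    def connected(self, ip):
        return next((n for n, c in self.ifaces.items()
                     if IP(ip) in ipaddress.ip_interface(c).network), None)

    def egress(self, dst):  # longest-prefix match: connected subnets, then static routes
        if self.connected(dst):
            return self.connected(dst), dst
        cands = [(NET(p).prefixlen, nh) for p, nh in self.routes if IP(dst) in NET(p)]
        return (self.connected(max(cands)[1]), max(cands)[1]) if cands else (None, None)

def acl_permits(rules, p):  # IOS semantics: first matching line wins, implicit deny at the end
    for r in rules:  # every line in this model has source 'any'
        if r["proto"] == p.proto and IP(p.dst) in NET(r.get("dst", "0.0.0.0/0")) \
                and r.get("dport", p.dport) == p.dport:
            return r["action"] == "permit"
    return False

def forward(dev, iface_in, p, log):  # one hop: inbound ACL, outside->inside NAT, route, inside->outside NAT
    rules = dev.acl_in.get(iface_in)
    if rules is not None and not acl_permits(rules, p):
        log.append(f"{dev.name}: dropped by inbound ACL on {iface_in}")
        return None
    if iface_in in dev.nat_outside:  # entering from outside: destination global -> local
        for proto, loc, lp, glob, gp in dev.static_nat:
            if (proto, glob, gp) == (p.proto, p.dst, p.dport):
                log.append(f"{dev.name}: NAT dst {glob}:{gp} -> {loc}:{lp}")
                p = p._replace(dst=loc, dport=lp)
    out_if, nh = dev.egress(p.dst)
    if out_if is None:
        log.append(f"{dev.name}: no route to {p.dst}")
        return None
    if iface_in in dev.nat_inside and out_if in dev.nat_outside:  # leaving: source local -> global
        for proto, loc, lp, glob, gp in dev.static_nat:
            if (proto, loc, lp) == (p.proto, p.src, p.sport):
                log.append(f"{dev.name}: NAT src {loc}:{lp} -> {glob}:{gp}")
                p = p._replace(src=glob, sport=gp)
    log.append(f"{dev.name}: {iface_in} -> {out_if}, next hop {nh}")
    return p, out_if, nh

def owner(devices, ip):  # who answers for ip: an interface, or a NAT box proxy-ARPing a global address
    for d in devices:
        n = next((n for n, c in d.ifaces.items() if c.split("/")[0] == ip), None)
        if n or any(g == ip for _, _, _, g, _ in d.static_nat):
            return d, n or d.connected(ip)
    return None, None

def trace(devices, dev, iface_in, p):
    log = []
    while dev is not None:  # this topology is loop-free, so no hop limit is needed
        hop = forward(dev, iface_in, p, log)
        if hop is None:
            return "dropped", p, log
        p, _, nh = hop
        dev, iface_in = owner(devices, nh)
    return ("delivered" if nh == p.dst else "exited"), p, log

R1 = Device("R1", {"Serial0": "1.2.3.5/30", "Ethernet0": "12.34.56.7/28"},
            routes=[("0.0.0.0/0", "1.2.3.6")])
R2 = Device("R2", {"Ethernet0": "12.34.56.8/28", "Ethernet1": "192.168.3.1/24"},
            routes=[("0.0.0.0/0", "12.34.56.7"), ("192.168.1.0/24", "192.168.3.2")],
            acl_in={"Ethernet0": [{"action": "permit", "proto": "tcp", "dst": "12.34.56.9/32", "dport": 25},
                                  {"action": "permit", "proto": "tcp", "dst": "12.34.56.9/32", "dport": 80}]},
            nat_outside={"Ethernet0"}, nat_inside={"Ethernet1"},
            static_nat=[("tcp", "192.168.1.22", 25, "12.34.56.9", 25), ("tcp", "192.168.3.22", 80, "12.34.56.9", 80)])
R3 = Device("R3", {"Ethernet0": "192.168.3.2/24", "Ethernet1": "192.168.1.1/24"},
            routes=[("0.0.0.0/0", "192.168.3.1")], acl_in={"Ethernet0": [
                {"action": "permit", "proto": "tcp", "dst": "192.168.1.22/32", "dport": 25}]})
NETWORK = [R1, R2, R3]
CLIENT = "203.0.113.10"  # constructed Internet host (RFC 5737 documentation range)

def inbound(dport):  # a SYN from the Internet client to the public 12.34.56.9, entering R1
    return trace(NETWORK, R1, "Serial0", Packet(CLIENT, "12.34.56.9", "tcp", dport))

def reply_from_exchange():  # the Exchange server answering the client, entering R3 from the LAN
    return trace(NETWORK, R3, "Ethernet1", Packet("192.168.1.22", CLIENT, "tcp", 40000, 25))

if __name__ == "__main__":
    for s, p, log in (inbound(25), inbound(80), inbound(443), reply_from_exchange()):
        print(*log, f"=> {s}: {p.src}:{p.sport} -> {p.dst}:{p.dport}\n", sep="\n")
```

Running the file prints the hop-by-hop log for each case. `inbound(25)` comes back as delivered with the destination rewritten to 192.168.1.22 once, at R2, and left alone at R3; `inbound(443)` is dropped by ACL 101 on R2 before the NAT table is even consulted; the reply from the Exchange server leaves R2 with its source rewritten to 12.34.56.9 by the same static entry, which is why a single static line is enough for both directions. R1 needs no route to 192.168.1.0/24 because R2 answers for 12.34.56.9 on the shared /28, which the `owner` helper models as proxy ARP.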

dissolved (author) commented:
I see where I'm confused now.
NAT only occurs when translating public to private or vice versa.

I was under the assumption that any time you connect two networks together (even using private IPs), NAT occurred. Example: s0 on Router1 = 192.168.2.1 and e0 on Router1 = 192.168.3.1. I thought THAT was NAT. But in essence, it's just "routing."

Now if s0 on Router1 = 12.8.4.4 and e0 on Router1 = 192.168.1.1, then THAT would be NAT. Is that correct, lrmoore?

Yikes, sorry for the dumb question (sometimes I surprise myself lol).


0
lrmoore commented:
Like I said, you only HAVE to NAT between public and private. You CAN and may have to NAT from private-to-private, as in your other question with the cable modem only being capable of NATting to the local LAN, so your next-hop router also has to NAT a remote IP to appear as a local IP to the cable modem.

NAT only occurs when and where you explicitly tell it to. Nothing is automatic (except mostly on the low-end broadband routers where NAT is enabled by default).
0
dissolved (author) commented:
So the general rule of thumb is:

- no NAT on the router connected to the T1
- NAT on the 1st firewall (public IP to private IP)
- to reach hosts that are buried deep in different LANs (like my Exchange server), use static NAT

Is that correct?
thanks
0
rindi commented:
What you have outlined in your example could be used as a DMZ (behind the Cisco router), which doesn't need the same sort of security, or if you want to allow some users at your site an Internet connection but none to your LAN (except, possibly, if they use a VPN), and those users behind the NAT/firewall have full access to the LAN and Internet.

Also, NAT isn't necessarily the same as a firewall...
0