
simple question on routers and firewalls( nat related)

Posted on 2004-11-29
Last Modified: 2013-11-16
I know cisco routers are capable of doing NAT, but is it normal to do NAT on cisco routers when you have multi-homed firewalls behind them? Seems like too much NAT.

example:


  WAN
     |
     |
Cisco Router
  192.168.1.1  
     |
     |
     |
 192.168.1.2
Firewall (NAT)
 192.168.2.2
     |
     |
     |
  Client (192.168.2.3)

thanks
Question by:dissolved
9 Comments
 
LVL 5

Assisted Solution

by:zerofield
zerofield earned 400 total points
ID: 12699721
well, you can double nat and it'll work, but you're right in the respect that it does suck to do.  as long as you don't intend to connect to anything (easily at least) behind the mass nattage, you're ok.  if you do intend to actively maintain anything behind it, well, that'd be a pain.

On the other hand, I don't believe that what you are doing is necessary either.  From your diagram, you'd just as well run a dhcp pool from the pix (or whatever firewall/nat that is in the drawing) or run a DHCP server on the same subnet as the 192.168.2.3 client, and assign a default gateway of the firewall - with the firewall configured to use the router should it be a pix or something else that'd allow for that.
 
LVL 79

Expert Comment

by:lrmoore
ID: 12699897
There are sometimes good reasons to NAT in places other than on the primary Internet connection, but most often it is not necessary. The only time it is mandatory to NAT is going from a private IP to a public IP. Most often, the firewall will have a public IP, and the router will simply be providing the necessary T1 - Ethernet conversion (or whatever WAN link you have to Internet).
In your diagram, as long as the first router has a route back to the client subnet, you can do static nat directly from a public IP directly to client. For example, if you have an Exchange server at 192.168.2.22, and you want to NAT that on the Internet router to a public IP, then all you have to do is provide the appropriate nat statement on the Internet router.
  ip nat inside source static tcp 192.168.2.22 25 interface Serial0/0.1 25

The only requirement is that the local source 192.168.2.22 must be inside the network and must pass through the designated nat "inside" interface going out the nat "outside" interface of the Internet-connected router...

I see no reason in your instance that you would need to double-nat.
 

Author Comment

by:dissolved
ID: 12700076
If you have two interfaces on a host (such as my firewall) does it automatically do NAT? Do the interfaces HAVE to be in different networks? Or can they be in the same network (i.e. 192.168.1.1 on one interface, 192.168.1.2 on the other)?
Maybe that's what I'm being lost on.

Maybe this diagram is more like it?

  T1
   |
Router            <----------No NAT
   
   |
192.168.2.1
FIREWALL        <-----------NAT
192.168.3.1
   |
   |
DMZ
   |
   |
192.168.3.2
FIREWALL         <----------NAT
192.168.1.2
   |
   |
exchange server 192.168.1.22

Say the exchange server was internal, but it still needs to receive email from internet users. I would open up port 25 on the firewalls' inbound and outbound. I would then place a static NAT entry
 

Author Comment

by:dissolved
ID: 12700084
...continued.....but where would the static NAT entry be placed?
 
LVL 79

Accepted Solution

by:
lrmoore earned 1400 total points
ID: 12700223
In this instance, the 2nd Firewall does not necessarily have to be doing NAT, and the first firewall is doing all the NAT to the public IP addresses (assuming 192.168.2.x to be a placeholder for public IP).
  Firewall #1 nat public ip 192.168.2.22 to private IP 192.168.1.22
If no nat is taking place on Firewall #2, then it is simply routed, firewall #2 permitting smtp from "any" to the real IP 192.168.1.22.

Example:
R1 = Internet connected router, no NAT
R1
  interface Serial 0
    description Internet link
    ip address 1.2.3.5 255.255.255.252
  interface Ethernet 0
    description x-connect to Firewall
    ip address 12.34.56.7 255.255.255.240
  ip route 0.0.0.0 0.0.0.0 1.2.3.6
-----------------------------------------------------
R2 = Firewall#1 (since you said you don't have "real" firewall yet)
  interface Ethernet 0
    description x-connect to R1
    ip address 12.34.56.8 255.255.255.240
    ip access-group 101 in
    ip nat outside
  interface Ethernet 1
    description DMZ
    ip address 192.168.3.1 255.255.255.0
    ip nat inside

  ip route 0.0.0.0 0.0.0.0 12.34.56.7
  ip route 192.168.1.0 255.255.255.0 192.168.3.2
  access-list 101 permit tcp any host 12.34.56.9 eq 25
  access-list 101 permit tcp any host 12.34.56.9 eq 80
  access-list 101 permit tcp any any established
  access-list 101 permit udp any eq domain any
  ip nat inside source static tcp 192.168.1.22 25 12.34.56.9 25
  ip nat inside source static tcp 192.168.3.22 80 12.34.56.9 80
------------------------------------------------------
R3 = Firewall #2 - No NAT
  interface Ethernet 0
    description DMZ interface
    ip address 192.168.3.2 255.255.255.0
    ip access-group 101 in
  interface Ethernet 1
    description Local LAN Active Directory/Exchange
    ip address 192.168.1.1 255.255.255.0

  access-list 101 permit tcp any host 192.168.1.22 eq smtp
  access-list 101 permit udp any eq domain any
  access-list 101 permit tcp any any established

  ip route 0.0.0.0 0.0.0.0 192.168.3.1
---------------------------

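The following is an added Python packet walk through the three-device design in the accepted answer above (it is not code from the thread or from Cisco). It encodes lrmoore's access-list 101 entries, the two static NAT lines and R2's static route, and also shows lrmoore's earlier point that the NAT router must have a route back to the inside subnet: without it, the translated SMTP packet is routed to the default gateway and never reaches R3. The Internet client address 203.0.113.5 is constructed; the IOS evaluation order for outside-to-inside traffic (inbound ACL on the pre-NAT public address, then translation, then route lookup) is what the simulation follows.

```python
# Packet walk through the three-device design in the accepted answer:
# R1 (no NAT) -> R2 (Firewall #1, ACL 101 + static NAT) -> R3 (Firewall #2, ACL only).
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Pkt:
    proto: str; src: str; sport: int; dst: str; dport: int; established: bool = False

# ACL rows: (proto, src_net, sport, dst_net, dport, established); None = any; implicit deny at end.
ANY = "0.0.0.0/0"
R2_ACL = [("tcp", ANY, None, "12.34.56.9/32", 25, False),      # permit tcp any host 12.34.56.9 eq 25
          ("tcp", ANY, None, "12.34.56.9/32", 80, False),      # permit tcp any host 12.34.56.9 eq 80
          ("tcp", ANY, None, ANY, None, True),                 # permit tcp any any established
          ("udp", ANY, 53, ANY, None, False)]                  # permit udp any eq domain any
R3_ACL = [("tcp", ANY, None, "192.168.1.22/32", 25, False),    # permit tcp any host 192.168.1.22 eq smtp
          ("udp", ANY, 53, ANY, None, False),
          ("tcp", ANY, None, ANY, None, True)]
# R2's two "ip nat inside source static tcp" lines: (inside ip, port) -> (public ip, port)
STATIC_NAT = {("192.168.1.22", 25): ("12.34.56.9", 25),
              ("192.168.3.22", 80): ("12.34.56.9", 80)}
R2_ROUTES = [("192.168.3.0/24", "connected"), ("192.168.1.0/24", "192.168.3.2"),
             ("0.0.0.0/0", "12.34.56.7")]

def permitted(acl, p):
    """First matching permit wins; no match means the implicit deny."""
    for proto, s, sp, d, dp, est in acl:
        if (proto == p.proto and ip_address(p.src) in ip_network(s) and ip_address(p.dst) in ip_network(d)
                and sp in (None, p.sport) and dp in (None, p.dport) and (not est or p.established)):
            return True
    return False

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next hop) pairs."""
    matches = [(ip_network(n).prefixlen, h) for n, h in routes if ip_address(dst) in ip_network(n)]
    return max(matches)[1] if matches else None

def walk_inbound(p, r2_routes=R2_ROUTES):
    """Internet -> inside. Returns (ip the packet is finally delivered to, or None; decision trail)."""
    trail = ["R1: 12.34.56.0/28 is connected, forward untranslated to R2"]
    if not permitted(R2_ACL, p):                      # inbound ACL is checked on the public address, before NAT
        return None, trail + ["R2: denied by access-list 101"]
    inside = {pub: priv for priv, pub in STATIC_NAT.items()}.get((p.dst, p.dport))
    if inside is None:                                # public IP/port with no translation: nothing to deliver to
        return None, trail + ["R2: no static translation, dropped"]
    p = replace(p, dst=inside[0], dport=inside[1])
    trail.append(f"R2: NAT {STATIC_NAT[inside]} -> {inside}")
    hop = next_hop(r2_routes, p.dst)
    if hop != "192.168.3.2":                          # only the static route to 192.168.1.0/24 leads to R3
        return (p.dst if hop == "connected" else None), trail + [f"R2: next hop {hop}"]
    if not permitted(R3_ACL, p):
        return None, trail + ["R3: denied by access-list 101"]
    return p.dst, trail + ["R3: delivered on local LAN"]
```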
 

Author Comment

by:dissolved
ID: 12701193
I see where I'm confused now.
NAT only occurs when translating public to private or vice versa.


I was under the assumption that anytime you connect two networks together (even using private IPs), NAT occurred. Example: s0 on Router1 = 192.168.2.1 and e0 on Router1 = 192.168.3.1. I thought THAT was NAT. But in essence, it's just "routing."

Now if s0 on Router1 = 12.8.4.4 and e0 on Router1 = 192.168.1.1, then THAT would be NAT. Is that correct lrmoore?

Yikes, sorry for the dumb question (sometimes I surprise myself lol).


 
LVL 79

Expert Comment

by:lrmoore
ID: 12701249
Like I said, you only HAVE to nat between public and private. You CAN and may have to NAT from private-to-private as in your other question with the Cable Modem only being capable of natting to the local LAN, so your next-hop router also has to NAT a remote IP to appear as a local IP to the Cable modem.

NAT only occurs when and where you explicitly tell it to. Nothing is automatic (except mostly on the low-end broadband routers where NAT is enabled by default).
 

Author Comment

by:dissolved
ID: 12701788
so the general rule of thumb is

-no nat on router connected to T1
-nat on the 1st firewall  (public IP to private IP)
-to reach hosts that are buried deep in different lans (like my exchange server), use static NAT

is that correct?
thanks
 
LVL 88

Assisted Solution

by:rindi
rindi earned 200 total points
ID: 12703027
What you have outlined in your example could be used as a DMZ (behind the cisco router), which doesn't need the same sort of security, or if you want to allow some users at your site an internet connection but none to your LAN (except, possibly, if they use a VPN), while those users behind the nat/firewall have full access to the LAN and internet.

Also, NAT isn't necessarily the same as a firewall...