apscnjohnnie
asked on
Removing Double NAT (Router-Stub-PIX) using Only PIX to NAT
I have been searching through these archives for about a week and someone has come close to answering my question in one of the posts but since it was not the same question it was only touched on.
Currently I have this setup: T-1 WAN (12.12.12.1/27 subnet) to a 3725 edge router, S0/0.1 IP 12.12.12.1. I am performing NAT on the inside stub net to the PIX. The stub has a net ID of 192.168.254.240/28. The inside interface on the 3725 has IP 192.168.254.254 and the outside interface of the PIX, ethernet0, is 192.168.254.253. I use static NAT for http, https, smtp, and some others. 2 ports NAT to a DMZ web and SMTP relay server, the rest NAT inside to the PIX inside interface subnet. All this double NAT causes me much confusion. I have got it down pretty well except that rDNS does not work, because I must have the SMTP and web server going out the global NAT IP instead of their own static. My ISP originally asked that I assign 12.12.12.1 to the Fa0/0 interface of my router and on the serial T-1 connection use the following config. Can I do this and take off NAT on the stub and just NAT on my PIX for my DMZ and inside interface and provide myself with some better performance?
interface Serial 0/0
description To UUNET (u133034)
bandwidth 1536
encapsulation frame-relay IETF
frame-relay lmi-type ansi
no ip address
no shutdown
no fair-queue
!
interface Serial 0/0.1 point-to-point
ip unnumbered FastEthernet0/0
frame-relay interface-dlci 500 IETF
bandwidth 1536
no shutdown
!
ip route 0.0.0.0 0.0.0.0 Serial 0/0.1
>Can I do this and take off nat on the stub and just nat on my pix for my dmz and inside interface and provide myself with some better performance?
Good thinking. A router is designed from the ground up to pass packets as fast as it can to the correct interface. A firewall is designed from the ground up to do things like NAT and packet filtering.
Yes, the config will work and is most typical, but you can always ask the telco for a "/30" IP address for your WAN interface and be that much more efficient. Something like this:
interface Serial 0/0.1 point-to-point
ip address 153.65.77.2 255.255.255.252
interface fastEthernet0/1
ip address 12.12.12.1 255.255.255.224
ip route 0.0.0.0 0.0.0.0 153.65.77.1
PIX outside IP - 12.12.12.2
The rest of your 12.12.12.x subnet can be used as static or dynamic NAT xlates right on the pix.
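A worked version of the single-NAT design lrmoore describes, added here as an illustration; it is not config from the original thread or from either poster. The router side uses the /30 and /27 addresses from the answer above; the PIX side is written in PIX 6.x syntax for the PIX 515E the asker mentions later in the thread. The DMZ subnet 192.168.1.0/24, the inside subnet 192.168.0.0/24, the DMZ host addresses 192.168.1.10 (web) and 192.168.1.25 (SMTP relay), and the public addresses 12.12.12.3, 12.12.12.4 and 12.12.12.10 are assumptions made for the example, and the `!` lines are annotations. The point it shows is why moving the statics to the PIX fixes the rDNS problem: the relay's outbound SMTP leaves the PIX sourced from its own public address rather than from the shared PAT address.

```cisco
! ---- 3725 edge router: routing only, no NAT ----
! (assumed: the ip nat inside/outside and ip nat ... static lines the
!  asker mentions, but does not list, have been removed)
interface Serial0/0.1 point-to-point
 ip address 153.65.77.2 255.255.255.252
 frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/1
 description Public /27 toward PIX515E outside
 ip address 12.12.12.1 255.255.255.224
 no ip nat inside
!
ip route 0.0.0.0 0.0.0.0 153.65.77.1

! ---- PIX 515E (6.x syntax): all NAT happens here ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 12.12.12.2 255.255.255.224
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
!
! Inside users share one public address (dynamic PAT); assumed 12.12.12.10
global (outside) 1 12.12.12.10 netmask 255.255.255.224
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
!
! DMZ servers get their own public address in both directions, so the
! relay's outbound SMTP is sourced from 12.12.12.4 and its PTR record matches
static (dmz,outside) 12.12.12.3 192.168.1.10 netmask 255.255.255.255 0 0
static (dmz,outside) 12.12.12.4 192.168.1.25 netmask 255.255.255.255 0 0
!
! Inside hosts reach the DMZ untranslated (identity static)
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
!
! Only the published services are reachable from the Internet
access-list outside_in remark Internet to DMZ, published services only
access-list outside_in permit tcp any host 12.12.12.3 eq www
access-list outside_in permit tcp any host 12.12.12.3 eq https
access-list outside_in permit tcp any host 12.12.12.4 eq smtp
access-group outside_in in interface outside
!
! The DMZ may send mail and resolve names but may not initiate into inside
access-list dmz_out remark DMZ may not initiate toward the inside network
access-list dmz_out deny ip any 192.168.0.0 255.255.255.0
access-list dmz_out permit tcp host 192.168.1.25 any eq smtp
access-list dmz_out permit udp host 192.168.1.25 any eq domain
access-group dmz_out in interface dmz
```

Once the router's NAT statements are gone, `show xlate` on the PIX is the check: an outbound connection from 192.168.1.25 should appear as a translation to 12.12.12.4, while inside hosts all show 12.12.12.10. If the router still holds any `ip nat` configuration, the packets get translated twice again and the static on the PIX is hidden behind the router's global address, which is exactly the rDNS symptom described in the question.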
ASKER
lrmoore, thanks for the reply. I dug deeper into ip unnumbered and this is Cisco's disadvantage list on using ip unnumbered: "The only real disadvantage that the unnumbered interface suffers from is that it is unavailable for remote testing and management." Now if I place what used to be my access-group on S0/0.1 on the Fe0/1 interface, I should still be able to utilize my access-group to monitor and do all management, only it would be on the inside interface, correct?
access-list 105 remark T1 Outside In
access-list 105 remark Permit MCI ICMP
access-list 105 permit icmp host 153.39.50.6 any
access-list 105 permit icmp host 153.39.57.136 any
access-list 105 permit icmp host 153.39.57.196 any
access-list 105 permit icmp host 153.39.129.196 any
access-list 105 permit icmp host 153.39.129.230 any
access-list 105 permit icmp host 153.39.129.30 any
access-list 105 permit icmp host 153.39.201.154 any
access-list 105 permit icmp host 153.39.201.213 any
access-list 105 permit icmp 199.171.54.0 0.0.0.255 any
access-list 105 remark The next IP is the MCI loopback
access-list 105 permit icmp host 137.39.7.198 any
access-list 105 remark Permit Remote Sites ICMP
access-list 105 permit icmp host 13.13.13.1 any
access-list 105 permit icmp host 14.14.14.1 any
access-list 105 deny icmp any any log
access-list 105 remark T1 outside in
access-list 105 deny tcp any host 12.12.12.1 eq www log
access-list 105 deny tcp any host 12.12.12.1 eq 443 log
access-list 105 deny tcp any host 12.12.12.1 eq cmd log
access-list 105 remark Deny NTP request outside
access-list 105 deny udp any any eq ntp log
access-list 105 permit ip any any
ASKER
P.S. I am going to ask for a small routing subnet with a /30 for my serial interface.
ASKER CERTIFIED SOLUTION
ASKER
Thanks a mil. Not only did you help me with the ip unnumbered issue, but in looking at the ACL you have uncovered some performance and effectiveness weaknesses in my router's ACLs. I am going to put your suggestions into effect today. My ISP has agreed to give me the small subnet, so all I need to do is follow your lead on your first comment, with no need to adjust but just a few items to kick that mode off. Once again, thanks for your assistance. I wanted an answer fast, which is why I offered up 500 (tired of researching and gotta finish up tonight), and you justly deserved that.
Thanks!
Post a new Q if you run into any problems..
>$FW_OUTSIDE$
This entry appears to be from SDM GUI interface that comes with security/Firewall features. Do you have the firewall feature set? Do you have the inspect rules set up?
ASKER
It doesn't support SSH; it was just supposed to come as a router with no bundles, just lots of memory (128 MB and a 240 MHz processor). I don't have any inspect rules. My config will be in the next opened question. I'll open up another question with the subject "Proper ACL config on edge router to improve performance".
ASKER
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
ip cef
no ip bootp server
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
interface Null0
no ip unreachables
!
interface Serial0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation frame-relay
ip route-cache flow
!
interface Serial0/0.1 point-to-point
description $FW_OUTSIDE$Outside to T1 Interface
ip address 12.12.12.1 255.255.255.224
ip access-group 105 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable
frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/1
description $FW_INSIDE$$ETH-LAN$Stub LAN to PIX515E
ip address 192.168.254.254 255.255.255.240
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled