Removing Double NAT (Router-Stub-PIX) using Only PIX to NAT

I have been searching through these archives for about a week and someone has come close to answering my question in one of the posts but since it was not the same question it was only touched on.

Currently I have this setup: T-1 WAN (12.12.12.1/27 subnet) to 3725 edge router S0/0.1 IP 12.12.12.1. I am performing NAT on the inside stub net to the PIX. The stub has a net id 192.168.254.240/28. The inside int on the 3725 has IP 192.168.254.254 and the outside int of the PIX ethernet0 192.168.254.253. I use static NAT for http, https, smtp, and some others. 2 ports NAT to a DMZ web and SMTP relay server, the rest NAT inside to the PIX inside interface subnet. All this double NAT causes me much confusion. I have got it down pretty well except that rDNS does not work because I must have the SMTP and web server going out the global NAT IP instead of its own static. My ISP originally asked that I assign 12.12.12.1 to the Fa0/0 interface of my router and on the serial T-1 connection use the following config. Can I do this and take off NAT on the stub and just NAT on my PIX for my DMZ and inside interface and provide myself with some better performance?

interface Serial 0/0
description To UUNET (u133034)
bandwidth 1536
encapsulation frame-relay IETF
frame-relay lmi-type ansi
no ip address
no shutdown
no fair-queue
!
interface Serial 0/0.1 point-to-point
ip unnumbered FastEthernet0/0
frame-relay interface-dlci 500 IETF
bandwidth 1536
no shutdown
!
ip route 0.0.0.0 0.0.0.0 Serial 0/0.1
apscnjohnnie asked:

apscnjohnnie (Author) commented:
This is my current config for the interfaces

no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
ip cef
no ip bootp server
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface Loopback0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface Null0
 no ip unreachables
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay
 ip route-cache flow
!
interface Serial0/0.1 point-to-point
 description $FW_OUTSIDE$Outside to T1 Interface
 ip address 12.12.12.1 255.255.255.224
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 frame-relay interface-dlci 500 IETF  
!
interface FastEthernet0/1
 description $FW_INSIDE$$ETH-LAN$Stub LAN to PIX515E
 ip address 192.168.254.254 255.255.255.240
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
lrmoore commented:
>Can I do this and take off nat on the stub and just nat on my pix for my dmz and inside interface and provide myself with some better performance?
Good thinking. A router was designed from the ground up to pass packets as fast as it can to the correct interface. A firewall was designed from the ground up to do things like NAT and packet filtering.

Yes, the config will work and is most typical, but you can always ask the telco for a "/30" IP address for your WAN interface and be that much more efficient. Something like this:

interface Serial 0/0.1 point-to-point
ip address 153.65.77.2 255.255.255.252

interface fastEthernet0/1
 ip address 12.12.12.1 255.255.255.224

ip route 0.0.0.0 0.0.0.0 153.65.77.1

PIX outside IP - 12.12.12.2
The rest of your 12.12.12.x subnet can be used as static or dynamic NAT xlates right on the pix.
apscnjohnnie (Author) commented:
lrmoore, thanks for the reply. I dug deeper into ip unnumbered and this is Cisco's disadvantage list on using ip unnumbered: "The only real disadvantage that the unnumbered interface suffers from is that it is unavailable for remote testing and management". Now if I place what used to be my access-group on the s0/0.1 onto the fe0/1 interface, I should still be able to utilize my access-group to monitor and all management, only it would be on the inside interface, correct?

access-list 105 remark T1 Outside In
access-list 105 remark Permit MCI ICMP
access-list 105 permit icmp host 153.39.50.6 any
access-list 105 permit icmp host 153.39.57.136 any
access-list 105 permit icmp host 153.39.57.196 any
access-list 105 permit icmp host 153.39.129.196 any
access-list 105 permit icmp host 153.39.129.230 any
access-list 105 permit icmp host 153.39.129.30 any
access-list 105 permit icmp host 153.39.201.154 any
access-list 105 permit icmp host 153.39.201.213 any
access-list 105 permit icmp 199.171.54.0 0.0.0.255 any
access-list 105 remark The next IP is the MCI loopback
access-list 105 permit icmp host 137.39.7.198 any
access-list 105 remark Permit Remote Sites ICMP
access-list 105 permit icmp host 13.13.13.1 any
access-list 105 permit icmp host 14.14.14.1 any
access-list 105 deny   icmp any any log
access-list 105 remark T1 outside in
access-list 105 deny   tcp any host 12.12.12.1 eq www log
access-list 105 deny   tcp any host 12.12.12.1 eq 443 log
access-list 105 deny   tcp any host 12.12.12.1 eq cmd log
access-list 105 remark Deny NTP request outside
access-list 105 deny   udp any any eq ntp log
access-list 105 permit ip any any
apscnjohnnie (Author) commented:
ps. I am going to ask for a small routing subnet with a /30 subnet for my serial int
lrmoore commented:
>it would be on the inside interface correct?
No. It would still be applied where it is - "in" on the serial interface. It will never come "in" to the Ethernet interface, nor will it ever go "out" the Ethernet interface. It doesn't matter where the IP address is, it matters which door you want to block/permit entrance into the router.

Given your existing acl 105, I would suggest re-visiting the effectiveness of this acl. You are denying icmp messages (unreachables and ttl exceeded) that can help improve the efficiency of your network by letting Windows adjust tcp taking Path MTU Discovery into account. You are denying NTP, but I highly suggest using NTP to keep the clock on the router itself correct, and then use the router as an ntp master for the rest of the network. Other than denying anyone from even trying to access the router itself using web or cmd access, your acl does little else.
Remember, every single line of acl reduces efficiency.
How about something like this, where you specifically permit certain traffic and all else is denied. The "established" line permits all return traffic from inside hosts.

 access-list 105 permit icmp any host <new serial ip> echo  <== nothing dangerous about this
 access-list 105 permit icmp any any unreachable      <== for PMTUD
 access-list 105 permit icmp any any echo-reply        <== for ping replies
 access-list 105 permit icmp any any time-exceeded  <== for traceroute
 access-list 105 permit tcp any any established         <== allow return traffic from outgoing requests
 access-list 105 permit udp any eq 53 any               <== allow DNS name service
 access-list 105 permit tcp host <your ip> host <new serial ip> telnet <== give yourself remote access
 access-list 105 permit tcp host <your ip> host <new serial ip> ssh   <== preferred over telnet
 access-list 105 deny ip any any log                       <== deny everything else and log all attempts

Simply don't enable http server on the router and add a separate access-class/acl to line vty:
 access-list 6 permit <your home ip>
 access-list 6 permit <your assistant's home ip>
 line vty 0 4
  access-class 6 in
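
Added example (not from the thread): a first-match evaluator for the IOS extended-ACL syntax quoted above, run over an abridged copy of the asker's acl 105 and lrmoore's default-deny rewrite so the difference is visible on concrete packets. It assumes 153.65.77.2 (his example /30 serial address) for `<new serial ip>`, a constructed 203.0.113.10 for `<your ip>`, ports written in the `eq <port>` form, and constructed inbound packets toward the PIX outside address 12.12.12.2.

```python
# Added example (not from the thread): first-match evaluator for IOS extended ACLs,
# comparing an abridged acl 105 with lrmoore's default-deny rewrite. 153.65.77.2 is
# his example /30 serial IP; 203.0.113.10 is a constructed management address.
import ipaddress
PORTS = {"www": 80, "cmd": 514, "ntp": 123, "telnet": 23, "ssh": 22}

def _match(t, i, ip, port=None):  # consume 'any'|'host A'|'NET WILDCARD' [eq PORT] at t[i]
    if t[i] == "any":
        i, ok = i + 1, True
    elif t[i] == "host":
        i, ok = i + 2, ip == t[i + 1]
    else:
        a, net, wild = (int(ipaddress.IPv4Address(x)) for x in (ip, t[i], t[i + 1]))
        i, ok = i + 2, (a & ~wild) == (net & ~wild)  # wildcard 1-bits are don't-care
    if i < len(t) and t[i] == "eq":  # optional port qualifier (tcp/udp lines only)
        i, ok = i + 2, ok and port == int(PORTS.get(t[i + 1], t[i + 1]))
    return i, ok

def acl_action(acl, pkt):
    """Return 'permit' or 'deny'; IOS ends every ACL with an implicit deny."""
    for t in (line.split() for line in acl):
        if t[2] == "remark" or t[3] not in ("ip", pkt["proto"]):
            continue
        i, ok = _match(t, 4, pkt["src"], pkt.get("sport"))
        if ok: i, ok = _match(t, i, pkt["dst"], pkt.get("dport"))
        for q in (t[i:] if ok else ()):  # trailing qualifiers
            if q == "established":       # ACK or RST set, i.e. not a fresh SYN
                ok = ok and pkt.get("ack", False)
            elif q != "log":             # 'log' is a no-op; anything else names an ICMP type
                ok = ok and pkt.get("icmp_type") == q
        if ok:
            return t[2]
    return "deny"

OLD = ["access-list 105 deny icmp any any log",
       "access-list 105 deny tcp any host 12.12.12.1 eq www log",
       "access-list 105 permit ip any any"]
NEW = ["access-list 105 permit icmp any host 153.65.77.2 echo",
       "access-list 105 permit icmp any any unreachable",
       "access-list 105 permit icmp any any echo-reply",
       "access-list 105 permit tcp any any established",
       "access-list 105 permit udp any eq 53 any",
       "access-list 105 permit tcp host 203.0.113.10 host 153.65.77.2 eq ssh",
       "access-list 105 deny ip any any log"]
PACKETS = {  # constructed inbound packets as they arrive on the serial interface
    "ping reply": {"proto": "icmp", "src": "198.51.100.7", "dst": "12.12.12.2", "icmp_type": "echo-reply"},
    "http reply": {"proto": "tcp", "src": "198.51.100.7", "sport": 80, "dst": "12.12.12.2", "dport": 4321, "ack": True},
    "new smtp": {"proto": "tcp", "src": "198.51.100.7", "sport": 4000, "dst": "12.12.12.2", "dport": 25, "ack": False}}

def compare():  # {packet: (old verdict, new verdict)}
    return {name: (acl_action(OLD, p), acl_action(NEW, p)) for name, p in PACKETS.items()}
```

The "new smtp" case shows the catch: the default-deny list as quoted also drops unsolicited inbound SMTP and HTTP to the DMZ servers the question describes, so those need their own permit lines ahead of the final deny.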

apscnjohnnie (Author) commented:
Thanks a mil, not only did you help me with the ip unnumbered issue but in looking at the acl you have uncovered some performance and effectiveness weaknesses in my router's acls. I am going to put your suggestions into effect today. My ISP has agreed to give me the small subnet so all I need to do is follow your lead on your first comment with no need to adjust but just a few items to kick that mode off. Once again thanks for your assistance. I wanted an answer fast which is why I offered up 500 (tired of researching and gotta finish up tonight) and you justly deserved that.
lrmoore commented:
Thanks!
Post a new Q if you run into any problems..
lrmoore commented:
>$FW_OUTSIDE$
This entry appears to be from SDM GUI interface that comes with security/Firewall features. Do you have the firewall feature set? Do you have the inspect rules set up?
apscnjohnnie (Author) commented:
It doesn't support SSH; it was just supposed to come as a router with no bundles. Just lots of memory (128 MB and a 240 MHz processor). I don't have any inspect rules. My config will be in the next opened question. I'll open up another question with the subject "Proper ACL config on edge router to improve performance".