apscnjohnnie (United States of America) asked:
Removing Double NAT (Router-Stub-PIX) using Only PIX to NAT

I have been searching through these archives for about a week, and someone has come close to answering my question in one of the posts, but since it was not the same question it was only touched on.

Currently I have this setup: T-1 WAN (12.12.12.1/27 subnet) to a 3725 edge router, S0/0.1 IP 12.12.12.1. I am performing NAT on the inside stub net to the PIX. The stub has net ID 192.168.254.240/28. The inside interface on the 3725 has IP 192.168.254.254 and the outside interface of the PIX, ethernet0, is 192.168.254.253. I use static NAT for HTTP, HTTPS, SMTP and some others. Two ports NAT to a DMZ web and SMTP relay server; the rest NAT inside to the PIX inside interface subnet.

All this double NAT causes me much confusion. I have got it down pretty well, except that rDNS does not work because I must have the SMTP and web server going out the global NAT IP instead of its own static. My ISP originally asked that I assign 12.12.12.1 to the Fa0/0 interface of my router and use the following config on the serial T-1 connection. Can I do this, take NAT off the stub and just NAT on my PIX for my DMZ and inside interface, and provide myself with some better performance?

interface Serial 0/0
description To UUNET (u133034)
bandwidth 1536
encapsulation frame-relay IETF
frame-relay lmi-type ansi
no ip address
no shutdown
no fair-queue
!
interface Serial 0/0.1 point-to-point
ip unnumbered FastEthernet0/0
frame-relay interface-dlci 500 IETF
bandwidth 1536
no shutdown
!
ip route 0.0.0.0 0.0.0.0 Serial 0/0.1
ASKER
This is my current config for the interfaces

no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
ip cef
no ip bootp server
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface Loopback0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface Null0
 no ip unreachables
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay
 ip route-cache flow
!
interface Serial0/0.1 point-to-point
 description $FW_OUTSIDE$Outside to T1 Interface
 ip address 12.12.12.1 255.255.255.224
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 frame-relay interface-dlci 500 IETF  
!
interface FastEthernet0/1
 description $FW_INSIDE$$ETH-LAN$Stub LAN to PIX515E
 ip address 192.168.254.254 255.255.255.240
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
Les Moore
>Can I do this and take off nat on the stub and just nat on my pix for my dmz and inside interface and provide myself with some better performance?
Good thinking. A router is designed from the ground up to pass packets as fast as it can to the correct interface; a firewall is designed from the ground up to do things like NAT and packet filtering.

Yes, the config will work and is the most typical, but you can always ask the telco for a /30 IP address for your WAN interface and be that much more efficient. Something like this:

interface Serial 0/0.1 point-to-point
ip address 153.65.77.2 255.255.255.252

interface fastEthernet0/1
 ip address 12.12.12.1 255.255.255.224

ip route 0.0.0.0 0.0.0.0 153.65.77.1

PIX outside IP - 12.12.12.2
The rest of your 12.12.12.x subnet can be used as static or dynamic NAT xlates right on the pix.
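Putting the advice above together as one worked configuration, added here as an example and not taken from the thread: the router does only routing and ingress filtering, and every translation moves to the PIX so each DMZ server leaves from its own public address (which is what makes the PTR record match for reverse DNS). The /30 addresses follow lrmoore's post; the private ranges 10.1.1.0/24 (inside) and 10.1.2.0/24 (dmz), the public addresses 12.12.12.3-5 and the ACL name `outside_in` are assumptions. The router half is IOS (comments begin with `!`); the PIX half is PIX OS 6.x syntax (comments begin with `:`).

```cisco
! ===== 3725 edge router (IOS): routing and ingress filtering only =====
! First delete every "ip nat inside source ..." line from the running
! config (the original statics are not shown in the thread), then re-address.
interface Serial0/0.1 point-to-point
 description Outside to T1 - ISP /30 transit (153.65.77.0/30 assumed)
 ip address 153.65.77.2 255.255.255.252
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/1
 description Transit LAN to PIX515E outside - the public /27 lives here now
 ip address 12.12.12.1 255.255.255.224
 no ip nat inside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
! Default route to the ISP end of the /30. The ISP must in turn route
! 12.12.12.0/27 to 153.65.77.2, or inbound traffic for the /27 never arrives.
ip route 0.0.0.0 0.0.0.0 153.65.77.1

: ===== PIX 515E (PIX OS 6.x syntax): all NAT and filtering happen here =====
: Private ranges 10.1.1.0/24 (inside) and 10.1.2.0/24 (dmz) are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 12.12.12.2 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.1.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
:
: Inside users share one public address (PAT) for outbound traffic.
global (outside) 1 12.12.12.3
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
:
: Each DMZ server gets a one-to-one static, so its outbound SMTP and HTTP
: leave from the same public address its PTR record names. This is what
: the double NAT broke: the servers used to exit on the router's global.
static (dmz,outside) 12.12.12.4 10.1.2.4 netmask 255.255.255.255 0 0
static (dmz,outside) 12.12.12.5 10.1.2.5 netmask 255.255.255.255 0 0
:
: Inside hosts reach the DMZ without translation.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
:
: Only the published services are reachable from the outside; everything
: else is dropped by the implicit deny at the end of the list.
access-list outside_in permit tcp any host 12.12.12.4 eq www
access-list outside_in permit tcp any host 12.12.12.4 eq https
access-list outside_in permit tcp any host 12.12.12.5 eq smtp
access-group outside_in in interface outside
```

Two things to check after cutting over: that the ISP has actually pointed 12.12.12.0/27 at the /30 address (a traceroute from outside to 12.12.12.2 should stop at the PIX, not at the ISP), and that the PTR records for 12.12.12.4 and 12.12.12.5 name the web and SMTP hosts, since the statics only fix the source address, not the DNS.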
lrmoore, thanks for the reply. I dug deeper into ip unnumbered, and this is Cisco's disadvantage list on using ip unnumbered: "The only real disadvantage that the unnumbered interface suffers from is that it is unavailable for remote testing and management." Now, if I move what used to be my access-group on S0/0.1 to the Fe0/1 interface, I should still be able to use my access-group to monitor and do all management, only it would be on the inside interface, correct?

access-list 105 remark T1 Outside In
access-list 105 remark Permit MCI ICMP
access-list 105 permit icmp host 153.39.50.6 any
access-list 105 permit icmp host 153.39.57.136 any
access-list 105 permit icmp host 153.39.57.196 any
access-list 105 permit icmp host 153.39.129.196 any
access-list 105 permit icmp host 153.39.129.230 any
access-list 105 permit icmp host 153.39.129.30 any
access-list 105 permit icmp host 153.39.201.154 any
access-list 105 permit icmp host 153.39.201.213 any
access-list 105 permit icmp 199.171.54.0 0.0.0.255 any
access-list 105 remark The next IP is the MCI loopback
access-list 105 permit icmp host 137.39.7.198 any
access-list 105 remark Permit Remote Sites ICMP
access-list 105 permit icmp host 13.13.13.1 any
access-list 105 permit icmp host 14.14.14.1 any
access-list 105 deny   icmp any any log
access-list 105 remark T1 outside in
access-list 105 deny   tcp any host 12.12.12.1 eq www log
access-list 105 deny   tcp any host 12.12.12.1 eq 443 log
access-list 105 deny   tcp any host 12.12.12.1 eq cmd log
access-list 105 remark Deny NTP request outside
access-list 105 deny   udp any any eq ntp log
access-list 105 permit ip any any
P.S. I am going to ask for a small routing subnet (a /30) for my serial interface.
ASKER CERTIFIED SOLUTION
Les Moore
Thanks a million. Not only did you help me with the ip unnumbered issue, but in looking at the ACL you have uncovered some performance and effectiveness weaknesses in my router's ACLs. I am going to put your suggestions into effect today. My ISP has agreed to give me the small subnet, so all I need to do is follow your lead on your first comment, with no need to adjust but just a few items to kick that mode off. Once again, thanks for your assistance. I wanted an answer fast, which is why I offered up 500 (tired of researching and gotta finish up tonight), and you justly deserved that.
Thanks!
Post a new Q if you run into any problems.
>$FW_OUTSIDE$
This entry appears to be from SDM GUI interface that comes with security/Firewall features. Do you have the firewall feature set? Do you have the inspect rules set up?
It doesn't support SSH; it was just supposed to come as a router with no bundles, just lots of memory (128 MB and a 240 MHz processor). I don't have any inspect rules. My config will be in the next question I open. I'll open up another question with the subject "Proper ACL config on edge router to improve performance".