Double NAT...?

Can someone please advise me how I go about setting up a double NAT?
I have at present set up and running a Cisco 877 router and an ASA 5505 firewall, which appears to be going fine, but I need remote access into my aquarium controller, which I can do providing I just go through the router and not the firewall, and one of your colleagues advised me that I need a double NAT setup for this.
Can someone please help me out? Here is my previous post, which should shed some light on the subject: http://www.experts-exchange.com/Hardware/Networking_Hardware/Q_28246828.html#a39519570

Thanks
Craig Walker Asked:

Aaron Tomosky Commented:
Double NAT is not a permanent solution, but nice to use in a bind.
Let's say you have a 192.168.0.x network with the router as 192.168.0.1. If you plug a router's WAN side into it, it will get an IP, say 192.168.0.10.
The LAN of that router could be 10.10.10.1.
Then you plug another router's WAN into that, so its WAN is 10.10.10.10; then you can make its LAN back to 192.168.0.1.

This is double NAT. The only time I use it is for a dev environment on the same LAN as the production LAN: to get out to the Internet you have to stick another router in between.
0
Craig Walker (Author) Commented:
Hi,

I really only need remote access to my aquarium controller at home, which is running on 192.168.1.140, but as you can see from my configs in my previous conversation with one of your colleagues, both router and firewall have different IPs and they had suggested that I needed a double NAT.
If there is another option that's better than double NAT for the purpose I need it for, then I would be quite happy to use this, but I'm unsure how to go about it, as I'm really only just picking up the very basics of the Cisco CLI from my previous conversations.
0
smckeown777 Commented:
DMZ... never thought of it on the last question, but it might work here.

If you put your controller in the DMZ on the ASA, this should eliminate most of the NAT issues... I'll have to check the correct settings for this, so will get back to you in a bit.
0
Craig Walker (Author) Commented:
Hi,

Did you manage to get the settings for DMZ yet?
0
smckeown777 Commented:
Apologies... been very busy the last few days, almost forgot...

Let's see if we can get the NAT to work... using DMZ means another subnet, so that is a bit of work as well...

Can you post your ASA's current config for reference?

Think these lines might allow it to work if you've got your existing router working OK already:

access-list Controller_In extended permit tcp any interface outside eq XXXX
static (inside,outside) tcp interface XXXX <controller ip> XXXX netmask 255.255.255.255
access-group Controller_In in interface outside

That will open up port XXXX (replace with the port number that the controller runs on).
Also replace <controller ip> with the actual internal IP of your controller.
0
Craig Walker (Author) Commented:
Hi,

Here is my config. I haven't added anything yet until you have checked it.

------------------------------
ciscoasa# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.3.5-192.168.3.36 inside
dhcpd dns 208.67.220.220 208.67.222.222 interface inside
dhcpd lease 28800 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4a59b636d1d1035aa74bab777d4dc7fe
: end
0
smckeown777 Commented:
Yep, go ahead with the changes I posted yesterday to see if things start working...

I assume you had port forwarding working on the router previously? If so, you'll need to change the internal IP it was forwarding to so that it is now 192.168.1.2 (this is your ASA's external WAN interface at this point).
0
Craig Walker (Author) Commented:
Yes, my aquarium controller works fine if running through the router.
Sorry, I'm a little confused: when I do an ipconfig my gateway is now 192.168.3.1 when running through the firewall.
Does this mean I will have to change the static IP on my aquarium controller from 192.168.1.140 to 192.168.3.140?
As my router is set up with a gateway of 192.168.1.1.
0
smckeown777 Commented:
OK, let me confirm a few things...

Cisco router - 192.168.1.1 - yes?

Your ASA's outside interface is 192.168.1.2 - this is what we need to NAT to from the outside.

Right now, what IP is your controller? Is it not 192.168.3.140?
0
Craig Walker (Author) Commented:
Cisco router is on 192.168.1.1,

which is connected to firewall port 0 (outside port).

My controller is on 192.168.1.140 (static), but I can change this if needed.
0
smckeown777 Commented:
OK, but your laptops/PCs are on the 192.168.3.x network, yes?

From there, can you access the controller on 192.168.1.140?

Because if so, then you don't need NAT on the ASA at all... the existing rules should work as is... unless I've missed something.
0
Craig Walker (Author) Commented:
My laptop is on 192.168.3.12 just now, but no, I can't access my controller or ping it; surely I would have to change its IP onto the same gateway first?
I can only use it if I bypass the firewall and connect my switch directly to the router.
0
smckeown777 Commented:
OK, which means your controller should still be accessible from external through the router as is...

Yes... you need to move it to the 192.168.3.140 IP - then the NAT rules should work once we get that working.

But... in fairness you should be able to access it as is... since the ASA has a route to the 192.168.1.x network... ah, maybe the router doesn't have a route to the ASA... might make a difference.

OK, lots of ways to make this work, so I want to check something - post your router's config, as we might be able to leave the controller connected to it, and thus the port forwarding on the router will continue to work as is and there is no need for the double NAT...
0
Craig Walker (Author) Commented:
Router config:
-------------------------------

Building configuration...

Current configuration : 4821 bytes
!
! Last configuration change at 23:03:05 UTC Tue Sep 24 2013
! NVRAM config last updated at 23:05:32 UTC Tue Sep 24 2013
! NVRAM config last updated at 23:05:32 UTC Tue Sep 24 2013
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot config flash:usbflash0
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3233774123
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3233774123
 revocation-check none
 rsakeypair TP-self-signed-3233774123
!
!
crypto pki certificate chain TP-self-signed-3233774123
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323333 37373431 3233301E 170D3133 30393137 31333338
  30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32333337
  37343132 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B254 C04208D2 ABF68D18 5B77C54E 7AE24FE2 6493A65E 3D67BDFA AC05CAAD
  2209BE2E DC621CE2 5682517E 3CA06F61 0C0FC713 2C0F84D8 FEBBF5CC 81A6EF17
  B768E110 C5FC6FB2 2750875C 7203BC16 39335314 CCF32034 5E042C2C 15F03FF1
  1BDF97A0 DBA757F9 42783E39 6AF59906 ACA416B4 3EC1E4D5 C935799B 9167D1FC
  AB850203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1403A635 385A6809 603E2C4A FF6F439B 6995E393 A2301D06
  03551D0E 04160414 03A63538 5A680960 3E2C4AFF 6F439B69 95E393A2 300D0609
  2A864886 F70D0101 05050003 81810073 3157A85E 120A5B1D 6C25453C 0DFB0F82
  9156EFF7 64E1A26B 4675C488 EF291E25 6C6C25CB 8CA95AB1 1FF6C2EB C12636D7
  50E2B83C A87225B3 87AC7CE1 679B1801 49E4B859 4BED67E2 6783EFB6 A50CC616
  C32228AD 625331FD 85361CEC 11E196E9 26D9638E 98D3235A 9D425AE8 1F06FEE0
  D332ED58 E0504C61 03F8939E 1EEF55
        quit
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool VLAN10
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 domain-name cannonz.dyndns.org
 dns-server 208.67.220.220
 lease 4
!
ip dhcp pool VLAN20
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 domain-name cannonz.dyndns.org
 lease 4
!
!
ip cef
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ160592RB
!
!
username sysop privilege 15 password 7 08254E455D4C5D14
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 switchport access vlan 20
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan10
 description Internal Network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan20
 description Guest Network
 ip address 192.168.2.1 255.255.255.0
!
interface Dialer0
 ip address negotiated
 ip access-group Internet-inbound-ACL in
 ip nat outside
 ip inspect MYFW out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname bthomehub@btbroadband.com
 ppp chap password 0 bthomehub@btbroadband.com
 ppp ipcp dns request
 ppp ipcp address accept
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.140 80 interface Dialer0 80
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Guest-ACL
 deny   ip any 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 permit tcp any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
 password 7 09484C024D504F11
line aux 0
line vty 0 4
 password 7 070B23471A5C4106
 login
 transport input all
!
end
0
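The router configuration above carries several settings a security reviewer would raise regardless of the NAT question: `no service password-encryption`, type 7 line and user passwords (a reversible encoding, not a hash), a cleartext CHAP password, `transport input all` on the vty lines, and an inbound ACL on Dialer0 that permits all TCP. The script below is an added example, not code from Experts Exchange or Cisco: a small linter that walks an IOS running-config dump and reports those patterns. The embedded config is a constructed sample modelled on the shape of the posted one, with placeholder credential strings.

```python
"""Defensive lint for a Cisco IOS running-config dump (added example, not
Cisco's or Experts Exchange's code). It flags cleartext and type 7
credentials, a vty line that accepts every transport, a broad inbound ACL on
the WAN interface, and each TCP/UDP port exposed by static NAT."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    line: int      # 1-based line number in the config text
    message: str


_PERMIT_ALL = re.compile(r"^permit (ip|tcp|udp) any any$")
_STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")


def audit_ios_config(text: str) -> list:
    """Return findings sorted by line. Blocks (interface, line, ACL bodies)
    are recognised by IOS's one-space indentation."""
    findings = []
    block = ""            # header line of the indented block we are inside
    inbound_acls = set()  # ACL names applied with 'ip access-group NAME in'
    acl_entries = {}      # ACL name -> [(line_no, entry)]

    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not raw.startswith(" "):
            block = line  # any unindented line starts (or is) a new block
        if line == "no service password-encryption":
            findings.append(Finding("medium", no,
                "service password-encryption is off: line/user passwords are saved in cleartext"))
        elif re.search(r"\bpassword 7 \S+", line):
            findings.append(Finding("high", no,
                "type 7 password is a reversible encoding, not a hash; use 'secret'"))
        elif re.search(r"\b(password|secret) 0 \S+", line):
            findings.append(Finding("high", no, "credential stored as cleartext (type 0)"))
        elif line == "transport input all" and block.startswith("line vty"):
            findings.append(Finding("high", no,
                "vty accepts all transports (telnet included); restrict to 'transport input ssh'"))
        elif m := re.match(r"^ip access-group (\S+) in$", line):
            inbound_acls.add(m.group(1))
        elif block.startswith("ip access-list extended ") and raw.startswith(" "):
            acl_entries.setdefault(block.split()[-1], []).append((no, line))
        elif m := _STATIC_NAT.match(line):
            findings.append(Finding("low", no,
                f"{m.group(1)}/{m.group(5)} on {m.group(4)} is forwarded to "
                f"{m.group(2)}:{m.group(3)}; that host is reachable from the Internet"))

    # ACL bodies appear after the interfaces in IOS output, so evaluate them last.
    for name in inbound_acls:
        for no, entry in acl_entries.get(name, []):
            if _PERMIT_ALL.match(entry):
                findings.append(Finding("high", no,
                    f"inbound ACL {name} has '{entry}': whole protocol open on the WAN interface"))
    findings.sort(key=lambda f: f.line)
    return findings


# Constructed sample: same shape as the posted 887VA config, placeholder secrets.
CONSTRUCTED_CONFIG = """\
! constructed sample modelled on the posted router config
no service password-encryption
!
username sysop privilege 15 password 7 0123456789ABCDEF
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip access-group Internet-inbound-ACL in
 ip nat outside
 ppp chap password 0 example-cleartext-secret
!
ip nat inside source static tcp 192.168.1.140 80 interface Dialer0 80
!
ip access-list extended Internet-inbound-ACL
 permit icmp any any echo
 permit tcp any any
!
line con 0
 password 7 0123456789ABCDEF
line vty 0 4
 password 7 0123456789ABCDEF
 login
 transport input all
end
"""

if __name__ == "__main__":
    for f in audit_ios_config(CONSTRUCTED_CONFIG):
        print(f"{f.severity:6} line {f.line:3}: {f.message}")
```

The ACL finding only fires for an ACL that is actually applied inbound on an interface, so an unused broad ACL is not reported; the static NAT entries are reported as low severity because exposing a port is the stated intent here, and the point is to keep an inventory of what is reachable from outside.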
smckeown777 Commented:
Cool, let's try this.

On the router add this line:

conf t
ip route 192.168.3.0 255.255.255.0 192.168.1.2

Then from your laptop see if you can access/ping the controller.
0
Craig Walker (Author) Commented:
Done that, but still nothing, can't see it.
I have tried to ping anything on 192.168.1.xxx but don't get any reply.
I have issued a wri command; will I have to do a reload as well?
0
smckeown777 Commented:
No... no need for a reload.

Can you try this command from the laptop:

tracert 192.168.1.140

What is returned?

Then from the ASA itself:

trace 192.168.1.140
0
Craig Walker (Author) Commented:
On the laptop I'm just getting request timed out.

Firewall is pretty much the same:

-------------------------------
Tracing the route to 192.168.1.140

 1   *  *  *
 2   *  *  *
 3   *  *  *
 4   *  *  *
 5   *  *  *
 6   *  *  *
 7   *  *  *
 8   *  *  *
 9   *  *  *
 10  *  *  *
 11  *
0
smckeown777 Commented:
Right... let's go back to the NAT way...

Move the controller to the ASA, set IP as 192.168.3.140.

Then issue those commands on the ASA like so:

access-list Controller_In extended permit tcp any interface outside eq 80
static (inside,outside) tcp interface 80 192.168.3.140 80 netmask 255.255.255.255
access-group Controller_In in interface outside

On the router issue these commands...

no ip nat inside source static tcp 192.168.1.140 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.2 80 interface Dialer0 80

Hopefully that will sort things... if not I'll be back tomorrow, as it's late over here ;)
0
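What the commands above set up is the double NAT that Aaron Tomosky described with chained routers, applied to the router and ASA here: the router's static NAT rewrites the Internet-facing port 80 to the ASA's outside address 192.168.1.2, and the ASA's `static (inside,outside)` rewrites it again to the controller at 192.168.3.140, with the ASA's `Controller_In` ACL deciding what is let through. The following is an added example, not Cisco's or Experts Exchange's code: a small model that walks a packet inward through any number of NAT hops and back out again, and shows why the router's old forward to 192.168.1.140 stopped working once the controller moved behind the ASA. The public address and the remote client are constructed placeholders, and ACLs are matched against the pre-NAT destination, which is how an IOS inbound ACL and an ASA 8.2 interface ACL behave.

```python
"""Model of the two-stage port forward (double NAT) from this thread. Added
example, not Cisco's or Experts Exchange's code. PUBLIC_IP and CLIENT are
constructed stand-ins; the rest mirrors the posted router and ASA commands."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class NatHop:
    name: str
    outside_ip: str
    forwards: dict  # (proto, outside_port) -> (inside_ip, inside_port)
    acl: list       # permitted (proto, dport); dport None means any port
    lan_hosts: set = field(default_factory=set)  # hosts directly on the inside side

    def permits(self, pkt):
        return any(p == pkt.proto and (d is None or d == pkt.dport) for p, d in self.acl)


def traverse(hops, pkt):
    """Inbound path through the hops. Returns (status, [packet after each hop])."""
    trace = []
    for i, hop in enumerate(hops):
        if pkt.dst != hop.outside_ip:
            return f"misrouted: {hop.name} does not own {pkt.dst}", trace
        if not hop.permits(pkt):          # ACL is checked before translation
            return f"denied by {hop.name} inbound ACL", trace
        target = hop.forwards.get((pkt.proto, pkt.dport))
        if target is None:
            return f"no static NAT on {hop.name} for {pkt.proto}/{pkt.dport}", trace
        pkt = Packet(pkt.src, pkt.sport, target[0], target[1], pkt.proto)
        trace.append(pkt)
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        if nxt is not None and pkt.dst == nxt.outside_ip:
            continue                      # handed to the next NAT device
        if pkt.dst in hop.lan_hosts:
            return f"delivered to {pkt.dst}:{pkt.dport} behind {hop.name}", trace
        return f"dropped: no host {pkt.dst} behind {hop.name}", trace
    return "dropped: chain ended without a host", trace


def reply(hops, pkt):
    """Return path: each hop rewrites the source back to its own outside address."""
    for hop in reversed(hops):
        for (proto, oport), (iip, iport) in hop.forwards.items():
            if proto == pkt.proto and (iip, iport) == (pkt.src, pkt.sport):
                pkt = Packet(hop.outside_ip, oport, pkt.dst, pkt.dport, proto)
                break
    return pkt


PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the negotiated Dialer0 address
CLIENT = "198.51.100.7"     # constructed remote client


def build_chain(router_target):
    """Router then ASA, as posted; router_target is the router's static NAT destination."""
    router = NatHop("router", PUBLIC_IP,
                    forwards={("tcp", 80): (router_target, 80)},
                    acl=[("tcp", None)])  # 'permit tcp any any' in Internet-inbound-ACL
    asa = NatHop("asa", "192.168.1.2",
                 forwards={("tcp", 80): ("192.168.3.140", 80)},  # static (inside,outside) tcp interface 80 ...
                 acl=[("tcp", 80)],                               # access-list Controller_In ... eq 80
                 lan_hosts={"192.168.3.140"})
    return [router, asa]


def old_forward():
    """Router still forwarding to 192.168.1.140 after the controller moved to 192.168.3.140."""
    return traverse(build_chain("192.168.1.140"), Packet(CLIENT, 51000, PUBLIC_IP, 80))


def new_forward():
    """Router forwarding to the ASA's outside address, as in the fix."""
    return traverse(build_chain("192.168.1.2"), Packet(CLIENT, 51000, PUBLIC_IP, 80))


if __name__ == "__main__":
    for label, fn in (("old", old_forward), ("new", new_forward)):
        status, trace = fn()
        print(label, status, [f"{p.dst}:{p.dport}" for p in trace])
    back = reply(build_chain("192.168.1.2"), Packet("192.168.3.140", 80, CLIENT, 51000))
    print("reply leaves as", back.src, back.sport)
```

The useful property to notice is that the inner hop is the narrower one: the router's inbound ACL permits all TCP, so a probe to any other port is stopped only by the absence of a static NAT entry on the router, while the ASA additionally limits what reaches the controller to tcp/80 by ACL. The same `traverse` works for a chain of three or more devices, which is Aaron Tomosky's router-behind-router picture.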
Craig Walker (Author) Commented:
Nice one, done that today and changed all static IPs, and it seems to be working fine.
So regarding saving this information: I do a wri mem on both the router and firewall, then I do a copy running-config startup-config on both as well?
0
smckeown777 Commented:
Copy run start should work fine on both... it's the same as wri mem...

Glad it's finally working... lot of work ;)
0
Craig Walker (Author) Commented:
Excellent, done that. Is there a command that I can use to copy these configs to a USB memory pen?
0
smckeown777 Commented:
Not really... you need to copy them to a TFTP server if you want to do this properly...

Ask a new question for that and you'll get assistance...
0
Craig Walker (Author) Commented:
Excellent, OK, no problem, thanks for your help again.
0