NAT of one IP to another (Static)

Hi - if I have a static NAT, say 9.9.9.9 (outside) to 7.7.7.7 (DMZ), AND the server in the DMZ, 7.7.7.7, has its gateway set to 7.7.7.9, an interface on an ASA firewall.

Now this is for a hypothetical DR situation - we lose the ASA - the 9.9.9.9 is from a service provider offering DR - 9.9.9.9 belongs to them.

The question is: does the server in the DMZ (7.7.7.9) "need" to communicate with its gateway (which no longer exists) when it needs to go off its network - for example, to talk to our "inside" LAN on a different subnet? Or does static NAT work in a manner where the gateway doesn't matter? It's a static NAT, so "all" comms will NAT to 9.9.9.9, and the service provider will have access lists that allow the traffic to come back inside to our LAN.

Sorry, this could be a confusing question - really I need to know if the NAT'd IP still uses the static gateway set on its interface to do any comms to leave its LAN?

thanks
Asked by philb19

Anthony Carter commented:
If I have a public IP address, say 9.9.9.9, this IP address is ROUTED by my ISP to my edge device, typically a modem of some description (say 9.9.9.1). This modem then has a route to my router (external interface, say 9.9.9.2).

On my router, I set up the internal LAN to be 7.7.7.0/24, an internal port with IP 7.7.7.1, and a NAT rule between 9.9.9.9 and 7.7.7.7.

When someone asks for 9.9.9.9 it finds its way to my router. The router then "converts" (simplification) the 9.9.9.9 to 7.7.7.7, which then uses the 7.7.7.0/24 route to go out the 7.7.7.1 NIC port. This then hits your network, finds its way to your server, and it responds with an ACK (Acknowledgement). This ACK returns through the server's GATEWAY address, meaning that it needs to point to 7.7.7.1. When that ACK arrives back at the router, the router knows that the request came through it by way of NAT, changes the 7.7.7.7 back to 9.9.9.9, and throws it out the external port 9.9.9.2, onto the modem and on its merry way across the internet. If you need me to explain at a packet layer what is happening, let me know.

So to answer what I think you are asking: the server doesn't know anything about being NAT'd. It knows that it is being contacted. Its responses will be sent to any static route defined and, if none, to its "default gateway". The response MUST go back to the same gateway that it came in from, as the gateway/router is responsible for tracking packets through NAT.

Hope this didn't confuse the situation.
arnold commented:
If the ASA goes down, unless you have a second one....
......
vallegd commented:
You have to see it in the following way.
You are driving to a place where you have never been and you don't have the address; the only way you would find that place is by putting the address into your GPS (route) to your destination (gateway and/or ISP).

You will need something that will take you "out"; in the same way, the host needs the gateway to identify the way home (going in and out, going back and forth).

Whatever you do, look at it as a chain: your ISP gives you its gateway, which is placed into the default route (route outside 0.0.0.0 0.0.0.0 (ISP GATEWAY) 1) so your outside interface knows how to get access to the Internet.

Likewise, with the DMZ host you need a path (GATEWAY) on your host so the computer knows how to go outside via the gateway, which in this case is the IP assigned to the DMZ interface.


-------------------------------- Redundancy ----------------------------------------
A good solution for redundancy would be implementing Active/Standby on the firewalls. This powerful configuration would give you the ability that, whatever happens tomorrow to one firewall, the other one would have replicated the configuration, so nobody in the site or office would notice the change.
The only change they would notice would be if they are connected to the site via VPN; they would be disconnected.
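The packet flow Anthony Carter walks through and the gateway point vallegd makes, as an added example that is not part of the thread: a small Python model using the thread's hypothetical addresses (9.9.9.9 public, 7.7.7.7 DMZ server, 7.7.7.9 DMZ gateway) plus a constructed client 203.0.113.10 and a constructed provider-side address 7.7.7.250. It traces one request and its reply through a static NAT in three cases: the ASA holding 7.7.7.9, a DR provider that NATs 9.9.9.9 but does not own the gateway address, and the same provider once it takes over 7.7.7.9. A real ASA also keeps a connection table and applies security levels and ACLs; only the routing and translation steps the question hinges on are modelled here.

```python
"""Static NAT and the default gateway: a packet-flow model of the thread's scenario.
Added example, not from the thread. 9.9.9.9 / 7.7.7.7 / 7.7.7.9 are the thread's
hypothetical addresses; 203.0.113.10 and 7.7.7.250 are constructed values.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str


class Host:
    """A DMZ server: knows its own subnet and a single default gateway."""

    def __init__(self, ip: str, prefixlen: int, gateway: str) -> None:
        self.ip = ip
        self.net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        self.gateway = gateway

    def next_hop(self, dst: str) -> str:
        # On-link destinations are delivered directly; anything else goes to the
        # default gateway. The host knows nothing about NAT happening upstream.
        if ipaddress.ip_address(dst) in self.net:
            return dst
        return self.gateway

    def reply(self, pkt: Packet) -> Packet:
        return Packet(src=self.ip, dst=pkt.src, payload="ACK " + pkt.payload)


class NatDevice:
    """A router/firewall with a bidirectional static NAT and one DMZ-side interface."""

    def __init__(self, dmz_if: str, static_nat: Dict[str, str]) -> None:
        self.dmz_if = dmz_if                 # its address on the DMZ segment
        self.out_to_in = dict(static_nat)    # public -> real, e.g. 9.9.9.9 -> 7.7.7.7
        self.in_to_out = {v: k for k, v in static_nat.items()}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        real = self.out_to_in.get(pkt.dst)
        return replace(pkt, dst=real) if real else None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        public = self.in_to_out.get(pkt.src)
        return replace(pkt, src=public) if public else None


def simulate(server: Host, nat: NatDevice,
             client: str = "203.0.113.10") -> Tuple[List[str], Optional[Packet]]:
    """One request/response through the NAT. Returns (trace, packet the client sees or None)."""
    trace: List[str] = []
    req = Packet(src=client, dst="9.9.9.9", payload="SYN")
    inside = nat.inbound(req)
    if inside is None:
        trace.append(f"in : {req.src}->{req.dst} has no static NAT entry, dropped")
        return trace, None
    trace.append(f"in : {req.src}->{req.dst} translated to {inside.src}->{inside.dst}")

    # The server answers the client's real address, which is off-link, so the
    # frame goes to whatever the host has configured as its default gateway.
    resp = server.reply(inside)
    hop = server.next_hop(resp.dst)
    # Addresses actually present on the DMZ segment. If the gateway address is
    # not one of them, ARP for it gets no answer, the reply never leaves the
    # LAN, and the NAT device has nothing to translate back.
    on_segment = {server.ip, nat.dmz_if}
    if hop not in on_segment:
        trace.append(f"out: {resp.src}->{resp.dst} via {hop}: gateway unreachable, reply dropped")
        return trace, None
    outside = nat.outbound(resp)
    if outside is None:
        trace.append(f"out: {resp.src} has no static NAT entry, dropped at NAT device")
        return trace, None
    trace.append(f"out: {resp.src}->{resp.dst} untranslated to {outside.src}->{outside.dst}")
    return trace, outside


def run_scenarios() -> Dict[str, Optional[Packet]]:
    """Normal ASA case, DR provider without the gateway IP, DR provider with it."""
    server = Host("7.7.7.7", 24, gateway="7.7.7.9")
    mapping = {"9.9.9.9": "7.7.7.7"}
    scenarios = {
        "asa": NatDevice(dmz_if="7.7.7.9", static_nat=mapping),
        "dr_provider": NatDevice(dmz_if="7.7.7.250", static_nat=mapping),
        "dr_provider_takes_gateway_ip": NatDevice(dmz_if="7.7.7.9", static_nat=mapping),
    }
    results: Dict[str, Optional[Packet]] = {}
    for name, device in scenarios.items():
        trace, seen = simulate(server, device)
        results[name] = seen
        print(f"--- {name}")
        print("\n".join(trace))
    return results


if __name__ == "__main__":
    run_scenarios()
```

Running it prints the three traces. In the middle case the inbound SYN still reaches the server, because the static translation to 7.7.7.7 lands on-link; the reply, though, is addressed to an off-link client, the host hands it to 7.7.7.9, nobody on the segment answers for that address, and the NAT device never sees a packet to translate back. The static NAT is irrelevant to that outbound step, which is exactly the point philb19's follow-up resolved by having the provider take over the gateway IP.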


philb19 (author) commented:
Thanks guys, this came down to a miscommunication: the ISP is providing an interface which WILL have the IP of the gateway set on the DMZ hosts (his network diagram did not have this specified - he just said he was going to static NAT their IP to mine - this threw me :) ) - so, as I thought, of course the DMZ host will have to go IN/OUT through its gateway - thank you
vallegd commented:
If you happen to have any questions or comments, or in case you need any extra help in the future, please do not hesitate to send me a message!
philb19 (author) commented:
Awesome, thanks, will do :)
Topic: TCP/IP

Question has a verified solution.