This should work fine as long as it's all static
translation, since you're coming from nat outside
interface. If you ARP from inside the DMZ, only the
firewall should respond since the ARP will be for a
destination of 172.24.100.101. NAT will respond to
ARPs on its nat outside interface. The router on the
other is translating a source from 172.24.100.101, so
shouldn't care about an ARP to that address.

Mike

--- Jason Jin <[EMAIL PROTECTED]> wrote:
> 
> I have a situation where I need to NAT twice, once on the router,
> and then again on Firewall-1. I can't figure out whether this
> will ever work. Here's our network diagram:
>
>  WAN                   DMZ         INTERNAL
> -----| Router |--------|Firewall-1|------|HostA|--
>
> We are assigned address space 32.x.x.192-32.x.x.207
> from our ISP (WAN). Since our DMZ is using 172.24.100.0/24,
> the router is doing static NAT to this range. Our internal network
> is 10.10.1.0/24.
>
> The IP addresses are as follows:
>
>       Router:     interface on DMZ 172.24.100.3 (NATed)
>       Firewall-1: interface (qfe0) on DMZ 172.24.100.2
>                   interface (qfe1) on internal 10.10.1.2
>
> HostA: since I need to access HostA from the WAN side,
>
>       HostA needs to be NAT'ed at two places:
>       at Firewall-1 it is NATed from 10.10.1.101 to 172.24.100.101
>       at the router it is NATed from 32.x.y.101 to 172.24.100.101.
>
> I have set up the firewall rules, route and ARP entry on Firewall-1
> for HostA, and address translation works fine for HostA if
> I connect from the DMZ.
>
> Now here's my problem: if I want to connect from hostB from the WAN
> side, the packet is destined for 32.x.y.101; the destination is
> first NATed to 172.24.100.101, then picked up by Firewall-1,
> which is listening for ARP requests, and NATed to 10.10.1.101?
>
> Will this work?
>
> One question: when somebody in the DMZ sends out an ARP request
> for 172.24.100.101, Firewall-1 will respond, but will the router
> respond too, since it is doing NAT for this address as well?
> Any help is much appreciated.
> 
> 
> TIA,
> 
> Jason 
> 
> _________________________________
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


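The two questions in this thread (does the inbound path work, and who answers ARP for 172.24.100.101 on the DMZ) can be checked with a small model. This is an added example, not code from either poster: the `Device` class, the `build` and `trace` helpers and the `router_dmz_extra` misconfiguration switch are hypothetical, the WAN is treated as an ARP segment for simplicity, and `32.x.y.101` is kept as the elided literal from the post.

```python
# Added illustration: a toy model of the two static NAT hops described in the thread.
# "32.x.y.101" is the elided public address exactly as written in the post.
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    arp: dict                      # segment -> IPs the device answers ARP for there
    dnat: dict = field(default_factory=dict)  # (segment, dst) -> (new dst, next segment)

def build(router_dmz_extra=()):
    """Topology from the post; router_dmz_extra models a hypothetical misconfiguration."""
    router = Device("Router",
        arp={"WAN": {"32.x.y.101"}, "DMZ": {"172.24.100.3", *router_dmz_extra}},
        dnat={("WAN", "32.x.y.101"): ("172.24.100.101", "DMZ")})
    firewall = Device("Firewall-1",
        # 172.24.100.101 is the ARP entry the poster added on the firewall for HostA
        arp={"DMZ": {"172.24.100.2", "172.24.100.101"}, "INTERNAL": {"10.10.1.2"}},
        dnat={("DMZ", "172.24.100.101"): ("10.10.1.101", "INTERNAL")})
    host_a = Device("HostA", arp={"INTERNAL": {"10.10.1.101"}})
    return [router, firewall, host_a]

def arp_responders(devices, segment, ip):
    """Names of every device that would answer an ARP request for ip on segment."""
    return sorted(d.name for d in devices if ip in d.arp.get(segment, ()))

def trace(devices, segment, dst):
    """Follow a packet hop by hop; fail if ARP for the next hop is ambiguous or unanswered."""
    hops = []
    while True:
        owners = [d for d in devices if dst in d.arp.get(segment, ())]
        if len(owners) != 1:
            names = [d.name for d in owners]
            raise LookupError(f"ARP for {dst} on {segment} answered by {names}")
        dev = owners[0]
        if (segment, dst) not in dev.dnat:
            return hops + [(dev.name, dst)]      # delivered, no further translation
        new_dst, segment = dev.dnat[(segment, dst)]
        hops.append((dev.name, f"{dst} -> {new_dst}"))
        dst = new_dst

if __name__ == "__main__":
    net = build()
    for hop in trace(net, "WAN", "32.x.y.101"):
        print(hop)
    print(arp_responders(net, "DMZ", "172.24.100.101"))
```

Passing `router_dmz_extra=("172.24.100.101",)` to `build` models the case the original poster worried about, where both devices answer ARP for the same DMZ address, and `trace` then fails at that hop.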