I have used a very similar config. In our case, we requested an additional
serial(/30) subnet from our ISP. We used that between the WAN router and the
Firewall-1. Then the firewall is the only thing translating.
Francis Arigo
>From: Jason Jin <[EMAIL PROTECTED]>
>Reply-To: Jason Jin <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: RE: NAT twice, will this work?
>Date: Tue, 17 Oct 2000 12:10:31 -0400
>
>
>I have a situtation that I need to NAT twice, once on router,
>and then again on firewall-1. I can't figure out wheather this
>will ever work , here 's the our network diagram:
>
>
> WAN DMZ INTERNAL
>-----| Router |--------|Firwall-1|------|HostA|--
>
>we are assigned address space 32.x.x.192-32.x.x.207
>from out ISP( WAN), since our DMZ is using 172.24.100.0/24
>the router is doing static NAT to this range. our internal network
>is 10.10.1.0/24.
>
>
>The IP address as folowes:
>
> Router = interface on DMZ 172.24.100.3 ( NATed)
> Firewall-1: interface (qfe0) on DMZ 172.24.100.2
> interface (qfe1) on internal 10.10.1.2
>
>HostA: since I need to access host A from WAN side,
> hostA need to be NAT'ed at two place ,
> at firewall-1 it NAT from 10.10.1.101 to 172.24.100.101
> at Router it is NAT from 32.x.y.101 to 172.24.100.101.
>
>I have setup the firewall rules , route and arp entry on firewall-1
>for HostA, and address translation work fine for hostA, if
>I connect from DMZ.
>
>Now here's my problem: if I want connnect from hostB from wan
>side, the packet destined for 32.x.y.101 , the destination
>first NATed to 172.24.100.101 , then pickup by firwall-1
>who's listen for arp request, NATed to 10.10.1.101 ?
>will this work?
>
>one question : when somebody the DMZ sent out a arp request
>for 172.24.100.101, the firwall-1 will respond , but will router
>respond too, since it is doing NAT for this address as well?
>any help is much appreciated.
>
>
>TIA,
>
>Jason
>
>_________________________________
>FAQ, list archives, and subscription info:
>http://www.groupstudy.com/list/cisco.html
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
Share information about yourself, create your own public profile at
http://profiles.msn.com.
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]