RE: NAT twice, will this work?
I have used a very similar config. In our case, we requested an additional serial (/30) subnet from our ISP. We used that between the WAN router and the Firewall-1. Then the firewall is the only thing translating.

Francis Arigo

>From: Jason Jin <[EMAIL PROTECTED]>
>Reply-To: Jason Jin <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: RE: NAT twice, will this work?
>Date: Tue, 17 Oct 2000 12:10:31 -0400

FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: NAT twice, will this work?
This should work fine as long as it's all static translation, since you're coming in from the NAT outside interface. If you ARP from inside the DMZ, only the firewall should respond, since the ARP will be for a destination of 172.24.100.101. NAT will respond to ARPs on its NAT outside interface. The router, on the other hand, is translating a source from 172.24.100.101, so it shouldn't care about an ARP to that address.

Mike

--- Jason Jin <[EMAIL PROTECTED]> wrote:
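The traversal Mike describes, as an added example that is not from the thread: a small Python model of the two static NAT tables (router WAN/DMZ, Firewall-1 DMZ/internal) that traces hostB's packet in to HostA and HostA's reply back out, and checks which device answers an ARP request for 172.24.100.101 on the DMZ. The thread's 32.x.y.101 is a placeholder, so the model assumes a constructed 32.0.0.101 for HostA's WAN address and a constructed 32.0.0.5 for hostB.

```python
from typing import Dict, List, Tuple

Packet = Tuple[str, str]  # (src, dst)

class StaticNat:
    """Static 1:1 NAT between an outside and an inside segment (WAN->DMZ on
    the router, DMZ->internal on Firewall-1)."""

    def __init__(self, name: str, outside: str, inside: str,
                 outside_to_inside: Dict[str, str]):
        self.name, self.outside, self.inside = name, outside, inside
        self.o2i = dict(outside_to_inside)
        self.i2o = {v: k for k, v in outside_to_inside.items()}

    def inbound(self, pkt: Packet) -> Packet:
        """Arriving on the outside interface: rewrite the destination."""
        src, dst = pkt
        return (src, self.o2i.get(dst, dst))

    def outbound(self, pkt: Packet) -> Packet:
        """Leaving via the outside interface: rewrite the source."""
        src, dst = pkt
        return (self.i2o.get(src, src), dst)

    def answers_arp(self, segment: str, ip: str) -> bool:
        """Static NAT answers ARP for a translated address only on the
        segment where that address is its outside (translated) one."""
        return segment == self.outside and ip in self.o2i

WAN_HOSTA = "32.0.0.101"  # constructed stand-in for the thread's 32.x.y.101
ROUTER = StaticNat("router", "wan", "dmz", {WAN_HOSTA: "172.24.100.101"})
FIREWALL = StaticNat("firewall-1", "dmz", "internal",
                     {"172.24.100.101": "10.10.1.101"})
PATH = [ROUTER, FIREWALL]  # order a packet coming in from the WAN meets them

def trace(pkt: Packet, inbound: bool) -> List[Tuple[str, Packet]]:
    """Hop-by-hop rewrites: destination on the way in from the WAN,
    source on HostA's reply on the way back out."""
    devs = PATH if inbound else list(reversed(PATH))
    hops = [("wan" if inbound else "internal", pkt)]
    for dev in devs:
        pkt = dev.inbound(pkt) if inbound else dev.outbound(pkt)
        hops.append((dev.name, pkt))
    return hops

def arp_responders(segment: str, ip: str) -> List[str]:
    """NAT devices that would answer an ARP request for ip on segment."""
    return [d.name for d in PATH if d.answers_arp(segment, ip)]
```

The router only answers ARP for the translated address on its WAN side, so an ARP for 172.24.100.101 on the DMZ gets a single answer, from Firewall-1.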
RE: NAT twice, will this work?
Jason,

I had used a similar setup (had to use NAT three times) with Cisco routers with success. The router does proxy ARP in my case. Cannot comment about the Sun/Firewall-1 stuff ...

hth
Reinhold

--
Reinhold Fischer [EMAIL PROTECTED]
CCNP/SunCSA/HP Certified Consultant for Network Management

On Tue, 17 Oct 2000, Jason Jin wrote:
RE: NAT twice, will this work?
I have a situation where I need to NAT twice, once on the router and then again on Firewall-1. I can't figure out whether this will ever work. Here's our network diagram:

      WAN                  DMZ                    INTERNAL
  ------| Router |-------------| Firewall-1 |-------------| HostA |--

We are assigned the address space 32.x.x.192-32.x.x.207 from our ISP (WAN). Since our DMZ is using 172.24.100.0/24, the router is doing static NAT to this range. Our internal network is 10.10.1.0/24.

The IP addresses are as follows:

  Router:     interface on DMZ 172.24.100.3 (NATed)
  Firewall-1: interface (qfe0) on DMZ 172.24.100.2
              interface (qfe1) on internal 10.10.1.2

HostA: since I need to access host A from the WAN side, hostA needs to be NAT'ed at two places:
  at Firewall-1 it is NATed from 10.10.1.101 to 172.24.100.101
  at the Router it is NATed from 32.x.y.101 to 172.24.100.101.

I have set up the firewall rules, route and ARP entry on Firewall-1 for HostA, and address translation works fine for hostA if I connect from the DMZ.

Now here's my problem: if I want to connect from hostB on the WAN side, the packet destined for 32.x.y.101 has its destination first NATed to 172.24.100.101, then picked up by Firewall-1, which is listening for ARP requests, and NATed to 10.10.1.101? Will this work?

One question: when somebody on the DMZ sends out an ARP request for 172.24.100.101, Firewall-1 will respond, but will the router respond too, since it is doing NAT for this address as well?

Any help is much appreciated.

TIA,
Jason