
NATing a NAT


spudnuts

Technical User
Sep 30, 2002
123
US
I'm going to try to explain my situation, and I hope that it's not too confusing.

I work with 2 networks, an enterprise intranet and then we also have a local intranet. Both networks do have a trust between each other so users on the enterprise intranet can reachback to the local intranet through a boundary.

One of my users is on the enterprise intranet and they are trying to reach a web server that is here geographically but not in our local intranet. They are able to reach the server but the latency is so bad that it's unproductive and engineering has determined that the problem is within the cloud.

So.....

The suggestion was to allow this user to use the boundary and travel through our local intranet back out into the cloud locally, eliminating most of the hops to the server they are trying to reach.

There is a NAT in the boundary and another NAT at the firewall for the local intranet. Here's what I've done so far:

I created a NAT entry in the boundary for the user from the enterprise to a private address in the local intranet.
I created an inside, outside and NAT entry in the local firewall to a public IP going out of the local intranet.
I also created a static route from this public address directly to the server they are trying to reach.

Now, after some testing, I had an engineer that supports this server to watch out for me as I try to hit the server. From the local intranet I am seen but from the enterprise I am not.

Question, what am I missing? Do I need to set up a subinterface on the local intranet Catalyst 5500 with the private address on it to get the packets to move from the enterprise, through the local, and out to the server? I'm a little brain burned on this one and could use a little help.

Thanks in advance.

Information Assurance,CCNP,CST
 
Holy crap...I myself work better with topologies and IP addresses---like a to b to c, a=x.x.x.x, b=y.y.y.y, c=z.z.z.z, NAT=a to c entry, and c back to b NAT entry...wthell??? Can you draw this out? What kind of cloud---DSL to the internet, frame, ???

Burt
 
Yes, I'm confused too... What kind of firewall do you have sitting there? Generally, if you are going from one NATed area to another across a PIX(s), I put in a NAT 0 command in the PIX so that I avoid all the translations.
 
I can't really get into it, but let's just say that I can't use the same public IP that everyone else uses. The server that this person is trying to hit requires that the user have their own static IP.

The firewalls in the local intranet are PIX 501s and I do have the entry "nat (inside) 1 0.0.0.0 0.0.0.0 0 0", but due to restrictions I have to translate this customer from the enterprise intranet to the local intranet and then to a public IP out of the public intranet so that the path is specific to this user. Hope that makes sense.

I'm actually natting a to b, then letting b traverse the local intranet, then nat b to c to the cloud. The problem is once I nat to b, b isn't traversing the local intranet and I'm not sure why.

The cloud is not the problem here so it doesn't matter what's in it. The cloud is the reason we are going this way, because there are too many hops in the cloud if they go straight out the enterprise to the cloud and to the server. The latency is way too high. I know that is an ISP issue but that's not the task given to me. My task was to see if I can get packets through my local to this server to reduce the hops and therefore reduce the latency.

I wish I could put up a drawing but don't actually have one.

Information Assurance,CCNP,CST
 
Let me see if I can draw it in words.

Currently

The customer goes from their workstation in the enterprise, across the country to the outer boundary where they are natted to a public IP, into the cloud back to this city where the server is (but it's not in our network, it's in someone else's network but in the same city). Pages seem to be timing out a lot and after sniffing, it's been determined that this problem is somewhere in the cloud and not in our enterprise network.

There is another boundary locally, this one allows users in the enterprise network to go directly to some of the servers that are in our local intranet without having to traverse the enterprise and the cloud (also called reachback). This local intranet also has a boundary to the cloud.

They want to have the user, instead of going through the enterprise, to the cloud, to the server, to go reachback, through the local intranet, to the cloud, to the server. Since the local intranet is here and only a couple hops away from the other network, it is assumed that a lot of hops would be eliminated.

Is that a little clearer?

Information Assurance,CCNP,CST
 
Eliminating hops certainly makes sense...but you are saying that the server that users are trying to connect to requires a static ip...that's the strange part...what about something like MAC address? To me, it almost seems like solving the latency issues in the cloud would be easier. Wouldn't an IDS system somewhere along the way look at the multiple NAT as an IP spoof attack? What kind of cloud are you talking about? What's the problem with putting the server in the local intranet in the first place, and just putting ACL entries in the PIX at the intranet? Wouldn't that solve the problem? Do you use BGP at any of the edge routers, like in the enterprise intranet and your local intranet?

Burt
 
1. The reason a static IP is needed is because the server is not ours, it's controlled by someone else. They are restricting access to it, to get through their FW, they need a static IP for the permit statement.

2. What multiple NAT? The FW at the distant end is only going to see one and that's the one that is going to be permitted.

3. The cloud is the cloud, the internet. Our outbound is going to our ISP and how ever they get it there is the cloud. I agree that this is an ISP issue and that is what I brought up to those that did the sniffing and determined that the cloud just has too many hops.

4. The server is not ours, we cannot move a server that isn't ours into our local network. Let's say (for instance) that it belongs to another company and services more than just us.

The problem isn't getting from our local intranet to the server, that has been tested by myself and works fine. The problem is getting the packets from the enterprise and into the local through the reachback and then have them forwarded. For some reason they are not being forwarded.

Information Assurance,CCNP,CST
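As an added illustration of the a -> b -> c chain discussed in this thread (constructed here, not code or addresses from the thread or from Cisco), the model below walks a request out through two translating devices and then walks the reply back, unwinding each translation. It shows one check worth running on any double-NAT path: after the PIX untranslates c back to b, something on the local side must route b toward the reachback boundary, or the reply goes the wrong way. The device names, prefixes and addresses are assumptions made for the example.

```python
import ipaddress
class Device:
    """Routing table {prefix: next_hop} plus a static NAT map {inside: outside}."""
    def __init__(self, routes, nat=None):
        self.routes, self.nat = routes, nat or {}
    def next_hop(self, dst):  # longest-prefix match, None when unrouted
        ip, best = ipaddress.ip_address(dst), None
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None
    def outbound(self, src):  # translate the source on the way out
        return self.nat.get(src, src)
    def inbound(self, dst):   # unwind the translation for a reply
        return {v: k for k, v in self.nat.items()}.get(dst, dst)

def walk(devices, start, src, dst, reply=False):
    """Carry a packet hop by hop; returns (src, dst, exit segment or drop, last device)."""
    here = last = start
    while here in devices:
        dev = devices[here]
        if reply:
            dst = dev.inbound(dst)
        else:
            src = dev.outbound(src)
        nh = dev.next_hop(dst)
        if nh is None:
            return src, dst, f"dropped@{here}", here
        last, here = here, nh
    return src, dst, here, last

def round_trip(devices, client, server):
    """Request enters at the reachback boundary; the reply must come back to 'enterprise'."""
    src, _, out, last = walk(devices, "boundary", client, server)
    if out != "internet":
        return "request " + out
    _, rdst, back, _ = walk(devices, last, server, src, reply=True)
    return f"ok via {src}" if back == "enterprise" else f"reply for {rdst} went to {back}"

def build(return_route):
    """Constructed topology: boundary maps a->b, PIX maps b->c (all addresses assumed)."""
    boundary = Device({"10.1.0.0/16": "enterprise", "0.0.0.0/0": "pix"},
                      nat={"10.1.1.50": "10.9.9.50"})       # a -> b
    routes = {"10.9.0.0/16": "local-lan", "0.0.0.0/0": "internet"}
    if return_route:                                        # host route for b back to the boundary
        routes["10.9.9.50/32"] = "boundary"
    pix = Device(routes, nat={"10.9.9.50": "203.0.113.20"})  # b -> c
    return {"boundary": boundary, "pix": pix}
```

Without the host route the reply for b is handed to the local LAN segment, where no such host exists; with it, the boundary untranslates b back to a and the round trip completes.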
 