krock83 (Member, join:2010-03-02)
[Config] Double NAT

Hello All,

Has anyone tried configuring double NAT in their experience? I am running into some trouble with Websense cloud: they are using the same /16 subnet for their cloud cluster service as we do for our office network, 172.18.0.0/16.

I have done some research, but everything points me to the ASAs. I am looking to do this at the router level... Any tips would be appreciated...

Thanks
K
HELLFIRE (MVM, join:2009-11-25)
Got a diagram of what exactly you're trying to do? I'm making a WAG* that what you have is something like:

your network / 172.18.0.0/16 -> your edge router / NAT device -> WAN / internet -> websense cloud / 172.18.0.0/16

Do I have it right? Or am I out to lunch?

My 00000010bits

Regards

*Wild Ass Guess
krock83 (Member)
OK so here is a diagram and some config that is currently in place:

interface GigabitEthernet0/0.1
 description LAN
 encapsulation dot1Q 1 native
 ip address 172.18.50.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path
 ip flow ingress
 ip flow egress
 ip pim sparse-mode
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map map-ge0-0
 
interface GigabitEthernet0/1
 ip address dhcp
 ip accounting output-packets
 ip flow ingress
 ip flow egress
 ip nat outside
 no ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map Websense_test
 
ip nat translation tcp-timeout 600
ip nat inside source route-map map-GigabitEthernet0/1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 dhcp
 
route-map map-GigabitEthernet0/1 permit 10
 match ip address internal-ips
 match interface GigabitEthernet0/1
 
ip access-list extended internal-ips
 deny   tcp 172.18.50.0 0.0.0.255 any eq 443
 deny   tcp 172.18.50.0 0.0.0.255 any eq www
 deny   ip 172.16.0.0 0.15.255.255 10.191.4.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.160.241.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.200.72.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.191.5.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.191.124.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.2.24.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.191.35.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.2.178.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.2.100.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
 deny   ip 172.16.0.0 0.15.255.255 10.60.100.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.10.150.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.170.241.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.30.247.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.50.243.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.1.33.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.1.1.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.1.2.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.1.7.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.1.8.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.1.11.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.1.13.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.1.24.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.1.26.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.1.38.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.1.224.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.153.193.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.250.10.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 194.139.170.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 194.139.177.16 0.0.0.15
 deny   ip 172.16.0.0 0.15.255.255 10.250.0.0 0.0.255.255
 permit ip 172.16.0.0 0.15.255.255 any
 
tired_runner (Premium Member, join:2000-08-25, CT) to krock83
Maybe put a router between your 2951 and Websense?
aryoba (MVM, join:2002-08-22, 2 edits) to krock83
First of all, it is interesting that Websense cloud services use RFC 1918 IP addresses on customer-facing servers (which is a bad design).

Moving forward, there will be some kind of double NAT scenario in which you need to set up NAT boundaries between the cloud and your internal network. The idea is the following.

* You NAT the cloud IP scheme before it enters your network
* You NAT your network before it goes out to the cloud
* Depending on network requirements, you may use your public IP address as the NAT/PAT IP address to reach the cloud
* Set up the NAT IP scheme as a dedicated subnet for that cloud network (i.e. a 192.168.0.0 IP scheme)
* You need a separate box to do the cloud NAT implementation; something like another 2951 router or an ASA 5515-X firewall, which tired_runner mentioned.
HELLFIRE (MVM) to krock83
2nd aryoba entirely... what the fsck is Websense doing addressing their stuff with RFC1918 addresses?

You mentioned an IPSEC tunnel with Websense, do you have the config for that?

My 00000010bits: you could source/destination NAT on each end as aryoba alluded to.

on your 2951 : ip nat inside source static 172.18.50.V w.x.y.z

on websense's end : ip nat inside source static 172.18.u.v w.x.y.z

but that'd be between you and Websense to agree to and set up the address ranges on both ends.

The Right Way To Do This(TM) is routing and tunneling to a non-RFC1918 address on websense's end and be done with it.
If Websense NATs to the same address range on their end as yours, you shouldn't have to worry about it.

Regards
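The two NAT boundaries aryoba lists and the per-end static translation HELLFIRE sketches, as an added IOS configuration example that is not from any post in this thread. It assumes a hypothetical dedicated NAT box (the separate box aryoba and tired_runner suggest) placed between the office and the cloud side, with constructed link addresses 10.255.0.0/30 and 203.0.113.0/30 and a constructed 172.31.50.0/24 as the office range seen by the cloud; only the office LAN 172.18.50.0/24, the cloud's 172.18.0.0/16 and the 192.168.0.0/16 translated range (aryoba's suggestion) come from the thread.

```cisco
! Added example, not from any post in this thread. Hypothetical dedicated
! NAT box sitting at the boundary between the office and the Websense cloud.
! Constructed addresses: 10.255.0.0/30 (office-facing link), 203.0.113.0/30
! (cloud-facing link), 172.31.50.0/24 (office as seen by the cloud).
! From the thread: office LAN 172.18.50.0/24, Websense cloud 172.18.0.0/16,
! 192.168.0.0/16 as the translated cloud range (aryoba's suggestion).
!
interface GigabitEthernet0/0
 description toward the office 2951 (real 172.18.50.0/24 lives behind it)
 ip address 10.255.0.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/1
 description toward the Websense cloud (tunnel or transit side)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Return route for the real office prefix, via the 2951
ip route 172.18.50.0 255.255.255.0 10.255.0.2
! Transit route toward the cloud's real addresses
ip route 172.18.0.0 255.255.0.0 203.0.113.1
!
! Boundary 1 (inside source): office hosts 172.18.50.x leave toward the
! cloud as 172.31.50.x, one-to-one across the whole /24.
ip nat inside source static network 172.18.50.0 172.31.50.0 /24
!
! Boundary 2 (outside source): cloud hosts 172.18.a.b are presented to the
! office as 192.168.a.b. Office hosts (and the DNS answers they use) must
! target the 192.168 addresses; add-route installs the 192.168.0.0/16 route
! so those packets are forwarded out the outside interface and translated.
ip nat outside source static network 172.18.0.0 192.168.0.0 /16 add-route
!
! Resulting flow for office host 172.18.50.10 talking to cloud host 172.18.1.5:
!   office side : 172.18.50.10 -> 192.168.1.5
!   cloud side  : 172.31.50.10 -> 172.18.1.5
! Check the active entries with: show ip nat translations
```

Two points follow from the IOS order of operations rather than from the thread: for inside-to-outside traffic, translation happens before IPsec encryption, so wherever the tunnel terminates its crypto ACL has to match the translated pair (172.31.50.0/24 to 172.18.0.0/16), not the office's real 172.18.50.0/24; and the transit route to 172.18.0.0/16 is what lets the add-route entry for 192.168.0.0/16 resolve out the outside interface, so the two routes belong together. The address ranges on the cloud side still have to be agreed with Websense, as HELLFIRE notes.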