LinuxQuestions.org
Old 07-28-2003, 03:14 AM   #1
djlightman
LQ Newbie
 
Registered: Jul 2003
Posts: 5

Rep: Reputation: 0
Iptables Behind Cisco NAT


Ok here goes,

I've been combing the web for weeks now and I must say it should look pretty now.. LOL.. Seriously, I'm trying to get an example of putting iptables behind a Cisco NAT. I have a Cisco router to NAT my network. Using 5 public IPs, I'm taking 2 for direct 1-for-1 NAT to an internal IP to a server and 1 for general
workstation traffic, surfing etc.. and the other 2 to be named later
for projects etc..

My problem is that I can't see how to set up the iptables to get the traffic to route across it...

Here's my concept

INTERNET
| Pub ip's
************
*Cisco 4700 * Running NAT
************ and Basic Access lists
| Priv Ip suggesting 10.255.0.1
|
| Priv Ip Suggesting 10.255.0.2
************
*IPTables FW *
************
|
 
Old 07-28-2003, 03:16 AM   #2
djlightman
LQ Newbie
 
Registered: Jul 2003
Posts: 5

Original Poster
Rep: Reputation: 0
ADD TO .. clicked submit before I was DONE !!! DOH


Picking it up from the Firewall

********
IPTABLES*
********
|
|
*******
*HUB *
*******
| | |
| | ----- Server 1 10.10.10.6
| ---------- Server 2 10.10.10.7
|
|
LAN
workstations 10.10.10.20-30
 
Old 07-28-2003, 03:17 AM   #3
djlightman
LQ Newbie
 
Registered: Jul 2003
Posts: 5

Original Poster
Rep: Reputation: 0
The iptables LAN interface is 10.10.10.1
 
Old 07-28-2003, 03:56 PM   #4
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
OK, taking what you "drew" out before, you will need to NAT again at the iptables firewall:

INTERNET
| Pub ip's
************
*Cisco 4700 * Running NAT
************ and Basic Access lists
| Priv Ip suggesting 10.255.0.1
|
| Priv Ip Suggesting 10.255.0.2
************
*IPTables FW *
************
|
********
IPTABLES w/ nat
|
|map Priv Ip suggesting 10.255.0.1 to Server 1 10.10.10.6
|map Priv Ip suggesting 10.255.0.2 to Server 2 10.10.10.7
|
********
|
|
*******
*HUB *
*******
| | |
| | ----- Server 1 10.10.10.6
| ---------- Server 2 10.10.10.7
|
|
LAN
workstations 10.10.10.20-30



Now my question for you is: do you really need the Cisco 4700? I ask because if you throw a few extra NIC cards into the firewall itself you could set up a DMZ, which is what I assume you want the first 2 priv IPs for. Three NICs is all you need: one for WAN, one for LAN and one for DMZ.
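A concrete rule set for the second NAT layer cyph3r7 sketches above, added here as an example and not taken from the thread: outbound, the 10.10.10.0/24 LAN is hidden behind the firewall's 10.255.0.2 address (the Cisco then translates that to the public address); inbound, traffic the Cisco's 1:1 NAT delivers to 10.255.0.2 is forwarded to the two servers, but only on published ports rather than as a full 1:1 mapping. The interface names eth0/eth1 and the port numbers are assumptions; setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Second NAT layer on the iptables box behind the Cisco. Addresses are the
# ones from the thread; eth0/eth1 and the published ports are assumed.
WAN_IF=eth0; WAN_IP=10.255.0.2        # faces the Cisco's inside address 10.255.0.1
LAN_IF=eth1; LAN_NET=10.10.10.0/24    # the firewall is 10.10.10.1 on this side
SERVER1=10.10.10.6; SERVER2=10.10.10.7
IPT="${IPT:-iptables}"                # IPT=echo prints the rules instead of loading them

# publish PORT SERVER: DNAT tcp/PORT arriving on the WAN address to SERVER and
# permit only that new flow through FORWARD (replies match ESTABLISHED below).
publish() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2:$1"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$2" -p tcp --dport "$1" \
        -m state --state NEW -j ACCEPT
}

apply_rules() {
    # Start clean: default-deny on INPUT and FORWARD, allow the box's own output.
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT   # admin from LAN only

    # Outbound (second NAT): LAN hosts leave as 10.255.0.2; the Cisco then
    # translates 10.255.0.2 to the public address. Replies come back through
    # the connection-tracking entry, so only NEW LAN->WAN flows need a rule.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Inbound: forward only the published ports to the servers (ports assumed).
    publish 80  "$SERVER1"
    publish 443 "$SERVER1"
    publish 25  "$SERVER2"
}

# Run as root with --apply to load the rules and turn on IP forwarding.
if [ "${1:-}" = "--apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    apply_rules
fi
```

Anything not explicitly published never reaches the LAN, since FORWARD's policy is DROP and the DNAT rule alone does not accept the packet.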
 
Old 07-28-2003, 09:15 PM   #5
djlightman
LQ Newbie
 
Registered: Jul 2003
Posts: 5

Original Poster
Rep: Reputation: 0
Well, I'd like to have the 2 levels of defence, and what I was trying to illustrate is just the IPs of the interfaces on the devices. It really doesn't matter to me what the IPs are... All I wanted to illustrate and ask is: is there any way to set it up like this where the firewall/iptables is just passing stuff through? My internal LAN is all 10.10.10.x workstations and servers.. so what I was trying to do is let the Cisco take the basic protection and then do the heavy firewalling at the iptables end, just having the traffic pass through.. Is there any way I can do that without having to NAT it again at the iptables box? The Cisco is doing some other stuff on other interfaces that I don't really want to move, and honestly I trust a hardware router more than I do a box running on a hard disk.. just past experiences.. This way if the FW failed I could easily reroute on another interface of the Cisco till it was back up.. Yes, it would compromise security, but if the iptables box is doing NAT and everything I have to have a complete second machine there in case it fails.. more overhead..

Basically what I'm asking is: can it be done and how? NATting twice just screams issues to me.. so the only other thing that I could do, leaving the Cisco box in the way, is let the traffic pass through it as a "dumb" box right to the iptables/NAT and put the public IPs there. I didn't really want to do that.. but is that really the only way?

Dave
 
Old 07-29-2003, 07:04 AM   #6
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
I have never run into problems double NATting. I haven't done it your way, but I have done it through 2 layers of firewalls and in some proxy settings.

You don't have to justify why you want to use the Cisco box, I was just curious. If you are anything like me you would use it just because you could.
 
Old 07-29-2003, 02:28 PM   #7
djlightman
LQ Newbie
 
Registered: Jul 2003
Posts: 5

Original Poster
Rep: Reputation: 0
hehe.... that's about it

So if I was going to double NAT, how would you... do you have any suggestions and/or recommendations?
 