Double NAT or IP Route NAT Question

Discussion in 'Design' started by craigie, Aug 13, 2010.

  1. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    I'm currently putting together the design for a 6 Cisco ASA 5510's operating in a Three Tier Active/Passive Failover.

    The client is required to have this as part of their overall IT strategy; what I'm not sure about is whether to use a Double NAT or IP Route NAT, as I don't want any dramas in the future if we need to create site-to-site VPNs.

    Double NAT

    200.200.200.3 > 192.168.100.250 > 10.50.50.1

    IP Route NAT

    IP Route 200.200.200.3 255.255.255.240 192.168.100.250 then NAT 10.50.50.1

    If anyone has done either before and can let me know the pitfalls of either, that would be appreciated.

     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
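    The two designs from the post above, written out as ASA configuration fragments. This is an added example, not craigie's configuration and not vendor documentation: the addresses are the ones in the post, while the interface names, the ACL name, the use of TCP/443 as the published service, the assumed /24 between the tiers and the assumption that 192.168.100.250 is the middle tier's outside interface are mine. Syntax is the pre-8.3 (`static`) form that the 5510s of that era ran; failover, interface and ISP-facing routing configuration are omitted.

```cisco
! ---------------------------------------------------------------
! Design A: double NAT (two static translations in series)
! ---------------------------------------------------------------
! Outer tier ASA (8.2 syntax): mapped address first, real address second.
! Public 200.200.200.3 becomes 192.168.100.250, an address on the assumed
! /24 link toward the middle tier.
static (inside,outside) 200.200.200.3 192.168.100.250 netmask 255.255.255.255
! Pre-8.3: the interface ACL matches the mapped (public) address.
access-list outside_in extended permit tcp any host 200.200.200.3 eq 443
access-group outside_in in interface outside
!
! Middle tier ASA: second translation, 192.168.100.250 -> 10.50.50.1.
static (inside,outside) 192.168.100.250 10.50.50.1 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 192.168.100.250 eq 443
access-group outside_in in interface outside

! ---------------------------------------------------------------
! Design B: route the public block inward, translate once
! ---------------------------------------------------------------
! Outer tier ASA: no translation. The public /28 is routed out of the
! inside interface to the middle tier's outside address (assumed to be
! 192.168.100.250). nat-control is off by default, so untranslated
! traffic is forwarded once the ACL permits it.
route inside 200.200.200.0 255.255.255.240 192.168.100.250
access-list outside_in extended permit tcp any host 200.200.200.3 eq 443
access-group outside_in in interface outside
!
! Middle tier ASA: a single static from the public address straight to
! the server. The ASA accepts a mapped address that is routed to it even
! though 200.200.200.3 is not in its outside interface subnet.
static (inside,outside) 200.200.200.3 10.50.50.1 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 200.200.200.3 eq 443
access-group outside_in in interface outside
```

    The practical difference for the site-to-site VPN question is which address each tier "knows" the server by. In design A, a tunnel terminating on the outer ASA has to carry 192.168.100.250 in its crypto ACL and NAT exemption, and the middle tier's translation must be exempted separately, so two NAT tables have to stay consistent with the VPN policy; in design B there is one translation and the public address is the same at every tier. On ASA 8.3 and later the `static` lines become object NAT (`object network`, `host 10.50.50.1`, `nat (inside,outside) static 200.200.200.3`) and interface ACLs match the real address rather than the mapped one, so the ACL lines above would change accordingly.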
  2. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,292
    265
    329
    I'm no expert, but why not implement the easiest to do? Because as far as I understand things, NAT won't be needed once IPv6 comes into the main, and that won't be too long away.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  3. LukeP

    LukeP Gigabyte Poster

    1,194
    41
    90
    I don't think it's as easy as that. NAT plays an important part in network security IMHO, as well as there is plenty of software that just will not work in a pure IPv6 environment (Exchange 2010 for example) that will be around for many years to come.
     
    WIP: Uhmm... not sure
  4. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,292
    265
    329
    Won't there be hot fixes to counter that though?
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  5. LukeP

    LukeP Gigabyte Poster

    1,194
    41
    90
    For Exchange? Maybe, maybe not. Maybe MS will try to push a new version out to customers.
    Still, I can't see IPv4 going any time soon.
     
    WIP: Uhmm... not sure
  6. danielno8

    danielno8 Gigabyte Poster

    1,306
    49
    92
    IPv6 will not be in corporate networks for a long time. To be honest, I don't see it being needed AT ALL on the inside of a network the way things are currently.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  7. danielno8

    danielno8 Gigabyte Poster

    1,306
    49
    92
    Craigie, that's going to be a nightmare to manage, I don't envy you haha.

    Do you have to do it through so many different F/w? We have a similar set up using a HA pair of checkpoints.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  8. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,292
    265
    329
    New version more likely

    Maybe, but from what I can see, IPv6 will eradicate IPv4 on all fronts.

    To answer Craigie's point, we do IP routing where I am; it seems like the best method.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  9. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    Good idea mate, but lots of legacy apps which need IPv4.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  10. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    Our client is a subsidiary of a major UK bank and therefore we have to meet their requirements.

    We have installed a few ASAs in HA, but never in a 3 tier system, hence my concerns about NAT.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  11. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    Thanks mate, will give that a whirl and see what happens
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  12. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    19,183
    500
    414
    I seriously doubt IPv4 will be going away anytime soon.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  13. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    ^^ This ^^

    It's already being used by ISPs, but there's precious little need for ANY SME to EVER use IPv6 in the current situation. It's an absolute PITA to manage compared to IPv4 for one thing. I see a situation developing in the next ten years where the only time you'll ever need it will be at the border of your enterprise connecting to your ISP - internal to external everything will just tunnel through.
     
    Certifications: A few
    WIP: None - f*** 'em
  14. Theprof

    Theprof Petabyte Poster

    4,607
    83
    211
    I personally wouldn't go with a double NAT route... you might end up with a nightmare when network address translation errors arise... If it's for security reasons, why not use a proxy such as an ISA server?
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  15. LukeP

    LukeP Gigabyte Poster

    1,194
    41
    90
    *cough*Forefront Threat Management Gateway*cough*

    Only kidding mate. But I agree double NAT is asking for problems.*

    * Based on horror stories I've seen on the Internet
     
    Last edited: Aug 16, 2010
    WIP: Uhmm... not sure
  16. Theprof

    Theprof Petabyte Poster

    4,607
    83
    211

    LOL! Just did my research and realized that Forefront Threat Management Gateway is the new ISA... I know ISA can become a pain too.. we have it at work, I believe it's the 2004 version. However, everywhere I used it, it worked well for what I needed it to do...
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
