Hey Networkers, I found myself in an interesting scenario where that annoying concept of double NAT haunted me yet again…
Best practice is to never use double NAT long term. It's been known to break certain applications, and things like VPNs may not work properly. However, because this seems to be a big practice with SMBs, I wanted to mention it to you guys.
Chances are, if you've never been in an SMB you've probably never had to deal with double NAT. Most enterprise companies don't have to worry about double NAT because they have the tools and hardware so that you wouldn't even be in this situation in the first place. However, if you've ever seen something bought from Best Buy in your network (I'm looking at you, D-Link/Linksys/Netgear), double NAT may not be too far off.
For example, take the above topology. We've got on the left a Linksys EA6900 wireless router, in the middle a small business Cisco 877 router, all connecting to the provider's cable modem.
Now the keyword here is Linksys ROUTER. By design these guys WANT to NAT. They WANT to take your inside traffic and NAT it to the outside world. If you don't let them do this, they get very upset and stop working properly.
Problem is, our Cisco router can also do NAT, and the provider is giving the static IP to the Cisco router, not the Linksys. How can we get this working? Enter the short-term band-aid called double NAT.
If you don't have a Linksys router to play with, see the above link for a sandbox demo of it.
Now let's first configure the Linksys. Go to the CONNECTIVITY tab, then go to the INTERNET SETTINGS tab. Here assign a static IP to the AP. This IP will be used to NAT to the "Cisco world", which in turn will get NATed again on the Cisco router off to the provider. Let's say for us we will use 192.168.2.1/24. Next, go to LOCAL NETWORK; this is the network subnet that the "inside" users will get, and they are assigned IPs via the DHCP server on this page. By default it's a 192.168.1.100-150 range. And that's it!
Now for the Cisco config, enter the config you normally do, except enter the right ACL commands to catch the 192.168.2.x/24 network and use the appropriate NAT statements to translate between the "inside" interface (pointing to the Linksys) and the outside interface (pointing to the modem). Email me if you need more specifics.
Now if all goes well, your Linksys router will pass traffic like so…
192.168.1.1 > NATed to 192.168.2.1 > gets to the Cisco router > Cisco router NATs the traffic again from 192.168.2.1 to whatever the public IP is.
At the end of the day, double NAT is only a short-term band-aid that shouldn't be kept long term. I hated every time I had to implement it and, as I mentioned, it generally only shows up in SMBs.
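Since the post leaves the Cisco side as "the config you normally do", here is an added example of what that side looks like on an IOS router, written for this post and not taken from the author's 877 or from Cisco. It assumes the Linksys WAN port sits on 192.168.2.1/24 as configured above, that the Cisco's inside-facing interface is Vlan1 (switch port FastEthernet0) with the assumed address 192.168.2.254, that the cable modem is on a second VLAN (Vlan2 on FastEthernet3), and that the provider's static address and gateway are filled in where the placeholders are. The ACL only ever needs to match 192.168.2.0/24, because the Linksys has already hidden the 192.168.1.x users behind 192.168.2.1 before the Cisco sees them.

```cisco
! Inside-facing interface toward the Linksys WAN port
! (assumed: Vlan1 on switch port FastEthernet0; 192.168.2.254 is an assumed address,
!  set it as the default gateway in the Linksys INTERNET SETTINGS tab)
interface Vlan1
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
!
! Outside-facing interface toward the cable modem
! (assumed: Vlan2 on switch port FastEthernet3; VLAN 2 must also exist in the VLAN database)
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan2
 ip address <PROVIDER_STATIC_IP> <PROVIDER_SUBNET_MASK>
 ip nat outside
!
! Default route toward the provider (placeholder value)
ip route 0.0.0.0 0.0.0.0 <PROVIDER_GATEWAY>
!
! Only the Linksys WAN subnet is eligible for translation; the 192.168.1.x users
! never appear here because the Linksys already NATed them to 192.168.2.1
ip access-list standard LINKSYS-NAT
 permit 192.168.2.0 0.0.0.255
!
! Port address translation (overload) of the matching traffic onto the outside interface address
ip nat inside source list LINKSYS-NAT interface Vlan2 overload
```

Once traffic is flowing, `show ip nat translations` on the Cisco is the quick check: every entry's inside local address will be 192.168.2.1, never a 192.168.1.x host, which is exactly the double translation the post describes. It is also why inbound services and VPN passthrough get painful here: anything that has to reach a 192.168.1.x host from outside needs a static mapping on the Cisco (`ip nat inside source static ...`) and a matching port forward on the Linksys, one hop per NAT.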