06-05-2012 10:36 AM
Double NAT routing question
I have an odd situation with internal connections to our outside IPs. My outside device is a special load balancer cluster that answers all real-world IPs. It then forwards via NAT to our SSG520 cluster, which on the external interface routes to the internal interface, which is set to NAT as well (it was set up like that when I got here). So below is a sample path:
Outside IP to Load Balancer NAT IP to SSG MIB IP sends to Internal IP through trusted Interface.
220.127.116.11 -> (LB) 10.1.1.2 -> (SSGUntrust) MIB 10.5.1.2 -> (SSGTrust) 172.16.1.2
My problem is that the NAT is translating wrong, or more likely that the packet coming back on the outside IP looks like an attack to the SSG. Without compromising security, how can I permit our local network to use the external IPs given the strange NAT path? I feel like I am missing something and was hoping someone else has a similar post they can point me to with a solution.
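The path drawn in the post, traced as an added Python model (not the poster's configuration or vendor code) for both an outside client and an internal client hitting the external IP, which shows that the internal flow must cross the SSG twice. It assumes that 10.1.1.2 is the address the load balancer uses as its own source toward the SSG, that 10.5.1.1 is the SSG untrust interface IP used by the NAT-mode trust interface, and that 172.16.1.50 and 198.51.100.7 are constructed client addresses.

```python
from dataclasses import dataclass

# Constructed addresses, read from the post's arrow diagram where possible.
LB_VIP, LB_SNAT = "220.127.116.11", "10.1.1.2"      # 10.1.1.2 as LB source NAT is an assumption
SSG_UNTRUST_IP, SSG_MIB, SERVER = "10.5.1.1", "10.5.1.2", "172.16.1.2"  # 10.5.1.1 assumed
INTERNAL_PREFIX = "172.16."


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str


def lb(p: Pkt) -> Pkt:
    # Load balancer: a hit on the public IP is sent on to the SSG MIB with the LB's own source.
    if p.dst == LB_VIP:
        return Pkt(LB_SNAT, SSG_MIB)
    raise ValueError(f"LB has no rule for {p}")


def ssg_untrust_in(p: Pkt) -> Pkt:
    # SSG untrust -> trust: the MIB 10.5.1.2 is mapped to the internal server.
    if p.dst == SSG_MIB:
        return Pkt(p.src, SERVER)
    raise ValueError(f"SSG untrust has no mapping for {p}")


def ssg_trust_out(p: Pkt) -> Pkt:
    # SSG trust interface in NAT mode: the outbound source becomes the untrust interface IP.
    return Pkt(SSG_UNTRUST_IP, p.dst)


def trace(client: str) -> list:
    """Return the (hop, packet) sequence a request from `client` to the public IP follows."""
    p = Pkt(client, LB_VIP)
    hops = []
    if client.startswith(INTERNAL_PREFIX):
        # Hairpin case: an internal client first leaves through the SSG trust side.
        p = ssg_trust_out(p)
        hops.append(("SSG trust->untrust", p))
    p = lb(p)
    hops.append(("LB", p))
    p = ssg_untrust_in(p)
    hops.append(("SSG untrust->trust", p))
    return hops


def ssg_traversals(client: str) -> int:
    # How many times the SSG must match a policy for this one request.
    return sum(1 for hop, _ in trace(client) if hop.startswith("SSG"))
```

For the internal client the SSG sees its own untrust address as the load balancer's client on the outbound leg and then a second, separate untrust-to-trust session on the inbound leg, so both legs need a matching policy and the reply must return along the same route.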