Cisco Router NAT transparency

I have a firewall box that sits between the ‘WAN’ port on a Cisco 2811 and the main ISP line into my building. The topology looks like:

ISP CONNECTION IN

UTM

CISCO ROUTER

My problem is logging on the UTM. It runs a DNS filtering service that filters the network traffic for the site. Between the UTM and the router there is a class C subnet: 20.20.20.0/24. The UTM has 20.20.20.1 and the router has 20.20.20.2. The Cisco router has NAT configured on it to allow 0.0.0.0. When a client visits a blocked page the UTM logs this with the IP of the client. The problem I am having is that the client IP address is always 20.20.20.2 (the IP of the WAN interface on the router) and not the IP of the actual client.

How can I get the firewall to see the actual client IP? I've narrowed it down to NAT on the router but have no idea how to configure it. Please could someone explain what I need to do?

You can’t configure NAT that way; your issue is to do with your topology.

That’s the point of NAT. Post-NAT, the outside world (in your example, the firewall, from the perspective of the NAT running on the 2811) doesn’t see what the originating IP is (with some exceptions where it is embedded in the protocol, e.g. the X-Originating-IP email header, the FTP control channel, etc.).

I’d swap the router and the firewall around so that it goes:

ISP -> Cisco router -> firewall and do NAT on the firewall. This way the firewall sees the originating IP inside, and has a public IP (or any number of IPs from your /24) on its outside.

Yes your router will be out on the internet, but that’s where they live. You should harden it appropriately (turn off services, etc.).

edit:
I have a similar setup to what I describe above. I also have an ACL inbound on the router WAN interface to limit what traffic can get to my firewall. So in effect I am using the router as a bit of a dumb firewall in front of the firewall. It drops OBVIOUSLY bad/undesired traffic before the firewall even sees it, where the firewall can do more detailed inspection, etc.

If you’re running VoIP or something like that on the external router, I’d suggest maybe not doing that (and move VoIP to another router behind your firewall) or make sure to be careful to protect it with ACLs.

You should probably be doing NAT on the firewall (and not the router) anyway; the firewall will likely have more intelligent NAT-fixup code in it to make various NAT-unfriendly protocols work better.

Also:
Do you even need the router at all? What job is it doing that your firewall can’t/won’t do for you (e.g., CUBE voip gateway, etc.)? If your answer is “nothing” then just ditch the router entirely, use the firewall to connect direct to the ISP and your LAN(s), and simplify things like that.
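As an added example (not from the poster, and not the poster's own configuration), this is the router side of the suggested ISP -> Cisco router -> firewall layout in Cisco IOS. The router does no NAT at all: it carries a default route to the ISP, routes the public block down to the firewall's outside interface, and applies an inbound ACL on the WAN interface that drops obviously bad traffic (spoofed private and own-block sources) before the firewall sees it, with the firewall doing NAT and real inspection behind it. Interface names, the /30 to the ISP (203.0.113.0/30), the public /24 routed to the site (198.51.100.0/24) and the firewall's outside address (198.51.100.2) are all assumed placeholders using RFC 5737 documentation ranges; substitute your own.

```cisco
! Added example, not the original poster's config. All addresses and
! interface names are assumed placeholders (RFC 5737 documentation ranges).
!
! Basic hardening: turn off services the edge router does not need.
no ip http server
no ip http secure-server
no cdp run
no ip source-route
no ip finger
no service pad
service tcp-keepalives-in
!
! WAN side: /30 to the ISP (assumed), with the inbound ACL applied here.
interface FastEthernet0/0
 description WAN to ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group EDGE-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
! Inside side: the public /24 lives on this link. The firewall's outside
! interface is 198.51.100.2 (assumed) and NATs the LAN behind it, so the
! firewall, not the router, sees the real client addresses in its logs.
interface FastEthernet0/1
 description Link to firewall outside
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
! No "ip nat inside" / "ip nat outside" anywhere: the router only routes.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Dumb-firewall ACL on the WAN interface: drop what is obviously wrong,
! pass everything destined for the public block through to the firewall.
ip access-list extended EDGE-IN
 remark Spoofed sources: nothing from the Internet may claim our own block
 deny   ip 198.51.100.0 0.0.0.255 any
 remark Spoofed sources: private and loopback ranges never arrive from the ISP
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Everything else for the public block goes on to the firewall
 permit ip any 198.51.100.0 0.0.0.255
 remark Allow the ISP to reach the router's own WAN address if needed, e.g. ICMP
 permit icmp any host 203.0.113.2 echo
 remark Log and drop anything else (traffic aimed at the router itself)
 deny   ip any any log
```

The `log` on the final deny is there so you can see what the router is absorbing on behalf of the firewall; if you run VoIP or management on the router's WAN address, add explicit permits for those before the closing deny rather than loosening the rest.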

Indeed. At $work, I have two firewalls directly on the Internet running eBGP without any intervening routers (we have two 10G links). During a long on site discussion with our Cisco support people, the subject came up and they agreed that unless we’re taking a full BGP feed (we’re not), there was no reason not to use the firewall as a router.

Unless you’re doing some sort of link technology other than Ethernet for your WAN, a router is probably not required for 99% of people.