Mailing List Archive

Yet Another Nat Question
Hi Everyone,

I haven't quite figured out the benefits of using NAT but I am sure someone can tell me.

On one VLAN of the Serveriron I have all the public IP VIP addresses, on the other VLAN I have an internal 10.x block. I have set up inside NAT for one of my servers and outbound connections will appear from the public IP that I have specified. Great!!

Now, how would I configure a static mapping for the public IP addresses for incoming requests? For example, I have a VIP address that I use for port 80 and that works fine; however, if I want to be able to admin the server via SSH, I would need to create a static mapping for incoming requests, kind of like the PIX static commands.

Is this possible using the Serveriron? Would I need to create a virtual server with the same IP address that I use for the inside static nat?

Any ideas would be appreciated.

Thanks
Tim.
Yet Another Nat Question [ In reply to ]
Why not admin your systems on the private addresses? A bit more secure
because you don't expose your systems to the outside world :-)

But it is possible to bind SSH to a VIP. It is even possible to admin all
your systems with one VIP address and different TCP ports (using port
translation), which has the benefit that you can secure this single VIP with
an ACL.

And you can use your static NAT solution. But again, static NAT is
bidirectional (it makes no difference whether you use "static nat inside" or
"static nat outside"). When you use static NAT to do source NAT it is also
possible to connect to the NAT address (directly connecting to your internal
server). That's why NAT pools are more secure.


greetings





-----Original Message-----
From: foundry-nsp-bounces@puck.nether.net
[mailto:foundry-nsp-bounces@puck.nether.net] On Behalf Of Timothy Arnold
Sent: Thursday 9 December 2004 12:02
To: foundry-nsp@puck.nether.net
Subject: [f-nsp] Yet Another Nat Question

Hi Everyone,

I haven't quite figured out the benefits of using NAT but I am sure someone
can tell me.

On one VLAN of the Serveriron I have all the public IP VIP addresses, on the
other VLAN I have an internal 10.x block. I have set up inside NAT for one
of my servers and outbound connections will appear from the public IP that I
have specified. Great!!

Now, how would I configure a static mapping for the public IP addresses for
incoming requests? For example, I have a VIP address that I use for port 80
and that works fine; however, if I want to be able to admin the server via
SSH, I would need to create a static mapping for incoming requests, kind of
like the PIX static commands.

Is this possible using the Serveriron? Would I need to create a virtual
server with the same IP address that I use for the inside static nat?

Any ideas would be appreciated.

Thanks
Tim.




_______________________________________________
foundry-nsp mailing list
foundry-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp
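The reply above makes three points: a static NAT entry is bidirectional, so the inside server is reachable from outside through its public address; a NAT pool only translates return traffic for flows the inside host opened; and one VIP with a different TCP port per server, fronted by an ACL, limits what is exposed. The following is an added illustration of those three behaviours as a small packet-translation model. It is not code from this thread or from Foundry, and it models the generic behaviour described, not the ServerIron implementation. Addresses reuse the thread's examples; the pool address 195.1.1.20, the admin VIP 195.1.1.5, Server2's address 10.0.18.10 and the admin network 203.0.113.0/24 are assumptions.

```python
"""Model of static NAT, NAT pool and single-VIP port translation with an ACL.

Added example, not from the thread or from Foundry. It shows the generic
behaviour the reply describes; it is not a ServerIron configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StaticNat:
    """One-to-one static NAT. The mapping is bidirectional, so any outside
    host can open a connection to the inside server via the public address."""

    def __init__(self, inside: str, public: str) -> None:
        self.inside, self.public = inside, public

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.src != self.inside:
            return None
        return Packet(self.public, p.sport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public:
            return None
        return Packet(p.src, p.sport, self.inside, p.dport)


class NatPool:
    """Dynamic source NAT (pool with port allocation). A flow entry exists
    only because an inside host sent something; inbound packets matching
    no flow are dropped."""

    def __init__(self, pool_ip: str, first_port: int = 40000) -> None:
        self.pool_ip = pool_ip
        self.next_port = first_port
        # (public port, peer ip, peer port) -> (inside ip, inside port)
        self.flows: dict = {}

    def outbound(self, p: Packet) -> Packet:
        pub_port = self.next_port
        self.next_port += 1
        self.flows[(pub_port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.pool_ip, pub_port, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        entry = self.flows.get((p.dport, p.src, p.sport))
        if entry is None:            # unsolicited: no flow, dropped
            return None
        inside, iport = entry
        return Packet(p.src, p.sport, inside, iport)


class AdminVip:
    """One VIP, one TCP port per real server (port translation), with a
    source ACL in front of it."""

    def __init__(self, vip: str, allowed: list) -> None:
        self.vip = vip
        self.acl = [ip_network(n) for n in allowed]
        self.ports: dict = {}         # VIP port -> (real ip, real port)

    def bind(self, vip_port: int, real_ip: str, real_port: int) -> None:
        self.ports[vip_port] = (real_ip, real_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.vip or p.dport not in self.ports:
            return None               # not a bound port: dropped
        if not any(ip_address(p.src) in net for net in self.acl):
            return None               # ACL deny
        real_ip, real_port = self.ports[p.dport]
        return Packet(p.src, p.sport, real_ip, real_port)


CLIENT = "158.152.1.43"               # outside host from the thread
SERVER1 = "10.0.17.10"                # server1 from the thread
SERVER2 = "10.0.18.10"                # assumed address for Server2 on vlan18


def static_nat_demo() -> dict:
    nat = StaticNat(inside=SERVER1, public="195.1.1.10")
    out = nat.outbound(Packet(SERVER1, 51000, CLIENT, 443))
    # Unsolicited inbound SSH to the public address reaches the inside host.
    ssh_in = nat.inbound(Packet(CLIENT, 3000, "195.1.1.10", 22))
    return {"out": out, "ssh_in": ssh_in}


def nat_pool_demo() -> dict:
    pool = NatPool("195.1.1.20")      # assumed pool address
    out = pool.outbound(Packet(SERVER1, 51000, CLIENT, 443))
    # Reply to the established flow is translated back to the inside host.
    reply = pool.inbound(Packet(CLIENT, 443, "195.1.1.20", out.sport))
    # Unsolicited SSH to the pool address matches no flow and is dropped.
    ssh_in = pool.inbound(Packet(CLIENT, 3000, "195.1.1.20", 22))
    return {"out": out, "reply": reply, "ssh_in": ssh_in}


def admin_vip_demo() -> dict:
    vip = AdminVip("195.1.1.5", allowed=["203.0.113.0/24"])   # assumed
    vip.bind(2201, SERVER1, 22)
    vip.bind(2202, SERVER2, 22)
    allowed = vip.inbound(Packet("203.0.113.9", 3000, "195.1.1.5", 2202))
    denied = vip.inbound(Packet(CLIENT, 3000, "195.1.1.5", 2202))
    unbound = vip.inbound(Packet("203.0.113.9", 3000, "195.1.1.5", 22))
    return {"allowed": allowed, "denied": denied, "unbound": unbound}


if __name__ == "__main__":
    print("static:", static_nat_demo())
    print("pool:  ", nat_pool_demo())
    print("vip:   ", admin_vip_demo())
```

Running it shows the difference the reply is getting at: with the static entry the SSH packet to 195.1.1.10:22 is handed to 10.0.17.10:22 without any prior flow, with the pool the same packet is dropped while the reply to the server's own connection is translated back, and with the admin VIP only the bound ports from the ACL-permitted network reach a real server.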
Yet Another Nat Question [ In reply to ]
Hi,

On Thu, 2004-12-09 at 13:28 +0100, Gerlof.Dijk wrote:
> Why not admin your systems on the private addresses? A bit more secure
> because you don't expose your systems to the outside world :-)
>

That is an idea. Another example is that I might want to run services
that should not be load balanced but sit behind the Serveriron.

I am unsure how this will turn out with your email client but here goes:


client - 158.152.1.43 - a host on the internet
            |
            |
            |
            |
Firewall - 195.1.1.1/24
            |
            |
            |
            |
            | 195.1.1.2/24
      |---------------|
      |  Serveriron   |
      |---------------|
            |       |
Vlan17      |       |  vlan18
10.0.17.0/24|       | 10.0.18.0/24
            |       |
            |       |
         Server1  Server2

At present I don't use VE interfaces, just source-ip with subnets for
each VLAN.

Having a VIP IP address from the 195.1.1.0/24 range, I can successfully
load balance between the two servers. But what happens if I want to use
'server1' for a custom application without having to load balance but
still use a VIP address from the range?

Currently, when I use ip nat inside static, when the server initiates
outbound requests to the Internet it uses the correct real IP address,
but when I try to SSH back to that IP address it doesn't work. Ping,
however, does, but the Serveriron does the reply and the ICMP packets are
not being seen by Server1.

Inside server1 to external site

server1 IP -> Public IP -> outside client

10.0.17.10 -> 195.1.1.10 -> 158.152.1.43

But when outside client wants to talk to server1 directly without load
balancing

158.152.1.43 -> 195.1.1.10 -> 10.0.17.10

However, it doesn't appear to get to server1.

Any ideas?

> But it is possible to bind SSH to a VIP. It is even possible to admin all
> your systems with one VIP address and different TCP ports (using port
> translation), which has the benefit that you can secure this single VIP with
> an ACL.

That is a very, very nice idea... I am going to recommend it.
>
> And you can use your static NAT solution. But again, static NAT is
> bidirectional (it makes no difference whether you use "static nat inside" or
> "static nat outside"). When you use static NAT to do source NAT it is also
> possible to connect to the NAT address (directly connecting to your internal
> server). That's why NAT pools are more secure.
>

If it is bidirectional then the above should work?

Thanks!