Re: question about nat
- From: roberson@xxxxxxxxxxxx (Walter Roberson)
- Date: Tue, 15 Aug 2006 16:44:37 GMT
In article <1155645601.480192.173270@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
rooy <rooy@xxxxxxxxx> wrote:
I have a router configured to translate an external public ip address
to a private address of an internal Ftp server.
From what I have seen, when a packet arrives inside the Lan, the
destination IP address is that of the ftp server (its private address
of course), but the source address is still the real public IP address
of the sender.
Yes, that is a quite common configuration.
This is causing me some problems because this server has another
default gateway (another router) and ftp requests don't get a response.
If the NAT'ing router is accepting traffic from the internet as a whole
then your other router is not configured properly if that other
router is not able to return the traffic to the internet. (If that
other router is also acting as a firewall and is refusing the packets
because it does not have any active "flow" for that traffic, then
you have a network design conflict.)
If the NAT'ing router is accepting traffic only from a limited IP
range, then your server should be configured to have a more specific
route for that IP range that points back to the NAT'ing router. This
would include the case where the NAT'ing router is acting as a VPN
server: the valid VPN address ranges should be routed back
to the NAT'ing router.
Return routing can be a problem when you are transferring different
data from the same source along different paths, such as if you
are prioritizing ftp along a dedicated link but wish other traffic
to go through the other route. In a situation such as that, normally
the default gateway would be set to the faster (or more flexible) device,
which would use "policy based routing" (PBR) to select which traffic
went which way.
Is it possible somehow to have the router to translate not only the
destination address but also the source address? If the server saw the
packet coming from the router and not from a public Internet IP
address, I think it would be able to respond back correctly to ftp
requests through the same router.
Is it possible? or is there a better way to do this?
Translating source addresses as well is possible, at least with
some versions of IOS for some devices. (I don't have any
idea at the moment of how common the facility is in modern IOS versions.)
Translating the source is a technique I have used with a Cisco PIX
firewall (in a situation where policy based routing was not feasible.)
I am quite rusty on NAT for IOS; I believe there is an
"ip nat source" as well as an "ip nat destination".
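An added configuration example, not taken from the post above and not rooy's real setup, showing the static destination mapping on the NAT'ing router together with the policy-based-routing fix on the server's default gateway that the reply describes. All interface names and addresses are assumed: Router A (the NAT'ing router) is 203.0.113.2 outside and 192.168.10.1 inside, the FTP server is 192.168.10.21 mapped to the public address 203.0.113.21, and Router B (the server's default gateway) is 192.168.10.254. The ACL on Router B deliberately excludes internal destinations so that only the server's replies to Internet clients are steered back to Router A, where the NAT translation is reversed.

```cisco
! ---- Router A: the NAT'ing router (assumed addresses, example only) ----
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! One-to-one mapping: public 203.0.113.21 <-> private 192.168.10.21.
! Only the destination is rewritten on inbound packets; the Internet
! client's source address is passed through unchanged, which is why the
! server's reply must come back through this router.
ip nat inside source static 192.168.10.21 203.0.113.21

! ---- Router B: the FTP server's default gateway (assumed, example only) ----
! Policy-route the server's replies to Internet clients to Router A.
! "deny" entries are NOT policy-routed and fall through to normal routing,
! so traffic to internal networks keeps using Router B's routing table.
ip access-list extended FTP-RETURN-VIA-NAT
 deny   ip host 192.168.10.21 192.168.0.0 0.0.255.255
 deny   ip host 192.168.10.21 10.0.0.0 0.255.255.255
 permit ip host 192.168.10.21 any
!
route-map FTP-VIA-NAT permit 10
 match ip address FTP-RETURN-VIA-NAT
 set ip next-hop 192.168.10.1
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.254 255.255.255.0
 ip policy route-map FTP-VIA-NAT
```

The ACL matches on the server's address rather than on TCP ports 20 and 21, because a passive-mode FTP data connection lands on an ephemeral port on the server and a port-based match would miss it. If Router A only ever admits a limited client range (the VPN case in the reply), the PBR is unnecessary and a single static route for that range on the server, pointing at 192.168.10.1, does the same job.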