[41363] in North American Network Operators' Group
Re: Where NAT disenfranchises the end-user ...
daemon@ATHENA.MIT.EDU (David Howe)
Fri Sep 7 05:32:01 2001
Message-ID: <00c501c1377f$a03533a0$c71121c2@sharpuk.co.uk>
From: "David Howe" <DaveHowe@gmx.co.uk>
To: "Email List: nanog" <nanog@nanog.org>
Date: Fri, 7 Sep 2001 10:29:33 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
"Roeland Meyer" <rmeyer@mhsc.com> wrote:
> Absolutely true. I'll take that clarification.
Not one of mine, but more or less what I was thinking.
> |> which of course *is* possible for at least one machine per visible IP
> |> address - even if additional IPs are masqed behind it.
> if you are doing one:one NAT then why do NAT at all?
Plenty of reasons - you can have an entire 1918 network behind there, and
only one or two machines "visible"; by using NAT rather than directly
feeding those IP addresses to the machines involved, you simplify routing
and separate admin of internal and external (if you need to fall back to a
backup machine, you can have it running live in parallel, and one config
change on the NAT will change the visible machine)
It is pretty common practice for a company with a small (/24 say) allocation
to static-NAT one or more to individual servers inside their lan,
particuarly if those servers have functions like web proxy or email server.
> if you are doing one:many then it won't work (broken).
no, it *will* work for the one that is the default.
working from a one-IP allocation, let us assume a 1918 subnet on
192.168.123.x for the backend lan
"web.mycompany.com" 192.168.123.5
"ftp.mycompany.com" 192.168.123.10
"webproxy.mycompany.com" 192.168.123.15
"Teleconferencing.mycompany.com" 192.168.123.20
"natdevice.mycompany.com" 192.168.123.25
Workpc1-->Workpc40 192.168.123.101 -->192.168.123.40
bearing in mind that "natdevice.mycompany.com" is also the external visible
IP (via a separate interface) do suitably stateful Nat:
for inbound port 80 - rewrite packet to web.mycompany.com
for inbound port 25 - rewrite packet to ftp.mycompany.com
for outbound from webproxy.mycompany.com or teleconferencing.mycompany.com -
do stateful NAT
for outbound from any other machine - ignore
for inbound not covered by above - rewrite packet to
Teleconferencing.mycompany.com
with this setup, Teleconferencing.mycompany.com will appear to the internet
to be listening on whatever ports it chooses to support, and also appear to
be doing a whole heap of other things that it really isn't. In practice, a
company would probably want to spread out the IPs here a little and get a
bigger allocation, but it *could* be done this way if it had to be.
