
NAT firewall routing question

binarysoul Member Posts: 993
How do NAT firewalls route when an external network tries to access a node on the internal network? Assume that the external network is configured to pass through.

Let's say I'm the external company with IP of 142.1.2.0 and I know that ACME company has a server with IP of 172.16.2.3, the private IP.

How are packets routed? What is the destination IP of packets going from my network?

Comments

  • sprkymrk Member Posts: 4,884
    Acme has to have at least one public IP at their border device, which will then perform the NAT based on rules set by an administrator, such as any packets destined for ACME public IP on port 80 go to the web server at 172.16.2.3. If it's a packet destined for the public IP of ACME but with a destination port of 25, send that to the internal mail server at 172.16.2.4, etc.
    All things are possible, only believe.
  • binarysoul Member Posts: 993
    sprkymrk wrote:
    Acme has to have at least one public IP at their border device, which will then perform the NAT based on rules set by an administrator, such as any packets destined for ACME public IP on port 80 go to the web server at 172.16.2.3. If it's a packet destined for the public IP of ACME but with a destination port of 25, send that to the internal mail server at 172.16.2.4, etc.

    What if ACME has 10 servers running on port 80? When packets come in, how does the NAT firewall know which server to route to, given the incoming packets don't know the internal web servers' IPs?

    This isn't a trick question :) I simply don't know a lot about NAT firewalls :(
  • sprkymrk Member Posts: 4,884
    binarysoul wrote:
    sprkymrk wrote:
    Acme has to have at least one public IP at their border device, which will then perform the NAT based on rules set by an administrator, such as any packets destined for ACME public IP on port 80 go to the web server at 172.16.2.3. If it's a packet destined for the public IP of ACME but with a destination port of 25, send that to the internal mail server at 172.16.2.4, etc.

    What if ACME has 10 servers running on port 80? When packets come in, how does the NAT firewall know which server to route to, given the incoming packets don't know the internal web servers' IPs?

    This isn't a trick question :) I simply don't know a lot about NAT firewalls :(

    It may use host headers on the web server, so depending on if the request was for www.acme.com or www.acme.net it will direct it to whatever server/port it needs to go to. Other times, there may be a load balancer. It really depends on the individual situation. Sometimes, a situation will arise where a NAT solution just won't work or will simply not be the best solution for a situation. A company that has 10 web servers is likely to have more than 1 public IP.

    It's a fair question though, maybe someone else can explain it better. I don't seem to be coming up with the right words... Must be tired. :)
    All things are possible, only believe.
  • blargoe Member Posts: 4,174
    I think you explained it well enough. If Acme wants a bunch of web servers that are publicly accessible on port 80, there would have to be either a public to private address translation for each of the servers or some kind of logic on the back end to handle the requests like host headers.

    The external company doesn't need to know the internal private IP and it wouldn't do them any good anyway, all they need to know is their public Internet IPs and their NAT device will take care of the rest.

    This type of NAT you are referring to is destination NAT. Once the firewall receives the packet, it changes the destination address on the packet from Acme's public IP address to the internal address that is in its NAT table before it routes the packet to the internal destination.

    There is also source NAT, where an internal host sends out a packet, and when the packet reaches the firewall, it is routed to the correct interface, and then the source IP is changed from the internal device's IP (usually a private address) to a publicly routable address. If you are at home behind a Linksys router on your internet connection, it is doing a form of SNAT.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • Ahriakin Member Posts: 1,799
    [Pedantic] Really it's PAT (Port Address Translation)[/pedantic] :)

    When Address Translation is used on more than a one-to-one basis (i.e. one internal to one external IP), ports are used by the translation device to keep track of the flow. Connections as you know are formed based on Client IP and Port + target IP and Port, at least one of the combination of IP and port must be unique for multiple clients to attach. I.e. you have one external IP and 2 inside clients, each one accesses a web page on a remote system on port 80, the firewall builds a translation table something like:

    PC1 (192.168.1.10 : 10000) -> Firewall (100.100.100.1): 10000 -> Remote server:80
    PC1 (192.168.1.20 : 10000) -> Firewall (100.100.100.1): 20000 -> Remote server:80

    You'll see in the example the ports (1000, just chosen at random) are the same for both internal clients, but they have unique addresses when presented to the Firewall so it can accept and track the connections. The firewall has one IP on the outside but dynamically creates new Port numbers when necessary so that both the target server and the Firewall's translation table can maintain the 2 different connections.

    In reverse, where you want to use one IP to serve multiple internal servers with inbound traffic, Cisco call this type of operation Static PAT, where multiple ports on one external (well could be any but it's usually external as this is the most common use) IP are statically mapped to different Internal IPs/Ports. The Firewall itself cannot route to different multiple internal IPs from one external port, you would need some sort of application level service to do that (as Sprky mentioned there would have to be a service in place to differentiate based on URL, there may be appliances out there custom built to integrate the functions but strictly speaking it's not a Firewall function), or you could specify the different external port numbers to use in your URLs from a master page that does the sorting. So if you want multiple servers accessible on the same port externally you need multiple IPs or some sort of application service. If you want multiple servers accessible on different ports externally but the same port internally that will work fine, as you write static translations on the firewall to map its one external IP with different ports to the different internal servers on the same ports. i.e.

    Internal Web Server 1: 192.168.2.10:80 <- Firewall (100.100.100.1: 80) <- (request to 100.100.100.1: 80)
    Internal Web Server 2: 192.168.2.20:80 <- Firewall (100.100.100.1: 8080) <- (request to 100.100.100.1: 8080)

    In the example above a client going to 100.100.100.1:80 will be directed to Web Server 1. If that client specified (or the URL/Link they followed did) 100.100.100.1:8080 they get sent to Web Server 2.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
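
The destination NAT / source NAT distinction and the static PAT table described in the last two replies, as an added example that is not part of any poster's message. The `PatDevice` class and its method names are hypothetical; the addresses reuse the thread's sample values, and the model keys flows on the internal IP and port only, which is a simplification of a real translation table.

```python
# Added example: toy model of a PAT device. Addresses reuse the thread's samples.
PUBLIC_IP = "100.100.100.1"


class PatDevice:
    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.static = {}      # public port -> (internal ip, internal port)
        self.out = {}         # (internal ip, internal port) -> public port
        self.back = {}        # public port -> (internal ip, internal port)
        self.next_port = first_port

    def add_static(self, public_port, internal_ip, internal_port):
        """Static PAT: one public port can point at only one internal server."""
        if public_port in self.static:
            raise ValueError(f"public port {public_port} is already mapped")
        self.static[public_port] = (internal_ip, internal_port)

    def outbound(self, src_ip, src_port):
        """Source NAT: rewrite the source to the public IP and a unique port."""
        key = (src_ip, src_port)
        if key not in self.out:
            while self.next_port in self.back or self.next_port in self.static:
                self.next_port += 1
            self.out[key] = self.next_port
            self.back[self.next_port] = key
        return (self.public_ip, self.out[key])

    def inbound(self, dst_ip, dst_port):
        """Destination NAT: rewrite the destination, or return None (no match)."""
        if dst_ip != self.public_ip:
            return None
        # Static rules first, then replies to tracked outbound flows.
        return self.static.get(dst_port) or self.back.get(dst_port)


def demo():
    fw = PatDevice(PUBLIC_IP)
    fw.add_static(80, "192.168.2.10", 80)     # Web Server 1
    fw.add_static(8080, "192.168.2.20", 80)   # Web Server 2
    a = fw.outbound("192.168.1.10", 10000)    # two clients, same source port
    b = fw.outbound("192.168.1.20", 10000)
    return fw, a, b


if __name__ == "__main__":
    fw, a, b = demo()
    print(a, b, fw.inbound(PUBLIC_IP, 80), fw.inbound(PUBLIC_IP, 8080))
    print(fw.inbound(PUBLIC_IP, 25))   # no rule and no tracked flow
```

A second `add_static(80, ...)` raises `ValueError`, which is the "10 servers on port 80" case from the thread: the table has nothing but the public port to choose by, so more public IPs or an application-level service are needed.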