Access to a PAT-ed network questions.

rossonieri#1 Member Posts: 799
Can a PAT-ed network be accessed by a static route?
For example:
ip route 192.168.0.0/24 172.16.0.2 -> can it be done?
Just wondering.
Because afaik it uses ports to differentiate the connections, right? Well, if it can be accessed by a static route, then the concept of PAT/ICS will fall down.
the More I know, that is more and More I dont know.

Comments

  • Drakonblayde Member Posts: 542
    Well, you can certainly define that all traffic being sent to a certain address will follow a certain route, but there's no guarantee you're going to get a response. Most routers will drop packets that have addresses that fall in the RFC1918 address spaces.

    PAT uses ports to differentiate the connections, yeah, but the ip address itself is being translated as well. The outside world will never see a packet coming from the private space behind the network, all they'll see is the ip address of the interface that's sending the packet outside of the internal network.

    I suppose you could try source routing a packet to an ip behind the firewall, but any network administrator who allows that kind of traffic through his network needs to be shot and admitted to hell as it's chief damned soul for such a cardinal sin.
    = Marcus Drakonblayde
    ================
    CCNP-O-Meter:
    =[0%]==[25%]==[50%]==[75%]==[100%]
    ==[X]===[X]====[ ]=====[ ]====[ ]==
    =CCNA==BSCI==BCMSN==BCRAN==CIT=
  • rossonieri#1 Member Posts: 799
    OK,
    if the PAT-ed network has a public DHCP address from the ISP, the ICS server will give out addresses like 192.168.0.0/16 to its network. How can I then differentiate which host is serving DNS, WWW, FTP, etc.?
    Well, if I use NAT with a pool, I surely can point a specific IP to the service. But what about PAT??
  • tunerX Member Posts: 447
    You use NAT overload with static translations to get this done.
    DNS - 192.168.1.6
    WWW - 192.168.1.7
    FTP - 192.168.1.8
    SMTP - 192.168.1.9

    ! Dynamic PAT: every inside host matched by access-list 7 is overloaded
    ! onto the address of serial 0
    ip nat inside source list 7 interface serial 0 overload
    ! Static port translations: inbound connections to the public address on
    ! these ports are forwarded to the inside server that owns the service
    ip nat inside source static tcp 192.168.1.6 53 80.19.125.2 53
    ip nat inside source static udp 192.168.1.6 53 80.19.125.2 53
    ip nat inside source static tcp 192.168.1.7 80 80.19.125.2 80
    ip nat inside source static tcp 192.168.1.8 21 80.19.125.2 21
    ip nat inside source static tcp 192.168.1.9 25 80.19.125.2 25

    ! Inside (LAN) interface
    interface e 0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside

    ! Outside (ISP-facing) interface
    interface s 0
    ip address 80.19.125.2 255.255.255.252
    ip nat outside

    ! Inside hosts eligible for dynamic translation
    access-list 7 permit 192.168.1.0 0.0.0.255

    ! Default route toward the ISP
    ip route 0.0.0.0 0.0.0.0 80.19.125.2
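To make the two answers in this thread concrete, here is an added Python model of the translation table that the configuration above builds. It is not code from the thread or from Cisco; it is a toy that mimics IOS NAT overload plus static port translations: outbound flows from hosts in the access-list range are assigned an outside port, the five static entries are pre-populated, and an inbound packet is forwarded only if it is addressed to the outside interface on a port that has a table entry. The IP addresses, ports and packets are the ones from tunerX's post plus constructed sample values (203.0.113.5, 198.51.100.9, 192.168.1.50); the class and function names are my own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Toy model of 'ip nat inside source list ... interface ... overload'
    combined with 'ip nat inside source static {tcp|udp} ...' entries.
    A single table keyed by (proto, outside_port) serves both kinds of entry."""

    def __init__(self, outside_ip, inside_net, first_dyn_port=1024):
        self.outside_ip = outside_ip
        # plays the role of access-list 7: only these sources get translated
        self.inside_net = ipaddress.ip_network(inside_net)
        self.next_port = first_dyn_port
        self.static_keys = set()
        # (proto, outside_port) -> (inside_ip, inside_port)
        self.table = {}

    def add_static(self, proto, inside_ip, inside_port, outside_port):
        """Equivalent of 'ip nat inside source static <proto> <in_ip> <in_port> <out_ip> <out_port>'."""
        key = (proto, outside_port)
        self.table[key] = (inside_ip, inside_port)
        self.static_keys.add(key)

    def outbound(self, pkt):
        """Inside -> outside. Sources outside the NAT list are forwarded untranslated."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return pkt
        # reuse an existing mapping for this inside (ip, port) if one exists
        for (proto, oport), inside in self.table.items():
            if proto == pkt.proto and inside == (pkt.src_ip, pkt.src_port):
                break
        else:
            # otherwise allocate a fresh outside port (this is the "overload")
            oport = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, oport)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.outside_ip, oport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside -> inside. Returns the translated packet, or None if dropped.
        A packet addressed to a private inside address has no table entry to match,
        so a static route on the far side buys nothing: the outside world only
        ever addresses the public interface."""
        if pkt.dst_ip != self.outside_ip:
            return None
        inside = self.table.get((pkt.proto, pkt.dst_port))
        if inside is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside[0], inside[1])

    def exposed_services(self):
        """What is reachable from outside without a prior outbound flow: the static entries only."""
        return sorted(
            (proto, oport, self.table[(proto, oport)][0], self.table[(proto, oport)][1])
            for (proto, oport) in self.static_keys
        )


def build_router():
    """The router from tunerX's configuration: public 80.19.125.2, inside 192.168.1.0/24."""
    r = PatRouter("80.19.125.2", "192.168.1.0/24")
    r.add_static("tcp", "192.168.1.6", 53, 53)
    r.add_static("udp", "192.168.1.6", 53, 53)
    r.add_static("tcp", "192.168.1.7", 80, 80)
    r.add_static("tcp", "192.168.1.8", 21, 21)
    r.add_static("tcp", "192.168.1.9", 25, 25)
    return r


if __name__ == "__main__":
    r = build_router()
    # constructed sample packets
    print(r.inbound(Packet("tcp", "203.0.113.5", 40000, "80.19.125.2", 80)))   # -> 192.168.1.7:80
    print(r.inbound(Packet("tcp", "203.0.113.5", 40000, "80.19.125.2", 443)))  # -> None
    print(r.inbound(Packet("tcp", "203.0.113.5", 40000, "192.168.1.7", 80)))   # -> None
    out = r.outbound(Packet("tcp", "192.168.1.50", 51000, "198.51.100.9", 80))
    print(out)                                                                  # src 80.19.125.2:1024
    print(r.inbound(Packet("tcp", "198.51.100.9", 80, "80.19.125.2", 1024)))   # -> 192.168.1.50:51000
    print(r.exposed_services())
```

The `exposed_services()` list is the part worth keeping an eye on: each static entry is a hole that is open whether or not anyone inside has started a connection, so it is the list to audit when reviewing a PAT router, while everything else behind the overload is only reachable as a reply to a flow the inside host opened.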
  • tunerX Member Posts: 447
    DrakonBlayde,

    I got a port forwarding question either on the BSCI or the BCRAN (I cannot remember). I did get an overlapping question on the CCIE written. It would be a good idea to learn the different ways to forward and also how to use overlapping nat.
  • rossonieri#1 Member Posts: 799
    OK, and wow. Thanks tunerX... :D
  • Drakonblayde Member Posts: 542
    I guess I misunderstood the question then... Yeah, I know how to forward ports, I've got my services running on different boxes behind a single router with a single public IP address.

    I thought he was asking if you could get past NAT/PAT with a static route, I assumed from the outside, and that's just not gonna work. I see what he's trying to do now, he's trying to hit different services from outside the firewall, to different machines inside, and you don't need a static route for that, just a public IP on the wan interface, and proper forwarding rules.

    So the answer to his initial question is no ;)