
Routing Issue: Problem or No Problem?

Status
Not open for further replies.

sjkted

IS-IT--Management
Nov 27, 2002
28
US
Hello All,

I maintain a rack in a data center and I recently had my Sonicwall router die on me. I was able to replace it by a lower-end router as a stopgap solution. I am now looking to replace it with a Cisco router and I have a question regarding an issue with the previous router and possibly the future router.

I have one-to-one NAT set up for all of my static and dynamic IP Addresses. For purposes of discussion, let's just say that the internal IP Address 192.168.93.70 corresponds with 207.151.148.70. With my previous router, if I had an internal IP Address, I would not be able to contact any of my boxes via their external IP Address. For example, I would be able to telnet 192.168.93.70 80 and get a connection to my webserver, but the routing wouldn't permit a connection to 207.151.148.70 80 even though that should be the same address.

I had spoken with a few so-called SonicWall experts on this and the general consensus was that this is a limitation of the SonicWall and the OS mine was using. Anyways, I have recently installed a web application that requires the ability to contact boxes via internal AND external IPs. If I buy a router with Cisco IOS and do one-to-one NAT, will I have the same problem as with the SonicWall or will this work automatically?

Thanks in advance!

DR.
 
So far I don't know of any problem with NAT on Cisco routers. However the first thing to check on routers in situations as yours is to look at routing table, if it knows what to do with packets that have 207.151.148.70 address.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing."
 
What about a firewall like a Cisco Pix? Will this be able to handle the issue I describe above without blocking packets?

TIA!

DR.
 
Ok. So, if I get a Cisco router and a Cisco Pix firewall, can I add an entry to the routing table so that the boxes with internal IP Addresses can contact themselves via their external IP Addresses without going through the firewall?

This is the part that was unsupported with the SonicWall.
Thanks,

DR.
 
No, this won't work. If the server is configured with an internal IP address then you couldn't possibly contact the live address without going through the firewall as it's the firewall that does the translation.

Also, this won't work with the Pix. The translation only works from one interface to the other. With the Pix you would have a NAT statement like ..

static (inside, outside) <global_IP> <local_IP>

.. so the Pix would only translate between these two interfaces. You couldn't send traffic to the internal interface, have it translated and sent back out the same interface. On this firewall it will not route traffic back out of the same interface that it received the traffic on. I've tested this on a Pix and sure enough it doesn't work.

However, I have just tested this on a Cisco router with NAT and it does work. I can ping the external address from the internal box that the external IP is NATed to!

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Chris,

Thanks for the info. So, just to confirm, you're saying this works because the packet isn't passing through the firewall -- it just gets routed by the Cisco router?

DR.
 
No. Let me explain.

I tried this with a Cisco Pix (despite knowing that it wouldn't work anyway). It didn't work. The main reason for this is that the Pix will not route "on a stick", meaning that you can't route traffic in through the internal interface and then have it route back out of the same interface. So, with a Pix in front of the server you can't connect to the server's 'real' address as the Pix is responsible for the address translation.

However, I then tried this with a router only with NAT configured. With a router you can route "on a stick", so I can pass traffic to the Ethernet interface of the router and it will route that traffic back out of the same interface. So, my PC was configured with 10.19.72.2 with the router on 10.19.72.1 and a static NAT for my external address. From the PC I can ping the live external address.

I hope that this helps.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
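A small simulation of the two behaviours Chris describes above, together with Peter's earlier routing-table check, added here as an illustration and not taken from any Cisco code or documentation: it models a static one-to-one NAT device whose only difference between the two cases is whether it will send a packet back out of the interface it arrived on. The server addresses are the ones from this thread; the routing table, the outside peer 198.51.100.5 and the "hairpin" flag are assumptions.

```python
import ipaddress


class NatDevice:
    """Toy model of a one-to-one NAT device: routing table, static NAT table,
    and a flag for whether it will route a packet back out of its ingress interface."""

    def __init__(self, name, routes, static_nat, allow_hairpin):
        self.name = name
        self.routes = {ipaddress.ip_network(p): i for p, i in routes.items()}
        self.local_to_global = dict(static_nat)             # inside local -> global
        self.global_to_local = {g: l for l, g in static_nat.items()}
        self.allow_hairpin = allow_hairpin                  # assumed per-device policy

    def route(self, dst):
        """Longest-prefix match; None when the table has no entry for dst."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def forward(self, in_iface, src, dst):
        """Return ('forwarded', egress, src, dst) or ('dropped', reason)."""
        if dst in self.global_to_local:
            # Destination is one of our own global addresses: map it back to
            # the local address before asking the routing table where it goes.
            dst = self.global_to_local[dst]
        if in_iface == "inside":
            # Inside hosts leave with their global address (one-to-one NAT).
            src = self.local_to_global.get(src, src)
        egress = self.route(dst)
        if egress is None:
            return ("dropped", f"no route for {dst}")
        if egress == in_iface and not self.allow_hairpin:
            return ("dropped", f"{self.name} will not route back out {in_iface}")
        return ("forwarded", egress, src, dst)


# Server addresses from the thread; the routes are constructed for the example.
STATIC_NAT = {"192.168.93.70": "207.151.148.70", "192.168.93.72": "207.151.148.72"}
ROUTES = {"192.168.93.0/24": "inside", "0.0.0.0/0": "outside"}
PIX = NatDevice("PIX", ROUTES, STATIC_NAT, allow_hairpin=False)
ROUTER = NatDevice("IOS router", ROUTES, STATIC_NAT, allow_hairpin=True)


def server2_to_server1_global(device):
    """SERVER2 talks to SERVER1 by its external address, the case asked about here."""
    return device.forward("inside", "192.168.93.72", "207.151.148.70")
```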
 
Ok. So this is the setup I'm planning to install. As far as I understood from your last post, the router should be routing "on a stick" and the traffic should not even reach the PIX because the router has already taken care of it.

Can you confirm this?

Thanks!

DR.

   Cisco PIX
       |
  Cisco Router
       |
     Switch
     |    |
SERVER1  SERVER2


SERVER1 = 192.168.93.70 / 207.151.148.70
SERVER2 = 192.168.93.72 / 207.151.148.72
 
The only devices that I have come across that let you go out and back in are Linksys routers... not exactly firewall caliber products though!
 