Solved

Can't Reach Public IPs Internal Server?

Posted on 2001-08-23
Last Modified: 2012-08-14
Hi,

We can't reach the public IP addresses on our in-house server (host unreachable) from our NAT clients, but the rest of the Web and our internal networking is fine.

Here's our topology:

Server NIC #1: 192.168.0.7/255.255.255.0 <---> Hub
Server NIC #2: 63.225.95.33 - 37/255.255.255.0 <---> Hub
Cisco 675 DSL Router Ethernet: 192.168.0.1 <---> Hub
Cisco 675 DSL Router WAN: 63.225.95.38(Gateway)/255.255.255.248

Clients: 192.168.0.10/255.255.255.0 (DHCP on router) <--> Hub

The public addresses are hosted on our server and are also shared via NAT.

I tried setting up routes for each public IP to a private IP, but my servers became unreachable.

(I have yet to find a Cisco 675 NAT configuration that works for blocks of multiple IPs that also need static routes.)

I have two NICs so that I don't have file and print sharing on my public IPs and I can do port filtering at the NIC.

Why would the public IPs that I'm hosting be unreachable by my clients?  Is there a simple fix?

Thanks!

Donald Newlands

Question by:donaldnewlands
21 Comments
 
LVL 5

Expert Comment

by:vsamtani
ID: 6417090
What's the default gateway on your clients?

It would help if you can print the route tables from the server and the cisco routers.

Vijay
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6417232
donaldnewlands,
your diagram doesn't really make sense.

Where are your two server NICS plugged into?  show us a detailed map.  Also, why do you have a Public IP address on your server if it's internal?  And why are you trying to access your servers public IP address?

To answer your question, you have an asymmetrical routing problem.  For your internal clients to get to the public IP address of your server, it has to go to the router, right?  If you have it set up correctly to push that traffic to the server's public address then the server will receive it on that port, but his path back to your internal workstation is out his other port and that can be a problem.  You might want to try putting a static route on your internal workstation that says "route -p add [pubIPaddressofserver] 255.255.255.255 [privIPaddressofserver]".  This will cause it to take the same path to and return.  I would try something like that.

But, like I said it's hard to tell what's happening because your description isn't detailed enough to even know the physical/logical layout of your network.
 
LVL 8

Expert Comment

by:scraig84
ID: 6417579
Donald,
Your description makes sense even if the design happens to be a bit unorthodox.  What jwalsh88 had to say about the routing is true - your internal clients will probably not route through the 675 back to your server.  That is a fairly complex NAT function that most routers will not perform - because it is generally not needed.  

Rather than physically addressing your server with public IP's, a traditional approach would be to keep all internal addresses on the inside and address the server accordingly.  The process of getting those external (or public) IP addresses to your server is a function of NAT.  The router is responsible for mapping the external addresses to the internal addresses.  You have the option of mapping multiple external addresses to 1 internal address or you can give your server multiple internal addresses and map the public addresses to them on a 1-to-1 basis.  This is very typical if you have multiple FTP sites on your server.  This should eliminate the problem for internal users not being able to get to the server, because you are now assigning the server addresses that your internal clients can get to normally, and your external clients can get to via NAT.

Hope this helps,
scraig
 
LVL 8

Expert Comment

by:scraig84
ID: 6417592
Sorry just wanted to add this - your configuration steps would be to address the server according to your needs, and then configure static NAT statements on the 675 to map the external addresses to the internal server addresses.
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6417638
scraig84, he has already stated that he wants two separate NICs for the server so he can control access to that public NIC differently than the private NIC.
 
LVL 8

Expert Comment

by:scraig84
ID: 6417687
jwalsh88,
I was laying out all the options.  I know that he probably would not want to use just 1 internal address.  However, he can certainly still use that second NIC, replace the external addresses with public addresses and map the external address to those internal addresses.  This would still allow him to treat those addresses separately.  As long as he doesn't map an external address to one that is performing file sharing, he is getting the desired functionality mentioned and the same level of security.  Let's be honest here though - any time you are plugging your internal and external cards into the same hub (or running them on the same box for that matter) you are running serious security risks.  However, shoring up the security concerns here will be costly to say the least.  Everyone has to weigh the cost vs. security for themselves.
 
LVL 4

Expert Comment

by:escheider
ID: 6417911
Looks like the NIC with the public address has a 24 bit subnet mask where your router has a 29 bit subnet mask.  I'm assuming your network is set up as follows:

Internet <---> 63.225.95.38/29 <-- Router --> 192.168.0.1 <-- Hub -->
                                                               |
                                                    +----------+----------+
                                                    |                     |
                                                 NIC #1                Client
                                                 NIC #2

Is this correct?

The reason your clients can get to the internet is because their default gateway is set to 192.168.0.1.  The reason they can't get to NIC #2 is because NIC #2 isn't on the other side of your default gateway.  Looks like you have some design issues.

Sorry if my diagram stinks, kinda hard to do it in this small window.

 
LVL 4

Expert Comment

by:escheider
ID: 6417919
I hate drawing diagrams in here.  They never turn out as expected.
 
LVL 11

Expert Comment

by:geoffryn
ID: 6418006
Can you post your 675 config?  
 
LVL 55

Expert Comment

by:andyalder
ID: 6418995
Diagram is OK pasted into notepad.
Presumably the 2 NICs have IP addresses on the same private subnet and you can access both of these internally but not the public address that DNS returns, which is the outside of the router, and the workaround of typing the IP address or having a hosts file entry or internal DNS server is too much of a chore.
You could always bind the public IP address to one of the server's NICs as well as the 2 private ones and also an IP address from that subnet to each client (forget the /29 mask, the router won't know you are doing it) but this is even more messing about.

 

Author Comment

by:donaldnewlands
ID: 6419510
Wow!  Thanks for all the replies!

I think that escheider put it most succinctly when he wrote, "it looks like you have some design issues". :)

Regarding escheider's diagram, I'm not sure about the 29 bit mask...  (I know enough only to have gotten myself into this much trouble.)  Generally, we're running translated private traffic and untranslated (?) public traffic on separate NICs in the same server on the same network segment.

Regarding scraig's comment about the "traditional approach",  I tried that but I couldn't get it to work.  I will list the general CBOS configuration that I tried below.

Regarding andyalder's comment about DNS, I'm running a public DNS server on the machine.  I've thought about assigning both a public and a private IP to each service and then looking for a way for DNS or a hosts file to point my clients to the private equivalent for each public address.   But this seems messy.

Regarding router details, the server itself is doing no specific routing or forwarding.

Below is my present CBOS script, which perhaps just needs a simple tweak...?
 
Cisco 675 CBOS setup for NAT on a block of addresses:

set ppp wan0-0 ipcp 0.0.0.0
set ppp wan0-0 dns 0.0.0.0
set int vip0 ip 63.225.95.38
set int vip0 mask 255.255.255.248

set ppp wan0-0 authentication enable
set ppp wan0-0 login username
set ppp wan0-0 password password
set ppp restart enabled

set nat enabled

set web disable
set web port 3333
set web remote 10.0.0.12

set dhcp server enabled
set dhcp server pool 0 ip 192.168.0.10 size 150 netmask 255.255.255.0
set dhcp server pool 0 dns 198.36.160.1
set dhcp server pool 0 sdns 204.147.80.5
set dhcp server pool 0 gateway 192.168.0.1
set dhcp server pool 0 enabled
set interface eth0 address 192.168.0.1
write
reboot

Now, to go with the "traditional approach" and straighten out our "design problem", we should just have to set up the fixed private IP addresses on our server and add a series of statements to our router such as:

set nat entry add 192.168.0.6 80 63.225.95.36 80 tcp
set nat entry add 192.168.0.5 21 63.225.95.35 21 tcp
set nat entry add 192.168.0.4 25 63.225.95.34 25 tcp
...

Right?  I could try again, but so far it doesn't work.

With this setup on the server I had NIC #1 (my "private" NIC) set to 192.168.0.7/255.255.255.0, and 192.168.0.2-6/255.255.255.0 assigned to NIC #2 (the public NIC).

-Donald
 
LVL 8

Expert Comment

by:scraig84
ID: 6419555
Donald,
When you say "it doesn't work" - what exactly doesn't work?  Are users on the outside able to access services?  If so, it's working.

You mention that a split DNS configuration is messy, but it is what is needed.  Users on the inside will need to resolve to private IP's and external users will need to resolve to external IP addresses.  Generally, this is done with multiple DNS servers in a wide variety of configurations.  You could use host files like you said, but that does get a bit cumbersome.  I'm assuming that you have a relatively small shop based on the configuration (I apologize if I'm wrong).  What I have seen most often in smaller configurations such as yours is using a box on the inside to do internal DNS, and contracting the ISP to perform external DNS resolution (this will involve getting the root servers redirected).  Since the databases will be different, they need to be managed completely separately, so if there is a change, the ISP would need to be contacted.  The only other option I know of is using a "split-brain" DNS product that allows different resolution based on the IP address receiving the request.  I don't know of any of these that come cheap however.

Hope that helps some.
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6419615
This is my best guess:

Internet
  ||
Cisco 675
  ||
-Hub/Switch-==Internal Hosts
  ||
Server with 2 NICS plugged into
Same physical network with separate IP addresses.
One nic is translated to a public address.

And when you resolve this server it pulls the public address.  Well that traffic gets sent to the router and the router might not be able to translate it to the private address as the request came from the same interface as the traffic would get sent out.  I think it has a problem with translating the IP address only when the traffic comes in the external interface.  I am not sure though since I don't have any experience with the 675 DSL router.
 
LVL 4

Expert Comment

by:escheider
ID: 6419776
jwalsh, that's exactly what I had in mind when I tried to draw my diagram.

don:

There are two good solutions for your problem, and other experts may have commented on this, but I didn't read everyone's response:

At a high-level overview:

1. Only 1 NIC in the server with a private address.  Have all needed ports, from outside your local network, forwarded to this address.  Internal users would access your server on the local network.

2. Only 1 NIC in the server with a public address.  Place this on the same physical subnet as the external interface of your router.  Users from the internal network would route across your router.

My 2 cents' worth..
 
LVL 55

Expert Comment

by:andyalder
ID: 6419796
Me thinks neither NIC has a public IP address as far as the server understands although it has multiple private IP addresses since strawberry cycleworks and Portland, Oregon 3D and mdaemon mailhost are there.

scraig84>> You mention that a split DNS configuration is messy.
Well actually it was me that said that but you are the first to say it is not messy and is the proper way to do it. There's no incoming DNS redirection on the config but even if there was the incoming queries could be sent to one box and the internal clients set to query another. It really isn't much extra work, you create a new site and have to manually update 2 servers who both think they are master. Split DNS is the way to go, next week I fit a sidewinder f/w with 2 DNS servers and 3 mailhosts in the same box, wish me luck :)
 

Author Comment

by:donaldnewlands
ID: 6420240
Hi,

scraig >> When I say it (the mapped configuration) doesn't work, I mean if I try to access the servers from the outside, they don't respond.

escheider >> I think that's what I've got, except that there are five public addresses on the one NIC and one private IP on the other NIC.

I think in general I will try two things:

1) Try to set up port mappings again so that we have public addresses only at the router (pure NAT).

2) If pure NAT doesn't work, try to set up Win2K Server DNS for a split configuration or contract out DNS services as suggested.

Thanks all!  -- Is there a way to accept all comments as answers or do I have to pick one?

-Donald
 
LVL 3

Accepted Solution

by:
rcasteel earned 300 total points
ID: 6424285
What you are experiencing is fairly common.  There are several solutions to it though.  You are basically NATing an internal client's address to a public address..then re-NATing the packet's destination address from a public address to a private address of the web server.

You can set up an internal DNS zone and point all of your clients to the internal DNS server.  You can then resolve the web server to the private address for the clients.  This prevents any NAT operations since the clients are talking directly to the private address...they will never send the packets to the router. Then you could set up a public DNS zone for the rest of the world.  This zone will contain your public IP address so the rest of the world can go through the NAT process. The nice thing about this is that it reduces a little of the load on the router.  It also improves network performance since the packets will not have to bounce off of the router.  The down side is that you will need to set up the private DNS zone in addition to the public DNS zone.

Another solution may be possible.  Cisco has recognized this problem and they have a fix for it.  I don't remember what it is called but here is how it works...some routers may not support this but I know the PIX515 firewall does.

Basically the router intercepts all of the inbound DNS responses for your internal servers' public addresses...it then substitutes the server's internal address into the DNS packet.  The client thinks the name resolved as usual and is happy...the packets to the host don't need to be NATted so the double NAT problem is solved.  You do not need to set up any new DNS zones...but you will need a router that supports this...and of course it will have to be configured.
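The router-side substitution rcasteel describes above (Cisco's term for it is DNS doctoring), worked through as an added example that is not code from this thread or from any Cisco product: a constructed DNS response for a hypothetical name www.example.com is parsed, and any A record answering with one of the thread's public addresses is rewritten to the private address from an assumed static NAT table (the mapping from the "set nat entry add" lines in the question), leaving the rest of the packet untouched.

```python
import struct
from ipaddress import IPv4Address

# Assumed static NAT table, taken from the "set nat entry add" lines in the question:
# public address -> private address of the server NIC that hosts the service.
NAT_TABLE = {
    "63.225.95.36": "192.168.0.6",
    "63.225.95.35": "192.168.0.5",
    "63.225.95.34": "192.168.0.4",
}


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a DNS name starting at off.
    A compression pointer (top two bits set) is two bytes and ends the name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def doctor_dns_response(pkt: bytes, nat_table=NAT_TABLE) -> tuple:
    """Rewrite A-record RDATA that carries a public NAT address to the private address.
    Returns (rewritten packet, list of (public, private) substitutions made).
    Only the answer section is walked; authority/additional records are left as-is."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12                                   # fixed 12-byte DNS header
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4         # skip QNAME, QTYPE, QCLASS
    out = bytearray(pkt)
    changes = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10                              # TYPE, CLASS, TTL, RDLENGTH
        if rtype == 1 and rclass == 1 and rdlen == 4:       # A record, class IN
            public = str(IPv4Address(pkt[off:off + 4]))
            private = nat_table.get(public)
            if private:                        # same length, so no header/length fixups
                out[off:off + 4] = IPv4Address(private).packed
                changes.append((public, private))
        off += rdlen
    return bytes(out), changes


def build_response(name: str, addr: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: minimal DNS response with one question and one A answer
    whose owner name is a compression pointer back to the question (offset 12)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD/RA set
    question = qname + struct.pack("!HH", 1, 1)                  # A, IN
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(addr).packed
    return header + question + answer


if __name__ == "__main__":
    reply = build_response("www.example.com", "63.225.95.36")
    _, made = doctor_dns_response(reply)
    print(made)
```

This only helps when the private address it substitutes is directly reachable from the client, which is the case for the server's private NIC on the same hub here; a hosts file or internal zone achieves the same result without touching packets.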
 

Author Comment

by:donaldnewlands
ID: 6427611
Right now, I'm using hosts files on the machines that need it to point them to the private addresses for our servers.

Will Windows 2000 Server DNS Server allow me to set up separate zones for different addresses, or do I have to run another DNS server application?
 
LVL 3

Expert Comment

by:rcasteel
ID: 6430250
It depends on what you want to do...if you want the zones to have the same name, then you will have to have a private DNS and a public DNS each on their own server.

Basically you set up a DNS server inside the firewall and set up a zone MYCOMPANY.COM and only place private IPs in the zone.  Then point all of your internal clients to this DNS server...this DNS server will resolve the names first..then if it can't resolve names, it will send them to an upstream DNS server.  The advantage here is that employees will use the same naming inside the firewall as they use outside....the down side is that it requires 2 DNS servers.

Another alternative is to use a single DNS server and put a zone on it called MYCOMPANY.COM that holds all of the public resolutions.  Then create another zone called MYCOMPANY.LOCAL that holds all of the private addresses.

The down side here is that employees must access your website as WWW.MYCOMPANY.LOCAL when they are inside the firewall and WWW.MYCOMPANY.COM when they are outside.  This configuration only requires 1 server though.

Of course you could always take care of it in the firewall...this is the best way to do it but I am not experienced at doing it...I understand the concept but I haven't actually done it.  I did watch intently as a CCIE did it though. :)

BTW if you are running a PIX515, you should NOT use a 6.x IOS to do this...it really freaks...it starts assuming MAC addresses of the servers it translates and really really screws things up..
 
LVL 8

Expert Comment

by:scraig84
ID: 6433397
I beg to differ that "you can always take care of it in the firewall".  This is highly dependent on the type and version of the firewall in question.  Also, I never noticed any mention of a firewall in the above scenario.  

Donald - unfortunately Win2k does not allow for "split brain" functionality and like rcasteel said, you will either need a separate server (whether it's yours or a provider's) or you can set up separate zones and have internal users reference the application differently.  This of course does not work well if you are using a name dependent site, such as a site using host-header resolution or a site that is coded to a particular name.  It is also awkward if it is an application that is used by internal users inside and outside the company.  It can be a support nightmare to try and get a bunch of users to reference the app differently based on location.

 

Author Comment

by:donaldnewlands
ID: 6433566
Thanks!

Yes having a different name/url to use doesn't work very well for us because there are many places in our site where, unfortunately, the URLs are "absolute".

In the short run, hosts files are working fine and in the long run I'm going to find someone else to host our public URLs (Granite Canyon?).

Regards,
Donald Newlands