Solved

Reversing NAT

Posted on 2003-03-26
Last Modified: 2012-06-27
OK, here's a tough one, and I would be extremely grateful if anyone could enlighten me somewhat, or just bring some ideas forward.

Say I have around 20 computers on my internal network; I also have a DNS server and 1 public address. Say I have purchased foobar.com and have decided to make my DNS server authoritative for the domain, and I have mapped my internal network machines to johndoe.foobar.com / janedoe.foobar.com and so forth. My question is: is it in any way possible to make my machines accessible from the outside world by hostname? A kind of reverse network address translation.

Surely there's something around that can do this? And if not, why not?

cheers
Question by:DaveHardwick
8 Comments
 
LVL 16

Expert Comment

by:JammyPak
ID: 8210716
This would depend on what kind of access you want to your internal PCs. Since you have only one public address, the only thing I can see here is using different ports to forward to different ports on each computer.

For example, you could set up rules like the following:
incoming request to public ip on port 19520 - forward internal to janedoe on port 80
incoming request to public ip on port 19521 - forward internal to johndoe on port 80

incoming request to public ip on port 19522 - forward internal to janedoe on port 23
incoming request to public ip on port 19523 - forward internal to johndoe on port 23
then, from the outside you could do:

http://<publicip>:19520 and get to the webserver on janedoe
http://<publicip>:19521 and get to the webserver on johndoe

same thing with telnet/ssh:
telnet <publicip> 19522 telnets you to janedoe
telnet <publicip> 19523 telnets you to johndoe

it's kinda messy, but it does work.
HTH,
JP
LVL 16

Expert Comment

by:JammyPak
ID: 8210742
Somehow that got messed up a little (it seemed to think I was typing HTML).
The URLs would be:

<publicip>:19520 to get to janedoe and
<publicip>:19521 to get to johndoe

Author Comment

by:DaveHardwick
ID: 8211288
Aye, this I have considered. What I don't understand is why it can't work like NAT but the other way round. I mean, why can't a router recognise the request for janedoe.foobar.com and map it to her internal IP address?

I realise that in practice, if a DNS server receives a request, it would just return janedoe's private address, which is absolutely no good. What doesn't make sense to me, I guess, is the IF part: why can't this work / why hasn't it been done? I'm sure it would work pretty much the same as NAT but the other way round?

Is there no system that can map ports from a public IP address to private IP addresses by hostname alone? Or anything similar?
LVL 79

Accepted Solution

by:lrmoore (earned 750 total points)
ID: 8211333
Two issues:
1. When NAT/PAT is being used, there is no guarantee of the ports/maps used by the NAT/PAT translation device; it is all local to that device, unless you specifically map a specific port to forward to a specific internal address, or use a static one-to-one NAT map.
2. DNS just doesn't work that way. I think you're wanting something like:
jane.mycompany.com = publicip:portx
john.mycompany.com = samepublicip:porty
jim.mycompany.com = samepublicip:portz

There simply is no mapping of ports with DNS. IP address only.
LVL 16

Expert Comment

by:JammyPak
ID: 8211482
To further add to lrmoore's comments: the problem is that your router doesn't look at anything above layer 3 (i.e. the IP address), and your firewall won't typically look at anything above layer 4 (TCP and/or UDP ports). There's no way for you to set firewall rules or mappings based on the host name in the upper layers of the packet.

JP
LVL 6

Expert Comment

by:joopv
ID: 8211520
Just to explain a bit more on lrmoore's already very complete answer:
- Routers only recognise IP addresses, not names.
- A DNS server translates between these two.
- A NAT router needs PORT information (together with the destination IP address) to correctly route incoming sessions to the correct systems.
- PORT information is not part of the DNS system (except for mail (MX) records).

The solution would be to use a business account with more available public ip addresses.
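The three answers above (JammyPak's port-forwarding scheme, lrmoore's two issues, and the layer 3/4 explanation) can be tied together in one small model. The following is an added example, not code from the thread or from any product the participants used. It simulates a NAT/PAT device in front of foobar.com's single public address: the only fields the device sees are the IP/TCP header tuple, the zone's A records can only hand out that one address, so two names resolving to it produce identical packets, and an unsolicited inbound packet reaches an internal host only through a static port forward (JammyPak's 1952x scheme) or as return traffic for a flow the inside host opened. The addresses (203.0.113.10 as the public IP, 192.168.1.20/21 for janedoe/johndoe), the dynamic port range starting at 40000 and the names of the classes and functions are assumptions made for the example.

```python
"""Model of a NAT/PAT device in front of foobar.com's single public address.

Added example, not from the original thread. Addresses and port numbers
are assumptions: 203.0.113.10 stands in for the public IP, 192.168.1.x for
janedoe/johndoe, and the 1952x forwards follow JammyPak's scheme above.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"                                          # assumed
INTERNAL = {"janedoe": "192.168.1.20", "johndoe": "192.168.1.21"}   # assumed

# Authoritative zone for foobar.com as the outside world must see it: every
# name can only point at the one public address. An A record carries no port.
DNS_A_RECORDS = {"janedoe.foobar.com": PUBLIC_IP, "johndoe.foobar.com": PUBLIC_IP}

# Static port forwards (JammyPak's scheme): public port -> (host, internal port)
STATIC_FORWARDS = {
    19520: ("janedoe", 80), 19521: ("johndoe", 80),
    19522: ("janedoe", 23), 19523: ("johndoe", 23),
}


@dataclass(frozen=True)
class Packet:
    """The layer 3/4 fields a NAT device can see. There is no hostname field."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    def __init__(self, public_ip: str, forwards: Dict[int, Tuple[str, int]],
                 first_dynamic_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.forwards = dict(forwards)
        # PAT table built from outbound traffic: public port -> 4-tuple of the
        # inside flow. Entries are local to this device, as lrmoore notes.
        self.dynamic: Dict[int, Tuple[str, int, str, int]] = {}
        self.next_port = first_dynamic_port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: rewrite the source to public_ip:<allocated port>."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, existing in self.dynamic.items():
            if existing == flow:          # reuse the mapping for an open flow
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> public_ip: rewrite the destination, or drop (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        flow = self.dynamic.get(pkt.dst_port)
        if flow is not None:
            in_ip, in_port, remote_ip, remote_port = flow
            # Return traffic only: the peer must match the flow that opened it.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
            return None
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is None:
            return None                   # unsolicited and unmapped: dropped
        host, in_port = fwd
        return Packet(pkt.src_ip, pkt.src_port, INTERNAL[host], in_port)


def connect_by_name(nat: NatDevice, client_ip: str, client_port: int,
                    name: str, port: int) -> Optional[Packet]:
    """What an outside client's SYN looks like after DNS resolution and NAT.

    The name is consumed by the client's resolver; the packet that reaches
    the NAT device carries only the resulting address and the chosen port.
    """
    pkt = Packet(client_ip, client_port, DNS_A_RECORDS[name], port)
    return nat.inbound(pkt)


if __name__ == "__main__":
    nat = NatDevice(PUBLIC_IP, STATIC_FORWARDS)
    # Both names resolve to the same address, so port 80 on either name is
    # the same packet to the NAT device; with no forward for 80 it is dropped.
    print(connect_by_name(nat, "198.51.100.7", 51000, "janedoe.foobar.com", 80))
    print(connect_by_name(nat, "198.51.100.7", 51000, "johndoe.foobar.com", 80))
    # Only the public port tells the two hosts apart.
    print(connect_by_name(nat, "198.51.100.7", 51001, "janedoe.foobar.com", 19520))
    print(connect_by_name(nat, "198.51.100.7", 51002, "johndoe.foobar.com", 19521))
```

Running the script shows `None` twice for the two name-based attempts on port 80 and a rewritten packet to 192.168.1.20:80 and 192.168.1.21:80 for the two forwarded ports. The `Packet` class deliberately has no hostname field: that is the whole of lrmoore's and JammyPak's point, the name exists only on the client before resolution and in the application payload afterwards, never in the headers a router or port-forwarding firewall consults.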

Author Comment

by:DaveHardwick
ID: 8211823
Thanks to all that replied; I think I'm satisfied.