Solved

External IP address behind a NAT router

Posted on 2004-08-09
21
10,054 Views
Last Modified: 2007-12-19
Is it possible to have a machine with a public IP address running a web server behind a router that has NAT enabled? I was always under the impression that anything behind the router had to have an internal IP, i.e. 192.168.X.X.
Question by:paulm235
21 Comments
 
LVL 43

Expert Comment

by:JFrederick29
It depends on the router (you can't with Cisco). It may be possible to do so, but the real question is why would you want to?

Consider this, if you addressed an inside server with an IP address different from the internal subnet, all internal web traffic to the server would have to traverse the router to reach the server instead of simply going through your switched network.  This would severely impact performance.
0
 
LVL 2

Expert Comment

by:EvilAardvark
What's stopping you from using the internal ip address on the web server and just forwarding port 80 TCP traffic to that computer?

Then it has the external address of the router, plus the security of NAT.
0
 
LVL 3

Accepted Solution

by:
ynaught earned 500 total points
Paulm235,
     I think you are right: the machine beside your router will have to have an internal IP unless you want to get into multiple network cards.  You have a few options here.   Both involve giving your web serving machine a private NAT address, but it will still work as a web server and people will still be able to access it as a web server using the external address.

1) Best solution in my opinion,
Set up a one to one NAT if your router supports it (Sonicwall has this feature).  If you have a Linux box as a router I can forward the commands to set up one to one NAT.
One to one NAT will take all the traffic pointing to an external IP and forward it to the internal IP, and all the network traffic from the internal IP will appear to be leaving the router from the external IP assigned in the one to one NAT.  You will not have to worry about ports or having other web servers on your network, as all the traffic going to the external IP of your web server will be forwarded by your router to the internal NAT IP of your web server.  I hope that is clear.  If you would like me to explain more I will be happy to answer any further questions.

2) Alternative solution
Again, giving the web server inside your network an internal address, set up port forwarding on your router to forward all traffic to port 80 to the internal address of your web server.  I think if you want to run https you will also have to forward port 443.

I hope this is helpful and I understood your question.

Regards,
0
 
LVL 27

Expert Comment

by:pseudocyber
You CAN with Cisco - but not the way you describe.  What you would do is put the public IP on the OUTSIDE and create a static NAT (one to one).  I don't believe you can do this with most SOHO routers.
0
 

Author Comment

by:paulm235
The guy I work with went to a site and rebuilt one of their servers which has their web server on it. He claims everything is behind the SonicWall (router) yet the machine that's hosting their website has an external ip assigned to it. I was confused as to how (or why) he would have done this.
0
 
LVL 27

Expert Comment

by:pseudocyber
I'm not familiar with the SonicWall router ... but perhaps there's a DMZ port - where it bridges (so it's on the same outside network) over to that port, but the rest are on the inside?
0
 

Author Comment

by:paulm235
ynaught - If you set up one to one NAT to a particular machine and you have other machines that need to be accessed from the outside can you use regular NAT along with the one to one NAT?
0
 
LVL 3

Expert Comment

by:ynaught
With one to one NAT you will have to have at least two external IP addresses, one for your web server and one for everything else. Sorry, I should have added that; I guess that is a big drawback.  We use this method where I work with the Sonicwall and it works well.  You may just have to request an additional IP from your ISP.
Regards,
0
 

Author Comment

by:paulm235
They actually do have more than one ip. So then you are saying that normal NAT can be used in conjunction with the one to one NAT?
0
 
LVL 27

Expert Comment

by:pseudocyber
What do you consider normal nat?  Normal nat to me is a static nat - one to one.  If you're doing on a SOHO box, then that's dynamic NAT - or overload - where one address on the outside represents many addresses on the inside.
0

 
LVL 3

Expert Comment

by:fatlad
In most cases you would be far better off placing the webserver in a DMZ rather than having it on the main trusted LAN; this will require a higher grade firewall as you will need three interfaces (outside, DMZ and trusted).

This will solve most of the NAT problems. Could the SonicWall have a facility to create a subinterface and then run VLANs on the WAN, creating a virtual DMZ? That way it would appear to be on the same LAN but able to have different IP address scheme.
0
 
LVL 3

Expert Comment

by:ynaught
Yes, normal NAT can be used in conjunction with One to One (Static) NAT.   You can have a single External IP pointing directly to your private IP on your web server through One to One NAT and then you can also have a different single ip used through NAT for all your other computers.  Again this is how I am setup with one of the companies I support using a Sonicwall SOHO 2 supporting both One to one NAT and NAT.
Regards,
0
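The setup ynaught describes in the accepted solution and confirms above (one external IP mapped one to one to the web server, a second external IP shared by every other machine), sketched for a Linux router as an added example; these are not ynaught's commands or anything posted in this thread. Interface names and all addresses are assumptions (203.0.113.x is a documentation range used as a placeholder), and because a one-to-one mapping forwards every port, the filter table limits what reaches the server to ports 80 and 443.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a Linux router doing
# one-to-one (static) NAT for a web server plus overload NAT for the rest of
# the LAN. Every value below is an assumption, not taken from the thread.
WAN_IF="eth0"               # assumed outside interface
LAN_IF="eth1"               # assumed inside interface
LAN_NET="192.168.0.0/24"    # constructed internal subnet
WEB_INT="192.168.0.66"      # constructed internal address of the web server
WEB_EXT="203.0.113.10"      # placeholder public IP dedicated to the server
SHARED_EXT="203.0.113.9"    # placeholder public IP shared by everyone else
WEB_PORTS="80,443"          # the only services meant to be reachable

# WEB_EXT must already be routed to, or configured on, WAN_IF.
nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# One-to-one NAT, inbound: every packet for WEB_EXT is rewritten to the server.
-A PREROUTING -i $WAN_IF -d $WEB_EXT -j DNAT --to-destination $WEB_INT
# One-to-one NAT, outbound: the server always leaves as WEB_EXT.
-A POSTROUTING -o $WAN_IF -s $WEB_INT -j SNAT --to-source $WEB_EXT
# Overload NAT: all other LAN hosts share SHARED_EXT (must come second).
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $SHARED_EXT
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open connections outward.
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
# The DNAT rule maps all ports, so the filter decides what is exposed.
-A FORWARD -i $WAN_IF -d $WEB_INT -p tcp -m multiport --dports $WEB_PORTS -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

nat_ruleset
```

Piping the output to `iptables-restore --test` as root parses the ruleset without committing it.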
 

Expert Comment

by:johnocooper
I do exactly this, i.e., run a web server behind NAT.  The reason is it simplifies wiring considerably.    Internal address is 192.168.0.66 and external is 67.122.187.66 and I use IP mapping to connect the two on a Cayman 3546 router.

This does lead to other interesting problems, such as not being able to reach your own web site (from your LAN) w/o some source of local DNS, i.e., no NAT U-turns; at least the Cayman does not support it.
0
 
LVL 5

Expert Comment

by:intreeg
You would need to access your site using the NATed IP if you are trying to access it from behind your firewall.
0
 
LVL 1

Expert Comment

by:mtc_com
Hi paulm235,

You are right, we can put the web server with a public IP address behind the router. But listen, if you assign a public IP address on the web server then you have to put a strong firewall in place for security, because there are a lot of hackers and they will definitely crack your web server.

You can host the web server with a private IP and this will give you better security. All the above members are right. See, paulm235, there are many ways we can host a web server, some of...

1. Assign a public IP address and just implement security things and observe your server and forget it.

2. The second, secured way is to assign a private IP like 192.168.X.X or 172.16.X.X. Configure your router to forward the traffic of port 80, and 8080 if you are using secure pages, and on the router create a NAT so that traffic related to the web server will be forwarded by the router to the web server.

3. The third is to install 2 network cards into the web server. Configure the external IP address on one card, disable NetBIOS over TCP/IP and ports like 135 and other ports if you are using a Windows 2000 based OS, and configure the other network card with a private IP and install Winproxy 4.1 on the server.

Advantages of Winproxy server:
NAT facility is available, port mapping is available, and many more facilities are available.

If you want anything else, tell me and I will guide you.


narendra
Systems Administrator
 

 
0
 
LVL 2

Expert Comment

by:SKCCSUPPORT
Yes.   You can put a public address behind the NAT router/firewall.  After any external address (public address) is NATed to an internal address (in this case, a public address), the internal address will be treated as a private address.  Because after an address has been translated, the outside world (external) doesn't know about the inside world (internal).  So, what you need to do is create a static route or some route to the translated address, which is your web server (public).

For example, your ISP gave you a range of public addresses.  Let's say 66.192.120.0/24 (/24 indicates subnet mask 255.255.255.0).  Now, you want to use 66.192.130.0/24 as the public address instead of 192.168.0.0/16.   What you need to do is NAT an ISP provider address (66.192.120.10) to 66.192.130.10 (web server).  After you have NATed, create a static route to the web server, so that the NAT router forwards the packet to your web server instead of sending it out to the default gateway.  When a packet is sent to 66.192.120.10, it will be forwarded to 66.192.130.10.

I hope this helps.

-Charlie

0
 
LVL 5

Expert Comment

by:intreeg
Nice Answer Charlie!
0
 

Expert Comment

by:edgecombe74
I have a similar question. I have a DSL modem that is assigned a static public IP. I want to use the Sonicwall router for my firewall. If I assign another static public IP to the Sonicwall, how should I go about getting internet traffic to go to my webserver, which will be behind the Sonicwall? The reason I ask is because my DSL modem also does NAT, and I want to know how this will relate to the Sonicwall.
0
 
LVL 5

Expert Comment

by:intreeg
edgecombe74, please post a new question with the model number of your router as well.
0
 

Expert Comment

by:edgecombe74
I plan on purchasing a Sonicwall TZ 170. I already have a Netgear FVL328 VPN router. My DSL modem is a 2 Wire home Portal with a built in Router/switch. The modem was assigned a static public IP by my ISP. I want to replace the Netgear router with the Sonicwall TZ 170. My Webserver will be behind the Sonicwall. I also want to do a VPN with the same machine.
0
 

Expert Comment

by:GIASPACE
Use port forwarding on the router to forward port 80 to the local IP address...192.168.0...of the webserver. This will direct all webserver traffic behind the firewall.
0
