IP Forwarding via manipulating receiver's IP address in TCP/IP header of packet

Posted on 2006-06-05
Last Modified: 2008-02-01
Hello

We are moving our IP block to a different provider's data center from our own back room and wish to help the transition by allowing IP Forwarding via manipulating the receiver's IP address in TCP/IP header of packet.  We wish to take a WAN request destined for an old IP address and simply forward that request to our new IP address by changing the TCP/IP header packet's receiver's IP address.

It seems to me that a hardware device such as the Cisco should be able to substitute the receiver IP address and just send the packet along back out to the WAN with the manipulated "receiver IP address".  Any hints to doing so would be greatly appreciated.

Hardware available:
Cisco 2600 series
SonicWall 3060
Unix boxes: Mac OS X or Linux

TIA
My best
Stoney
Question by:stoneycook
LVL 13

Expert Comment

by:prashsax
ID: 16835780
This is how you can do this.

Connect your old Internet Connection and New Internet Connection to the cisco router.

Then you can enable NAT on the new Internet Connection interface and do a static map between the old IP and the new IP address.

Old Public IP-------|Router|--------New Public IP

Now do a simple static mapping between Old Public IP address to New Public IP address.

So suppose a request comes for the old public IP, say 63.x.x.x; then it will be forwarded to the new public IP, say 89.x.x.x.


Author Comment

by:stoneycook
ID: 16836322
Dear Prashsax

Thanks for the quick response.  Unfortunately we do not have a separate Internet Connection (T-1 or whatever) to our new data center.  We access it via WAN or have just started to setup VPN tunnels between the new facility and ours.

Can Cisco perform NAT translation between two different IP addresses with the SAME Internet Connection Interface?

My best
Stoney

Author Comment

by:stoneycook
ID: 16836410
Opppps.

Of course not.  Stupid question.  It's NAT and by definition it's mapping between external and internal.  On the Cisco, between ethernet and serial I guess.

Sorry for the comment.
Stoney
LVL 13

Expert Comment

by:prashsax
ID: 16836411
OK, so you have one internet connection and you have configured VPN to the new site on the same Internet connection.

Now, you want to redirect traffic coming from internet onto the VPN.

Is that correct?

Author Comment

by:stoneycook
ID: 16836762
Yes we do have a VPN tunnel between our location on our old IP and the data center on our new IP range.  However I was looking for a simple solution to just "covertly modify" the IP header packet and change the destination IP address the header.  Then we could just pass that modified request back out over the WAN to the new destination and the original requestor wouldn't care that the IP address had changed.

Presently we are dual homed with 4 T-1's which load up at peak.  Working with the VPN tunnel over our local SonicWall 3060 Firewall to our newly installed Fortigate Firewalls has proven less than optimal, as traffic would come in, then tunnel to the new location and tunnel back prior to broadcasting back to the originator.

I was hoping for a simple solution that would just covertly redirect and not send traffic out and back over the VPN tunnel.

My best
Stoney
LVL 16

Expert Comment

by:The--Captain
ID: 16839683
>Of course not.  Stupid question.  It's NAT and by definition it's mapping between external and internal

*Not* by definition - only by broken cisco terminology.  Linux could do this (translate IP destination) with no regard for what interface on which the packet arrives or leaves - as such, I'm guessing cisco could probably do it, but the configuration might be a little tricky.

Cheers,
-Jon
LVL 13

Accepted Solution

by:
prashsax earned 1000 total points
ID: 16842132
Yes, The--Captain is correct, Linux could do Source as well as Destination NAT.

I have seen it with Smoothwall and MoNowall(Both are Free Linux Firewalls).

You could try one thing. First Setup a one to one NAT from Public IP to Linux Box.

Then on the Linux Box, set up Source NAT and Destination NAT, so that the packet is again sent to the same router with a different source and destination address.
But the configuration might be tricky. The good thing is that both Smoothwall and MoNowall have graphical interfaces for configuration, so you could try it quickly. Maybe set it up in a MS Virtual PC and give it a try.
LVL 16

Assisted Solution

by:The--Captain
The--Captain earned 1000 total points
ID: 16846621
>But the good thing  is that both smoothwall and Monowall has graphical interfaces

That's a good thing?  As far as I've ever seen, those GUIs *never* support everything you can do with iptables on the command line.

I don't need no stinkin gui - it's a one-liner.

iptables -t nat -I PREROUTING -d <old IP> -j DNAT --to-destination <new IP>

You might also have to turn off ICMP-redirects, but I doubt it.

As I said, since linux can do it, cisco should (not "could", but certainly "should").  Any cisco gurus reading this?

Cheers,
-Jon
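As an added example (not code from this thread or from either expert), the script below turns the two answers above into one reviewable rule set for a Linux box that holds the old public address on a single WAN interface. It emits The--Captain's DNAT one-liner together with the matching SNAT that prashsax describes: without the SNAT, the new server would answer the client directly from the new address, and a TCP client that sent its SYN to the old address would reject that reply, so the box must stay in the return path. It also emits the ip_forward and send_redirects sysctls (the ICMP-redirect point raised above) and the FORWARD rules. The addresses and interface name are constructed placeholders from the RFC 5737 documentation ranges; the function names are my own. Nothing is executed unless the script is run with --apply.

```shell
#!/bin/sh
# Added example (not from the thread): build the iptables/sysctl commands that
# hairpin traffic arriving for OLD_IP on one WAN interface out to NEW_IP.
# OLD_IP is assumed to be configured on this box's WAN interface.

# is_ipv4 ADDR -> exit 0 if ADDR is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, leading/trailing/double dot
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')  # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# redirect_rules OLD_IP NEW_IP WAN_IF -> prints (does not run) the commands:
#  1. ip_forward on; ICMP redirects off on the WAN interface, because the
#     packet leaves through the interface it arrived on.
#  2. DNAT in PREROUTING: rewrite destination OLD_IP -> NEW_IP.
#  3. SNAT in POSTROUTING for connections that were DNATed (conntrack state
#     DNAT): rewrite the source to OLD_IP so the new server replies to this box,
#     which un-NATs the reply back to the original client.
#  4. FORWARD rules for the redirected flow and its return traffic only.
redirect_rules() {
    old="$1"; new="$2"; wan="$3"
    is_ipv4 "$old" || { echo "bad old IP: $old" >&2; return 1; }
    is_ipv4 "$new" || { echo "bad new IP: $new" >&2; return 1; }
    [ -n "$wan" ] || { echo "missing WAN interface name" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$wan.send_redirects=0
iptables -t nat -A PREROUTING -i $wan -d $old -j DNAT --to-destination $new
iptables -t nat -A POSTROUTING -o $wan -d $new -m conntrack --ctstate DNAT -j SNAT --to-source $old
iptables -A FORWARD -i $wan -o $wan -d $new -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage: sh redirect.sh OLD_IP NEW_IP WAN_IF [--apply]
# Without --apply the commands are only printed for review.
if [ $# -ge 3 ]; then
    if [ "$4" = "--apply" ]; then
        redirect_rules "$1" "$2" "$3" | sh -e
    else
        redirect_rules "$1" "$2" "$3"
    fi
fi
```

Run it as `sh redirect.sh 203.0.113.10 198.51.100.20 eth0` first and read the output; add `--apply` only once the rules look right. The SNAT is keyed on conntrack state DNAT rather than on addresses alone so that traffic the box itself originates toward NEW_IP is left untouched, and the FORWARD rules accept only the redirected flow, not arbitrary hairpinned traffic.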