Solved

IPv4 to IPv6 translation or proxy solution

Posted on 2011-03-01
Last Modified: 2012-08-14
I have the need for several hundred publicly facing ssl enabled virtual servers which provide software services to clients. I know that getting a class C from my provider is a no go from the start, so I am wondering if there is a way to convert 1 or 2 public ipv4 addresses using a proxy or some other translation software in my dmz to redirect. Almost a host header type solution where I could resolve via authoritative dns records the ipv6 address locally from the incoming ipv4 which would be used to get the traffic to the dmz. Each virtual machine has multiple self contained services (email, mysql, line of bus software) and due to regulatory requirements I need to be able to separate the clients into discrete environments.

Thanks for any thoughts or possible solutions
Chris Clanton
Question by:cclanton
9 Comments
 
LVL 13

Expert Comment

by:GuruChiu
ID: 35014455
I use a reverse proxy to resolve the same IP using different headers into different discrete back end servers, e.g.
abc.com and def.com all resolve to the same IPv4 address.
The request goes to the reverse proxy, which looks at the http header. It redirects abc.com to 10.1.1.1 and def.com to 10.2.1.1 etc.

Will this help?
0
 

Author Comment

by:cclanton
ID: 35017194
Let me make sure I have my noodle wrapped around this. I have 200 unique ipv6 addresses that have virtual servers running. I advertise the single ipv4 address to the world and it is propagated through remote dns's. When a remote user types in abc.domain.com or smtp.domain.com, the user's dns resolves to my public ipv4 address, which in turn transports them to my proxy, which in turn inspects the request, which I assume still has the abc.domain.com embedded within. The proxy translates the address based upon the unique header information (which I am assuming is still available within the packet) and targets the corresponding ipv6 address, allowing full port access to the ipv6 based machine (i.e. port 25, 443, 80 etc.) on an ipv4 network.
Am I understanding this correctly? Because it seems that it would make ipv4 to ipv6 pretty simple if all the assumptions I am making are correct.

Thanks for any insights
Chris Clanton
0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 750 total points
ID: 35020250
I would honestly stay away from a proxy solution and utilize NAT-PT for IPv4 to IPv6 protocol translations. It will, in the long run, be a much better solution in the end. I have seen companies invest many hours in proxy implementations only to go back to the drawing board and go with a NAT-PT solution.

If using Cisco:

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-nat_trnsln_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1057020

0
LVL 13

Assisted Solution

by:GuruChiu
GuruChiu earned 750 total points
ID: 35021189

If I understand correctly, Chris only has a limited number of IPv4 addresses, fewer than the number of hosts he needs. Static NAT-PT usually has a 1 to 1 mapping for the same protocol (e.g. http). E.g. if Chris needs to run 200 web servers but he only has 10 IPv4 addresses, NAT-PT is not going to help.

Yes, for http traffic, the reverse proxy is able to examine the packet and find out the URL header. I use it for many customers with good results and never need to go back to the drawing board with a NAT-PT solution.
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 35021365
> If Chris need to run 200 web servers but he only have 10 IPv4 addresses, NAT-PT is not going to help.

Correct, he would need a name-based SSL solution:

> Almost a host header type solution where I could resolve via authoritative dns records the ipv6 address locally from the incoming ipv4 which would be used to get the traffic to the dmz.

There is a name-based solution for SSL on some platforms, depending on several other factors:

http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

Billy
0
 

Author Comment

by:cclanton
ID: 35021581
The comment about the limited number of ipv4 addresses is correct, so I can't use a one to one mapping. I looked at the apache solution and could not really tell if this is just a solution for ssl web traffic or whether I could have ports available for ftp, smtp, http, https. I also looked at the cisco implementation, which looks interesting.

So I guess my question should really be refined to: is there a solution that would allow the ipv4 world to get to my public ipv6 addresses that host a virtual server having access to all standard ports?

Thanks
Chris Clanton
0
 
LVL 13

Expert Comment

by:GuruChiu
ID: 35023263
If we know nothing about the application, there is no way to "allow the ipv4 world to get to my public ipv6 addresses that host a virtual server having access to all standard ports". The key here is "access to all standard ports". Any trick I know to map fewer IP addresses to more IP addresses either takes advantage of port mapping, or knows something about the application (e.g. http) which can do some form of mapping or redirection.
0
 

Author Comment

by:cclanton
ID: 35029138
I control both sides of the application, so based upon the above information I am thinking that I need to implement ipv6 on the client end to circumvent all the weirdness associated with ipv4 to ipv6 translation.
Thanks for the input
Chris Clanton
0
 

Author Closing Comment

by:cclanton
ID: 35029175
The real solution was neither, as each contributor elaborated on the limitations of both solutions. This made the appropriate solution apparent.
0
