
how to know the public ip address is actually NAT'ed

I'm going to establish a vpn connection with a public ip address on the destination.
However, how can I test to ensure that the destination public ip address is not actually NAT'ed?

1 Solution
Not sure what you are asking...public IP's are not NAT'd that I know of, can you explain what you are asking a bit more?
If I follow what you are asking then I would be surprised if the Public address was NOT NAT'd to a private (internal) address at the firewall of the receiving location.

I have to agree with smckeown777 that more information, better explanation is needed.
peteryau (Author) Commented:
It happened in a case before that even though the ISP assigned a public ip address, the cisco vpn router could not establish a vpn connection because the real ip detected was not the public ip address assigned.
So I want to test if the public ip address is NAT'd (or is a real public ip address).
Ok I think I know what you are asking...some ISP's allocate public addresses but a different public address for the router

In this case I've no way to determine (that I know of) if the address is NAT'd, but can you ask the other side if they've got their router setup correctly?

To make this work they need a NAT rule mapping the public IP to the private, without this nothing will work correctly...

Course the other way to know is does your VPN connection work? If not then they haven't the rules setup on their end...
peteryau (Author) Commented:
Does it mean that if the ipsec works on the vpn connection test, then I don't need to worry about the bad experience I encountered before?
Em...well if the VPN connects and you obtain IP/connection then yes you are ok...least I think you are...unless I've missed something
typically when you configure a VPN such as that, you would only configure the public/NAT IP on the crypto map and then the NAT rule handles the rest in the background.

at least on a Cisco ASA that's the way it works, you configure your host IP object with its real/internal IP and then specify its NATed IP. Then when building the IPSEC tunnel you just specify the public address in your crypto map.

if your private IP isn't part of your tunnel configuration then it wouldn't be exposed to the peer. generally speaking, if you want to test the NAT itself you can just go to whatismyip.com or similar from the host in question and see if it returns your dedicated NAT IP or the overload address.
peteryau (Author) Commented:
I can establish an ipsec vpn connection using a Draytek router on each side. I don't know whether it means I can do it using a cisco vpn router at both sides again?
I have checked using whatismyip.com on a workstation behind the destination router (NAT) and it shows the fixed ip address of the public address of the destination router. Does it mean OK?
If you can connect the VPN with one router there's no reason a different router will not work...that I know of

As for the NAT check that test isn't going to work, since a workstation on the destination network will ALWAYS show the destination router's public IP - since the majority of pc's behind a router are using the basic NAT translation - i.e. they all use the router's public IP as their public IP

Need more details on what is on the destination end to put this to bed...

I'll explain as best I can
Some ISP's allocate a block of public IP's to a customer - one of the IP's is allocated to the router and the others to servers behind the router
Let's say you got - for example

Router is

Now 99% of pc's/laptops/servers behind the router use the default NAT rule - which basically says everyone on the inside uses the router's public IP for access to internet
In the cases where you need a server to have a separate public IP (one of the other IP's from your block) in order to make it work you need a static NAT rule on the router saying

2nd Public IP - internal private IP -

Without this NAT rule the server behind the router will default to use the existing NAT rule and when you browse from it to whatismyip.com it will report the router's public

If you've added the proper static NAT rule, when you browse to whatismyip it will now report the actual public IP you expect

So in those cases that's where you can determine if a public IP is actually being allocated/used correctly

But I don't think any of this applies to you since you've already established the vpn circuit, so the only issue may be the difference between a Cisco and the Draytek

Or...the destination router's public IP (which showed up from whatismyip - is this the actual public IP you are trying to connect to?)
If it is then you are good to go...
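
Added example, not part of any post in this thread: the comparison the thread circles around, written as a small Python check. It takes the address configured on the router's WAN interface, the address an outside service such as an IP echo site reports, and the address the ISP says it assigned; the function names and sample addresses are assumptions made for illustration.

```python
import ipaddress

# Ranges that cannot be a real Internet-facing address.
NON_PUBLIC = {
    "RFC 1918 private": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "RFC 6598 carrier-grade NAT": ("100.64.0.0/10",),
    "RFC 3927 link-local": ("169.254.0.0/16",),
}


def non_public_range(addr):
    """Return the name of the non-public range holding addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return name
    return None


def nat_verdict(wan_addr, observed_addr, assigned_addr):
    """Classify the path in front of a VPN router (hypothetical helper).

    wan_addr      -- address configured on the router's WAN interface
    observed_addr -- source address an outside host sees (IP echo site)
    assigned_addr -- public address the ISP says it assigned
    """
    wan, seen, want = (ipaddress.ip_address(a)
                       for a in (wan_addr, observed_addr, assigned_addr))
    rng = non_public_range(wan_addr)
    if rng:
        return ("nat-upstream", f"WAN interface holds a {rng} address")
    if wan != seen:
        return ("nat-upstream", f"outside sees {seen}, WAN interface is {wan}")
    if seen != want:
        return ("wrong-peer-address", f"router really uses {seen}, not {want}")
    return ("direct", f"{wan} is on the WAN interface and visible outside")


# Constructed samples; RFC 5737 documentation ranges stand in for public IPs.
SAMPLES = [
    ("100.64.12.7", "203.0.113.10", "203.0.113.10"),   # ISP hands out CGNAT
    ("203.0.113.10", "198.51.100.5", "203.0.113.10"),  # translated upstream
    ("203.0.113.10", "203.0.113.10", "203.0.113.10"),  # genuinely public
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", nat_verdict(*sample))
```

The WAN interface address has to be read from the router itself; a workstation behind the router only ever supplies the observed address.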
