NAT & Static IP Addresses

[bigdavelamb]

Hi there, I yesterday ran into a problem, I have a customer who has five static valid external ip addresses and some clients with only internal addresses, I tried to setup the router/modem to use NAT as well as use the statics as I wished to install PCAnywhere on the static addressed PC's and allow remote admin of the router, however I could not seem to get the PCAnywhere traffic thru the router, would the fact that I had NAT enabled stop this? Is it possible to get a firewall type box that allowed me to close all ports and just open PCAnywhere ports that can then route thru to the static addressed external valid clients (the SMC Barracade would not do this). What is the best solution? I thought maybe I could just use NAT and remove all the statics totally and just use different non standard ports for PCAnywhere.

Would really appreciate someone helping me out please.

Thanks.
Dave

 

[Grenage]

NAT is almost certainly the cause.

You could enable port forwarding on the PCAnywhere ports but you will be restricted to 1 machine per port?

 

[AlexIT]

A many-to-many NAT would allow you to access multiple (up to number of public IP) machines...

Do they have the five public IP machines secured at all?

Alex

 

[bigdavelamb]

Hi there, thanks for the post. They have no other security other than what is provided with the modem/router itself. What exactly is many-to-many NAT?

 

[AlexIT]

I need to understand the network a touch more. Five PC's:

90.1.2.1
90.1.2.2
90.1.2.3
90.1.2.4
90.1.2.5

plus some private PC's:
192.168.2.1
192.168.2.2
192.168.2.3
192.168.2.4
192.168.2.5

There is a modem device which does routing and a hub (or switch)

modem/router---hub---pc(all connected to hub)

Is this correct?

What is the modem device?

Alex

 

[bigdavelamb]

Hi, All the PC's are as you have stated but they are all connected to a single device that does it all modem/hub/router, it's a SMC 7404BRA.

 

[AlexIT]

This product will allow many-to-many NAT. In the Advanced setup you can configure address mapping for 90.1.2.1 to a range of internal IP (192.168.2.1-192.168.2.2.) 90.1.2.2 = (192.168.2.3-192.168.2.4) etc.

I have no idea how its configured at this time, but one possible solution for you is to address map the ten computers to the five public addresses. Then in the virtual server section port map the PCAnywhere to those addresses.

It will look like this:

Address Mapping
90.1.2.1 = (192.168.2.1-192.168.2.2)
90.1.2.2 = (192.168.2.3-192.168.2.4)
90.1.2.3 = (192.168.2.5-192.168.2.6)
90.1.2.4 = (192.168.2.7-192.168.2.8)
90.1.2.5 = (192.168.2.9-192.168.2.10)

Virtual Server
'(This gives access to PC1)
90.1.2.1:5631=192.168.2.1:5631
90.1.2.1:5632=192.168.2.1:5632
'(You must change your PCAnywhere ports to connect to PC2)
90.1.2.1:5301=192.168.2.2:5631
90.1.2.1:5302=192.168.2.2:5632
'(This gives access to PC2)
90.1.2.2:5631=192.168.2.3:5631
90.1.2.2:5632=192.168.2.3:5632
'(You must change your PCAnywhere ports to connect to PC4)
90.1.2.2:5301=192.168.2.4:5631
90.1.2.2:5302=192.168.2.4:5632
etc.

Your Virtual server will BYPASS any firewalling on these ports! So those PCAnywhere connections will be publically accessible. I would not recommend this unless you are seriously budget challenged...

Best option is to add VPN host router inside the 7404, disable the 7404 except as a modem, and VPN connect. This lets you access each PC with PCAnywhere without all the chaninging ports hassle. But this costs...

Alex