
NVR1100 Port Forwarding

Status
Not open for further replies.

RevelinoSuriname

Technical User
Sep 20, 2003
Hi,
I have set up an NVR1100 to do port forwarding to internal servers. (Servers on my LAN)
The public interface has a public IP address that listens on https traffic and forwards it to an internal web server. When the packets arrive at the internal webserver they are processed. In the logfile of the internal webserver I see that the request came from the Private Interface of the NVR1100. So, I assume that the NVR1100 replaced the source IP with its own Private IP. For security reasons we need the actual IP address that initiated the connection (the internet client's IP address) to be logged on the webserver. I know that the NVR should be possible to provide that information. Is there a specific setting that needs to be set?
 
You will need to check with the manual for your router. There may be an IP mapping or pinhole feature. I have it set up on my network with IP maps.

Maria Santella
Technical Sales Engineer
ICP DAS USA, Inc.
 
Hi Maria,
Thanks for your feedback.
The Nortel NVR1100 is doing a perfect job at forwarding the packets to an internal server. So, IP mapping or pinholing is taking place. The problem is that the original source IP address of the packet is being replaced by the router's private IP address.
I am not sure if that's normal behaviour of port forwarding.
Any other idea?

Here the scenario:
Internet Client IP address: x.x.x.x
Router public IP address: a.a.a.a
Router private IP address: b.b.b.1
Internal Webserver IP address: b.b.b.50

When client x.x.x.x sends an https request to a.a.a.a the router forwards the packet to port 443 on b.b.b.50
In the logfile of the webserver I see source: b.b.b.1 and destination b.b.b.50

What I need to see on the webserver is source x.x.x.x and destination b.b.b.50

Maybe you can make a small drawing to visualize.

 
It's called NAT---the edge router needs to translate the public IP's into private and vice-versa, because private IP's are not routeable on the internet. Can you look at logs on the router and see the translations? PAT is NAT with port numbers attached, so I imagine you can see the logs and what translations are taking place. You can also run a syslog server, or packet sniffer/protocol analyzer to see who's connecting when.

Burt
 
Still having problems with this.
What the NVR1100 does is that it replaced the source IP address (the client on the internet) with the address of the private interface on the NVR1100. I am not able to see in the webserver logs from where the actual request came.

Anyone knows what to configure to get the real source IP address?
 
Start a syslog server and configure the router to log the outgoing interface activity. The router is NATting, and that is normal.
The outside source should be seen by the inside interface, but not vice-versa---outside clients cannot see your private IP addresses.
Have you tried a protocol analyzer (Wireshark) on the webserver interface? It should show public IP addresses. Mine does whenever someone FTP's into my server, and I have static NAT set up in my router (Cisco 2620XM).

Burt
 
Packets on the webserver interface show to have as source the private interface address of the router. That is what I don't want. I want the source address to be the exact internet client address. I know for example in ISA server 2004 that you have the option to let ISA server replace the source address with the private interface address of ISA server or to leave the source address as is. I am not sure if that's also an option on those hardware routers/firewalls. Is there any Nortel NVR1100 expert out there that has a solution for this?
 
"Packets on the webserver interface show to have as source the private interface address of the router."
What logs are you reading??? I think you are just way over thinking this...

Burt
 
In the picture in the following URL: You can see the private address of the NVR1100 (10.10.10.133) and the interface address of the webserver (10.10.10.113). The request actually came from a client with a public address. Wireshark runs on the webserver and these are the results.
Shouldn't I see the internet client's address as the source address?
 
That may be a static NAT translation then. What can you tell me about how this router is configured? Does it have logging capabilities?

Burt
 
This router has 3 interfaces. 1 connected to a WAN (ISP), 1 connected to a DMZ and 1 connected to the LAN. The webserver is in the DMZ. There is a NAT rule configured that listens on the WAN interface for https traffic and forwards that via a port forwarding rule to the webserver in the DMZ. Yes this router has logging capabilities. You can see the translations in the log of the router and there you can also find the real source address (internet client address). The router model is a Nortel NVR1100 and I really have no idea what is causing this problem.
Any specific config you are looking for?
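The post above notes that the router's own log still records the real internet client address next to the translated one, even though the webserver only ever sees the router's private interface address. The following is an added example, not code from the thread or from Nortel: it correlates a (constructed, hypothetical-format) router NAT-translation log with (constructed) webserver-side records by matching the translated source IP and source port, so each webserver request can be attributed to the real client. The private addresses 10.10.10.133 and 10.10.10.113 are the ones mentioned in the thread; the public addresses, ports and log formats are made up, and a real NVR1100 log will need its own regex.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample router NAT log (hypothetical format). Each line records
# the real source endpoint, the translated source endpoint the router used
# toward the DMZ, and the destination (the webserver).
ROUTER_NAT_LOG = """\
2003-09-20 10:15:02 NAT: src 203.0.113.7:51234 -> 10.10.10.133:40001 dst 10.10.10.113:443
2003-09-20 10:15:05 NAT: src 198.51.100.23:44321 -> 10.10.10.133:40002 dst 10.10.10.113:443
2003-09-20 10:16:11 NAT: src 203.0.113.7:51240 -> 10.10.10.133:40003 dst 10.10.10.113:443
"""

# Constructed webserver-side records: what the webserver log or a Wireshark
# capture on its interface shows after the router rewrote the source address.
# The last line has no matching translation, to show how gaps are handled.
WEBSERVER_LOG = """\
10.10.10.133:40001 10.10.10.113:443 GET /login HTTP/1.1 200
10.10.10.133:40002 10.10.10.113:443 POST /admin HTTP/1.1 403
10.10.10.133:40003 10.10.10.113:443 GET /index.html HTTP/1.1 200
10.10.10.133:40999 10.10.10.113:443 GET /probe HTTP/1.1 404
"""

NAT_RE = re.compile(r"NAT: src (\S+):(\d+) -> (\S+):(\d+) dst (\S+):(\d+)")
WEB_RE = re.compile(r"^(\S+):(\d+) (\S+):(\d+) (.+)$")

Endpoint = Tuple[str, int]


def parse_nat_log(text: str) -> Dict[Endpoint, Endpoint]:
    """Map each translated (router-private) source endpoint back to the real
    internet client endpoint the router recorded before translation."""
    table: Dict[Endpoint, Endpoint] = {}
    for line in text.splitlines():
        m = NAT_RE.search(line)
        if not m:
            continue  # skip lines that are not translation records
        real_ip, real_port, xlat_ip, xlat_port, _dst_ip, _dst_port = m.groups()
        table[(xlat_ip, int(xlat_port))] = (real_ip, int(real_port))
    return table


def resolve_webserver_log(
    text: str, table: Dict[Endpoint, Endpoint]
) -> List[Tuple[Optional[str], str]]:
    """For each webserver record, return (real_client_ip, request). The source
    port is the key that ties the two logs together; when the router log has
    no matching entry the IP is None so the gap stays visible instead of being
    silently attributed to the router's private address."""
    resolved: List[Tuple[Optional[str], str]] = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        src_ip, src_port, _dst_ip, _dst_port, request = m.groups()
        real = table.get((src_ip, int(src_port)))
        resolved.append((real[0] if real else None, request))
    return resolved


def count_by_client(resolved: List[Tuple[Optional[str], str]]) -> Dict[str, int]:
    """Per-client request counts, with unmatched records bucketed separately."""
    counts: Dict[str, int] = {}
    for ip, _request in resolved:
        key = ip if ip is not None else "unresolved"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    nat_table = parse_nat_log(ROUTER_NAT_LOG)
    attributed = resolve_webserver_log(WEBSERVER_LOG, nat_table)
    for ip, req in attributed:
        print(f"{ip or 'UNRESOLVED':>15}  {req}")
    print(count_by_client(attributed))
```

The correlation only works if the webserver side records the source port as well as the source IP (a packet capture always does; a web server access log usually has to be configured to) and if the router's translation log and the webserver clock agree closely enough that a port reuse by the router is not matched to the wrong connection. Sending the router log to a syslog server, as suggested earlier in the thread, is what makes this kind of after-the-fact attribution possible at all.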
 
Not sure---I have a Cisco 2620XM as my edge router, adsl line, and an FTP server on my LAN with a static NAT statement translating the public to private and vice versa for my FTP server. When I run Wireshark, I can see the public IP addresses that try and connect and crack the admin password, and I can block the entire country of China (that's what I did...lol). So, I would guess at this point that perhaps you should go Cisco...

Burt
 