
Setting up NAT

Status
Not open for further replies.

leeosborne

Technical User
Jul 10, 2002
3
GB
Help please.

I am an Oracle DBA who has been dumped with network admin as our guy left after letting our network get virused badly. My boss has asked me to look into NAT. My aim is to have one external machine with everything else internal. I have 4 machines that are web servers and need to be available to the outside world. Can NAT do this? Can I have an internal machine serving a website that can be seen from outside using NAT? How does this work?

Any pointers greatly appreciated.

Lee
 
Network Area Translation is used to mask internal IP addresses. As an example, you could place all your internal addresses under 192.168.1.x. The device that does the NATing (your firewall) will translate that address, or any addresses from your internal network, to one public address (usually purchased through your ISP).

As long as you have the correct device, NATing is possible (usually any router/firewall will do).

Because of NATing, internal devices are hard to get to since you basically set up phony addresses (in lay terms).
However, again it is possible, depending on what application you use to get to your web server.

As for your web server, two NIC cards will do the trick (one will have a public IP so everyone from the outside can get to it, the other an internal one so everyone in your office can get to it). However, you are mixing a few things here.
 
Although installing 2 NICs in the server will work, it's overcomplicated, and exposes the servers to the outside world.

You want:[tt]
simple: internet--modem--NAT router--switch--PCs
paranoid: internet--modem--firewall--router--switch -- PCs[/tt]

When a PC inside the LAN requests something (e.g. a webpage) it actually appears to have been asked for by the NAT device. When the data is received, the NAT remembers who asked for it, and forwards it on.

The tricky part is if someone from the outside tries to connect in - e.g. to a webserver. The NAT sees this incoming data - but no client has asked for it!
The answer is port forwarding (also known as virtual server). Rather than making the entire server visible to the outside, you choose which ports are needed on that server.
http=80, ftp=21, ssh=22, smtp=25, pop3=110, imap=143

It's even more complicated in this case because you have 4 webservers. This means that an inbound connection on port 80 can't just be forwarded to one place - you need another thing to examine.

With 4 webservers under NAT, you can either:
- use 4 different ports (e.g. 80, 81, 82, 83); this requires more knowledge & IT literacy on the part of your users
- have 4 public IPs on the NAT device, and forward appropriately; you need a good (i.e. more expensive!) NAT device
- operate virtual servers forwarding by URL; this could either be through a decent NAT device, or a second internal device running virtual server redirection (Octagate is an example)

Short answer: Yes, NAT can do what you want!

<marc> i wonder what will happen if i press this...[ul][li]please tell us if our suggestion has helped[/li][li]need some help? faq581-3339[/li][/ul]
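The two mechanisms manarth describes above (the NAT device remembering which LAN host asked for something, and a static port-forward table for unsolicited inbound connections to the four web servers, by port or by a second public IP) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread or from any NAT product; every address and port in it is a constructed sample value (RFC 1918 ranges inside, documentation ranges outside), and `Nat`, `Packet` and `demo` are names chosen here.

```python
"""Toy stateful NAT with a port-forward (virtual server) table.

Added example, not from the thread. Models the behaviour described above:
outbound flows are tracked and rewritten to the public address, replies are
mapped back to the LAN host that asked, and unsolicited inbound packets are
delivered only where a port-forward rule says so; everything else is dropped.
All IPs/ports below are constructed sample values; nothing touches a network.
"""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed: the NAT device's one public address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    public_ip: str
    # static DNAT rules: (public_ip, public_port) -> (internal_ip, internal_port)
    forwards: dict = field(default_factory=dict)
    # tracked outbound flows: (lan_ip, lan_port, remote_ip, remote_port) -> public_port
    _outbound: dict = field(default_factory=dict)
    # reverse lookup for replies: public_port -> the flow tuple above
    _reverse: dict = field(default_factory=dict)
    _next_port: int = 40000  # first translated source port handed out

    def add_forward(self, public_port, internal_ip, internal_port, public_ip=None):
        """Virtual-server rule; public_ip lets a device with several public IPs forward each separately."""
        self.forwards[(public_ip or self.public_ip, public_port)] = (internal_ip, internal_port)

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the public IP and a tracked port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._outbound:
            self._outbound[key] = self._next_port
            self._reverse[self._next_port] = key
            self._next_port += 1
        return Packet(self.public_ip, self._outbound[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: a reply to a tracked flow, a forwarded port, or None (dropped)."""
        # 1. reply to something a LAN host asked for: must come from the same remote host/port
        state = self._reverse.get(pkt.dst_port)
        if state and pkt.dst_ip == self.public_ip and (pkt.src_ip, pkt.src_port) == state[2:]:
            return Packet(pkt.src_ip, pkt.src_port, state[0], state[1])
        # 2. static port-forward rule for this public IP and port
        fwd = self.forwards.get((pkt.dst_ip, pkt.dst_port))
        if fwd:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        # 3. nobody asked for it and nothing is forwarded: drop
        return None


def demo():
    """Walk through the scenarios from the thread and return what the NAT did."""
    nat = Nat(PUBLIC_IP)
    # option 1: four web servers reachable on four public ports (80..83), each listening on 80 inside
    servers = {80: "192.168.1.11", 81: "192.168.1.12", 82: "192.168.1.13", 83: "192.168.1.14"}
    for pub_port, ip in servers.items():
        nat.add_forward(pub_port, ip, 80)
    # option 2: a second public IP whose port 80 goes to a different server
    nat.add_forward(80, "192.168.1.12", 80, public_ip="203.0.113.11")

    results = {}
    # a LAN PC fetches a web page; the outside sees only the NAT's address and port
    out = nat.outbound(Packet("192.168.1.50", 51000, "198.51.100.7", 80))
    results["outbound_src"] = (out.src_ip, out.src_port)
    # the reply returns to that public port and is handed back to the PC
    back = nat.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, out.src_port))
    results["reply_dst"] = (back.dst_ip, back.dst_port)
    # an unsolicited connection to public port 81 lands on the second web server
    results["port81"] = nat.inbound(Packet("198.51.100.9", 33000, PUBLIC_IP, 81)).dst_ip
    # the same via the second public IP's port 80
    results["second_ip"] = nat.inbound(Packet("198.51.100.9", 33001, "203.0.113.11", 80)).dst_ip
    # unsolicited inbound to a port with no rule (ssh here) is dropped
    results["ssh_dropped"] = nat.inbound(Packet("198.51.100.9", 33002, PUBLIC_IP, 22)) is None
    # a "reply" to the tracked port from a host the PC never talked to is also dropped
    results["forged_reply_dropped"] = nat.inbound(Packet("198.51.100.9", 80, PUBLIC_IP, out.src_port)) is None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Step 1 of `inbound` is the part that makes NAT a useful default filter: a packet is only mapped back to a LAN host if it matches a flow that host opened, including the remote address and port, so a stray packet aimed at a translated port goes nowhere. Step 2 is exactly the "expose only the ports you need" advice above, and the `public_ip` argument on `add_forward` is the multiple-public-IP option; a real router does the same bookkeeping with a connection-tracking table and DNAT rules.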
 
If at least one of your machines is Win2k Advanced Server, you can use the Windows Network Load Balancing features to NAT by port your four web servers, and NAT by port the remainder of your local LAN.

As manarth suggested above, NAT is generally what a router can do. Depending on the sophistication of the router, you can create a virtual LAN pool with the same port for your four servers, and segregate the LAN behind NAT IPs.

This sort of application is beyond the scope of regular retail broadband routers. Look at the new offerings by Extreme, Cisco and possibly ZyXEL.

It would be worth considering at the front end using a hardware firewall device. There are several manufacturers. The four web servers would require something slightly fancy behind them: either use the Win2k server RRAS and WNLB features of the OS for load balancing by port for a cluster; or look at my earlier recommendations for high-end routers that offer VLAN features that match your needs.
 
lol - just read the dates on the thread.

the poor guy waited nearly a year for his answer!

<marc> i wonder what will happen if i press this...[ul][li]please tell us if our suggestion has helped[/li][li]need some help? faq581-3339[/li][/ul]
 