  • Is NATting possible on 2 separate private IPs?

    Hello. Straight to the chase.
    I have just set up a brand new network. I have 2 Windows Server 2003 R2 DCs (one primary, one secondary). Their external IPs are 192.168.1.2/24 and 192.168.1.3/24, which connect to the router for the default gateway. On the same DCs, I have also installed more NICs to support the internal network. Their IPs are 192.168.2.1/24 and 192.168.2.2/24.

    I also have a new Exchange Server 2003 SP1 on the network, with an IP of 192.168.2.3, which uses the primary or secondary domain controller for access to the internet.

    My problem lies in the router. I have a Cisco 2811. With the following command I translated the SMTP requests for my network:
    "ip nat inside source static tcp 192.168.1.2 25 xxx.xxx.xxx.xxx 25 extendable"
    (xxx.xxx = public IP)
    When I enter the command a second time with the IP of the 2nd DC, the router replies "similar entry already exists"......
    What can I do that will give me the NAT translations that I need?
    My router is the 2811 with 2 Ethernet ports and 1 ADSL interface.
    I tried compiling an access list to bind with a NAT pool name, but that didn't work either.
    Please?
    Thanks in advance
    KV

  • #2
    Re: Is NATting possible on 2 separate private IPs?

    Hiya,

    I think your problem is that you are trying to forward the same port to 2 internal devices on the same external IP address. The router, quite correctly, is telling you you can't do that, because you can't! If you had more external IPs you could set up a couple of them on the outside and forward them in, i.e.

    xxx.xxx.xxx.xxx->192.168.1.2 on tcp 25

    yyy.yyy.yyy.yyy->192.168.1.3 on tcp 25

    I'm a wee bit puzzled as to what you are actually trying to achieve here. Are you using the 'internal' NICs as pseudo firewalls? Why does the Exchange Server need to be able to use 2 separate DCs as gateways?

    To simplify things, why not just set everything up on one flat internal network? That way, you can just forward port 25 tcp into the Exchange Server, which is sort of what it expects? Is there really a need for this complexity?

    regards

    theterranaut
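    As an added illustration (not code from this thread, from Cisco, or from any poster), the following Python toy models a router's static translation table: it parses the "ip nat inside source static" command quoted in the original post, refuses a second entry that claims the same public address and port (the conflict the router reported), and shows that a second public address resolves it. The public IPs 203.0.113.10 and 203.0.113.11 are constructed placeholders for the xxx/yyy addresses above.

```python
import re

# Static PAT form used in the thread (toy model of the router's table, not IOS code):
#   ip nat inside source static tcp <inside-local> <port> <outside-global> <port> [extendable]
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)(?: extendable)?$")

class StaticNatTable:
    def __init__(self):
        self.entries = {}   # (proto, outside_global, outside_port) -> (inside_local, inside_port)

    def add(self, command):
        m = STATIC_RE.match(command.strip())
        if not m:
            raise ValueError(f"unsupported command: {command!r}")
        proto, inside_local, inside_port, outside_global, outside_port = m.groups()
        key = (proto, outside_global, int(outside_port))
        # Inbound packets are matched on (proto, outside address, outside port);
        # a second entry with the same key would be ambiguous, so it is refused.
        if key in self.entries:
            raise ValueError("% similar static entry already exists")
        self.entries[key] = (inside_local, int(inside_port))
        return key

    def inbound(self, proto, dst_ip, dst_port):
        """Inside host:port that an inbound packet to dst_ip:dst_port reaches, or None."""
        return self.entries.get((proto, dst_ip, dst_port))

def one_public_ip():
    """The original post's attempt: the same public IP and port for both DCs."""
    table = StaticNatTable()
    table.add("ip nat inside source static tcp 192.168.1.2 25 203.0.113.10 25 extendable")
    try:
        table.add("ip nat inside source static tcp 192.168.1.3 25 203.0.113.10 25 extendable")
        return "accepted"
    except ValueError as err:
        return str(err)

def two_public_ips():
    """theterranaut's fix: a second public address (constructed) for the second DC."""
    table = StaticNatTable()
    table.add("ip nat inside source static tcp 192.168.1.2 25 203.0.113.10 25 extendable")
    table.add("ip nat inside source static tcp 192.168.1.3 25 203.0.113.11 25 extendable")
    return table
```

    The lookup is keyed on the public side only, which is exactly why one public address and port can never fan out to two inside hosts without some device in front of them presenting a single virtual IP.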



    • #3
      Re: Is NATting possible on 2 separate private IPs?

      Thanks.

      I have my Exchange hooked up with 2 default gateways (2 DCs) for redundancy purposes. The bigger picture is to create a front-end/back-end solution in the near future.

      If one DC fails, the other one picks up in its place.
      I had thought of putting everything on the same level, like you said, but I wanted to try it out like this first.

      It seems bizarre that I can't create a 'backup' NAT translation...

      Thanks,

      KV



      • #4
        Re: Is NATting possible on 2 separate private IPs?

        I see what you mean.
        I think in this case you should consider 'clustering' the machines which you want to appear as gateways. That way, you can present a 'virtual ip' to the world.

        I may be wrong, but I suspect a DC can't be an Exchange front-end server for some reason (Bill G needs more money, most probably).

        I take your point re 'backup' NAT. I certainly don't know of a way, but maybe others do?

        regards

        theterranaut



        • #5
          Re: Is NATting possible on 2 separate private IPs?

          Originally posted by kvouzoplis:
          Hello. Straight to the chase.
          I have just set up a brand new network. I have 2 Windows Server 2003 R2 DCs (one primary, one secondary). Their external IPs are 192.168.1.2/24 and 192.168.1.3/24, which connect to the router for the default gateway. On the same DCs, I have also installed more NICs to support the internal network. Their IPs are 192.168.2.1/24 and 192.168.2.2/24.

          I also have a new Exchange Server 2003 SP1 on the network, with an IP of 192.168.2.3, which uses the primary or secondary domain controller for access to the internet.

          My problem lies in the router. I have a Cisco 2811. With the following command I translated the SMTP requests for my network:
          "ip nat inside source static tcp 192.168.1.2 25 xxx.xxx.xxx.xxx 25 extendable"
          (xxx.xxx = public IP)
          When I enter the command a second time with the IP of the 2nd DC, the router replies "similar entry already exists"......
          What can I do that will give me the NAT translations that I need?
          My router is the 2811 with 2 Ethernet ports and 1 ADSL interface.
          I tried compiling an access list to bind with a NAT pool name, but that didn't work either.
          Please?
          Thanks in advance
          KV

          Ok, I'm a bit confused too. You said that 192.168.1.xxx are external IPs, but technically they are not; they are private IPs. I'm assuming you have a T1 or some other kind of dedicated line. In that case the IP that is provided to you by your ISP is your public or external IP. Now, if you really want to load balance everything, you can use clustering or get a router with two WAN interfaces, hook up two high-speed circuits to it and route traffic between them (create a VPN). If your router does not have the ability to do that, then you can use two different routers to accomplish this. Now you have what you want to do.
          You can forward the same port to those two servers from 2 different routers, and there is a VPN that exists between them and traffic is being routed, so you are good to go. If one WAN interface goes down or one server goes down, you have the other one up and running. Hope this helps.
          Cheers



          • #6
            Re: Is NATting possible on 2 separate private IPs?

            Originally posted by usits:
            Ok, I'm a bit confused too. You said that 192.168.1.xxx are external IPs, but technically they are not; they are private IPs. I'm assuming you have a T1 or some other kind of dedicated line. In that case the IP that is provided to you by your ISP is your public or external IP. Now, if you really want to load balance everything, you can use clustering or get a router with two WAN interfaces, hook up two high-speed circuits to it and route traffic between them (create a VPN). If your router does not have the ability to do that, then you can use two different routers to accomplish this. Now you have what you want to do.
            You can forward the same port to those two servers from 2 different routers, and there is a VPN that exists between them and traffic is being routed, so you are good to go. If one WAN interface goes down or one server goes down, you have the other one up and running. Hope this helps.
            Cheers

            I think he means that the RFC1918 addresses are on HIS external network. Semantics.

            A question: I'm not sure why he needs a VPN. A VPN is an encrypted 'tunnel' across a network; how exactly will that help in this scenario?
            And how can inbound email, sent from anywhere in the world to this man's server (the whole point of this man's endeavours) be load balanced, exactly?
            Maybe a diagram of your suggestion would help?

            regards

            theterranaut
            Last edited by theterranaut; 12th December 2006, 21:34.



            • #7
              Re: Is NATting possible on 2 separate private IPs?

              Since in that scenario he will be using two gateways and two different high-speed circuits, two different WAN IPs, the VPN will be so that both networks can pass traffic through. We have a setup like that and it works great. We can bring our DCs and Exchange servers down at one location for maintenance and no one has issues with the network.



              • #8
                Re: Is NATting possible on 2 separate private IPs?

                I think you maybe have misread the OP, usits.

                kvouzoplis isn't using two WAN gateways. He (?) has two internal servers with 2 NICs each: each server has a NIC on HIS external network (private) and on his internal network (also private).

                Quote from the OP:

                "I have just set up a brand new network. I have 2 Windows Server 2003 R2 DCs (one primary, one secondary). Their external IPs are 192.168.1.2/24 and 192.168.1.3/24, which connect to the router for the default gateway. On the same DCs, I have also installed more NICs to support the internal network. Their IPs are 192.168.2.1/24 and 192.168.2.2/24."

                So, with only one router, you can only forward an individual port from an individual external IP address.
                The only workable solution I can think of is some Windows clustering, to present a virtual IP to the outside world.
                The router will then forward tcp 25 to this IP address: no matter what happens internally (if a DC fails, etc.), as long as the same virtual IP is presented to the router then SMTP should get through.

                That's why I wondered about your VPN scenario: I think I see where you are coming from now. Actually, that sounds quite interesting: you should really draw a diagram to illustrate. It sounds like a clever solution to your problem, and I think we could all learn from it.

                regards
                theterranaut
                Last edited by theterranaut; 13th December 2006, 08:01.



                • #9
                  Re: Is NATting possible on 2 separate private IPs?

                  Oh, I know he has only one router, but that is why I suggested two different routers, because his main concern is fault tolerance. BTW, thanks theterranaut, I will draw it up and post the link back here.



                  • #10
                    Re: Is NATting possible on 2 separate private IPs?

                    Hi,

                    I think the following should work in your case.

                    You want to have one single public IP to be translated to your DCs (1.2 & 1.3).

                    Create an access list:

                    ! wildcard mask 0.0.0.0 matches the single host (255.255.255.255 would match any address)
                    access-list 1 permit 192.168.1.2 0.0.0.0
                    access-list 1 permit 192.168.1.3 0.0.0.0

                    Now place this with your NAT:

                    ip nat source list 1 x.x.x.x x.x.x.x (please refer to the full command in IOS)

                    Go to your Ethernet and serial interfaces to place the ip nat inside and outside.

                    Now with another access list you allow only the SMTP / POP3 traffic as required.

                    Hope this will solve the issue...

                    If you guys find this may be a wrong one, please advise.

                    Regards

                    Prabu



                    • #11
                      Re: Is NATting possible on 2 separate private IPs?

                      This setup is really goofy and makes no sense to me.

                      As others have said, you cannot NAT one external IP & port to multiple internal hosts. Get additional public IPs from your ISP if this is your goal.

                      Yes, you can run Exchange front-ends on DCs if you want, though.

                      My suggestion is that you collapse this weird network you've built into a simple flat single subnet. If you want multiple public MXes, you're going to need an additional IP from your ISP to make it happen.
                      Thanks,
                      Brian Desmond
                      Microsoft MVP - Directory Services
                      www.briandesmond.com
