Is NATting possible on 2 separate private IPs?


This topic contains 10 replies, has 5 voices, and was last updated by bdesmond-mvp 12 years, 12 months ago.

    kvouzoplis
    Member
    #118789

    Hello. Straight to the chase.
    I have just set up a brand new network. I have 2 Windows Server 2003 R2 DCs (one primary, one secondary). Their external IPs are 192.168.1.2/24 and 192.168.1.3/24, which connect to the router for default gateway. Again on the same DCs, I have also installed more NICs to support the internal network. Their IPs are 192.168.2.1/24 and 192.168.2.2/24.

    I also have a new Exchange Server 2003 SP1 on the network, with an IP of 192.168.2.3, which uses the primary or secondary domain controller for access to the internet.

    My problem lies in the router. I have a Cisco 2811. With the following command I translated the SMTP requests for my network:
    "ip nat inside source static tcp 192.168.1.2 25 xxx.xxx.xxx.xxx 25 extendable"
    (xxx.xxx = public IP)
    When I enter the command a second time with the IP of the 2nd DC, the router replies "similar entry already exists"...
    What can I do that will give me the NAT translations that I need?
    My router is the 2811 with 2 Ethernet ports and 1 ADSL interface.
    I tried compiling an access list to bind with a NAT pool name, but that didn't work either.
    Please?
    Thanks in advance
    KV

    theterranaut
    Member
    #285856

    Re: Is NATting possible on 2 separate private IPs?

    Hiya,

    I think your problem is that you are trying to forward the same port to 2 internal devices on the same external IP address. The router, quite correctly, is telling you you can't do that, because you can't! If you had more external IPs you could set up a couple of them on the outside and forward them in, i.e.

    xxx.xxx.xxx.xxx->192.168.1.2 on tcp 25

    yyy.yyy.yyy.yyy->192.168.1.3 on tcp 25

    I'm a wee bit puzzled as to what you are actually trying to achieve here. Are you using the 'internal' NICs as pseudo firewalls? Why does the Exchange Server need to be able to use 2 separate DCs as gateways?

    To simplify things, why not just set everything up on one flat internal network? That way, you can just forward port 25 tcp into the Exchange Server, which is sort of what it expects? Is there really a need for this complexity?

    regards

    theterranaut
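    As an added illustration of the two-public-IP approach theterranaut describes (this is not configuration from the thread), here is a Cisco IOS fragment. The public addresses 203.0.113.10 and 203.0.113.11 are RFC 5737 documentation placeholders standing in for the two addresses the ISP would have to provide, and the interface names FastEthernet0/0 and Dialer0 are assumed.

```cisco
! Added example, not from the thread. 203.0.113.10/.11 are documentation
! placeholders for two ISP-provided public addresses; interface names assumed.
interface FastEthernet0/0
 description LAN side facing the DCs (192.168.1.0/24)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 description ADSL uplink; the ISP must route both public addresses here
 ip nat outside
 ip access-group SMTP-IN in
!
! Two static PAT entries coexist because each uses a different outside
! address. Reusing 203.0.113.10:25 for the second DC fails with
! "similar entry already exists", which is what the OP ran into.
ip nat inside source static tcp 192.168.1.2 25 203.0.113.10 25 extendable
ip nat inside source static tcp 192.168.1.3 25 203.0.113.11 25 extendable
!
! Inbound filter on the outside interface. Outside-to-inside packets are
! checked against the ACL before translation, so match the public addresses
! and expose only TCP 25 to the two mapped hosts.
ip access-list extended SMTP-IN
 permit tcp any host 203.0.113.10 eq smtp
 permit tcp any host 203.0.113.11 eq smtp
 permit tcp any any established
 deny ip any any log
!
! Verify on the router:
!   show ip nat translations
!   show ip nat statistics
```

    The "established" line only lets replies to outbound TCP sessions back in; on an IOS image with the firewall feature set, stateful inspection (ip inspect) is the better replacement for it.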

    kvouzoplis
    Member
    #290890

    Re: Is NATting possible on 2 separate private IPs?

    Thanks.

    I have my Exchange hooked up with 2 default gateways (2 DCs) for redundancy purposes. The bigger picture is to create a front-end/back-end solution in the near future.

    If one DC fails, the other one picks up in its place.
    I had thought of putting everything on the same level, like you said, but I wanted to try it out like this first.

    It seems bizarre that I can't create a 'backup' NAT translation...

    Thanks,

    KV

    theterranaut
    Member
    #285858

    Re: Is NATting possible on 2 separate private IPs?

    I see what you mean.
    I think in this case you should consider 'clustering' the machines which you want to appear as gateways. That way, you can present a 'virtual IP' to the world.

    I may be wrong, but I suspect a DC can't be an Exchange front-end server for some reason (Bill G needs more money, most probably :)

    I take your point re 'backup' NAT. I certainly don't know of a way, but maybe others do?

    regards

    theterranaut

    usits
    Member
    #290676

    Re: Is NATting possible on 2 separate private IPs?

    kvouzoplis;48723 wrote:
    Hello. Straight to the chase.
    I have just set up a brand new network. I have 2 Windows Server 2003 R2 DCs (one primary, one secondary). Their external IPs are 192.168.1.2/24 and 192.168.1.3/24, which connect to the router for default gateway. Again on the same DCs, I have also installed more NICs to support the internal network. Their IPs are 192.168.2.1/24 and 192.168.2.2/24.

    I also have a new Exchange Server 2003 SP1 on the network, with an IP of 192.168.2.3, which uses the primary or secondary domain controller for access to the internet.

    My problem lies in the router. I have a Cisco 2811. With the following command I translated the SMTP requests for my network:
    "ip nat inside source static tcp 192.168.1.2 25 xxx.xxx.xxx.xxx 25 extendable"
    (xxx.xxx = public IP)
    When I enter the command a second time with the IP of the 2nd DC, the router replies "similar entry already exists"...
    What can I do that will give me the NAT translations that I need?
    My router is the 2811 with 2 Ethernet ports and 1 ADSL interface.
    I tried compiling an access list to bind with a NAT pool name, but that didn't work either.
    Please?
    Thanks in advance
    KV

    OK, I'm a bit confused too. You said that 192.168.1.xxx are external IPs, but technically they are not; they are private IPs. I'm assuming you have a T1 or some other kind of dedicated line. In that case the IP that is provided to you by your ISP is your public or external IP. Now if you really want to load balance everything you can use clustering, or get a router with two WAN interfaces, hook up two high speed circuits to it and route traffic between them (create a VPN). If your router does not have the ability to do that, then you can use two different routers to accomplish this. Now you have what you want to do.
    You can forward the same port to those two servers from 2 different routers, and there is a VPN that exists between them and traffic is being routed, so you are good to go. If one WAN interface goes down or one server goes down you have the other one up and running. Hope this helps.
    Cheers

    theterranaut
    Member
    #285859

    Re: Is NATting possible on 2 separate private IPs?

    usits;48940 wrote:
    OK, I'm a bit confused too. You said that 192.168.1.xxx are external IPs, but technically they are not; they are private IPs. I'm assuming you have a T1 or some other kind of dedicated line. In that case the IP that is provided to you by your ISP is your public or external IP. Now if you really want to load balance everything you can use clustering, or get a router with two WAN interfaces, hook up two high speed circuits to it and route traffic between them (create a VPN). If your router does not have the ability to do that, then you can use two different routers to accomplish this. Now you have what you want to do.
    You can forward the same port to those two servers from 2 different routers, and there is a VPN that exists between them and traffic is being routed, so you are good to go. If one WAN interface goes down or one server goes down you have the other one up and running. Hope this helps.
    Cheers

    I think he means that the RFC1918 addresses are on HIS external network. Semantics.

    A question: I'm not sure why he needs a VPN. A VPN is an encrypted 'tunnel' across a network; how exactly will that help in this scenario?
    And how can inbound email, sent from anywhere in the world to this man’s server (the whole point of this man’s endeavours) be load balanced, exactly?
    Maybe a diagram of your suggestion would help?

    regards

    theterranaut

    usits
    Member
    #290680

    Re: Is NATting possible on 2 separate private IPs?

    Since in that scenario he will be using two gateways and two different high speed circuits, there are two different WAN IPs. So the VPN is there so that both networks can pass traffic through. We have a setup like that and it works great. We can bring our DCs and Exchange servers down at one location for maintenance and no one has issues with the network.

    theterranaut
    Member
    #285861

    Re: Is NATting possible on 2 separate private IPs?

    I think you may have misread the OP, usits.

    kvouzoplis isn't using two WAN gateways. He (?) has two internal servers with 2 NICs each: each server has a NIC on HIS external network (private) and on his internal network (also private).

    Quote from the OP:

    "I have just set up a brand new network. I have 2 Windows Server 2003 R2 DCs (one primary, one secondary). Their external IPs are 192.168.1.2/24 and 192.168.1.3/24, which connect to the router for default gateway. Again on the same DCs, I have also installed more NICs to support the internal network. Their IPs are 192.168.2.1/24 and 192.168.2.2/24."

    So, with only one router, you can only forward an individual port from an individual external IP address.
    The only workable solution I can think of is some Windows clustering, to present a virtual IP to the outside world.
    The router will then forward TCP 25 to this IP address: no matter what happens internally (if a DC fails, etc.), as long as the same virtual IP is presented to the router then SMTP should get through.

    That's why I wondered about your VPN scenario: I think I see where you are coming from now. Actually, that sounds quite interesting: you should really draw a diagram to illustrate, it sounds like a clever solution to your problem, and I think we could all learn from it.

    regards
    theterranaut

    usits
    Member
    #290681

    Re: Is NATting possible on 2 separate private IPs?

    Oh, I know he has only one router, but that is why I suggested two different routers, because his main concern is fault tolerance. BTW thanks theterranaut, I will draw it up and post the link back here.

    ssckrp
    Member
    #285692

    Re: Is NATting possible on 2 separate private IPs?

    Hi

    I think the following should work in your case.

    You want to have one single public IP translated to your DCs (1.2 & 1.3).

    Create an access list:

    access-list 1 permit host 192.168.1.2
    access-list 1 permit host 192.168.1.3

    Now place this with your NAT:

    ip nat pool SMTP-POOL x.x.x.x x.x.x.x netmask x.x.x.x
    ip nat inside source list 1 pool SMTP-POOL overload
    (please refer to the full command with IOS)

    Go to your Ethernet and serial interfaces to place the ip nat inside and ip nat outside.

    Now with another access list you allow only the SMTP / POP3 traffic as required.

    Hope this will solve the issue...

    If you guys find this may be a wrong one, please advise.

    Regards

    Prabu

    bdesmond-mvp
    Member
    #291242

    Re: Is NATting possible on 2 separate private IPs?

    This setup is really goofy and makes no sense to me.

    As others have said you cannot NAT one external IP & port to multiple internal hosts. Get additional public IPs from your ISP if this is your goal.

    Yes you can run Exchange frontends on DCs if you want, though.

    My suggestion is that you collapse this weird network you've built into a simple flat single subnet. If you want multiple public MXes, you're going to need an additional IP from your ISP to make it happen.
