Can you NAT to a server through a firewall that is not the default gateway?

Soldato · Joined 1 Sep 2007 · Posts 5,315 · Location Santa Monica, California
I have several servers that are NATed through a crappy old PIX on a 100mb internet connection. I am moving the default gateway to a new Juniper for Gig connectivity. Both connections and firewalls will continue to co-exist.

Will the original NAT continue working through the PIX or will the server return path choose the default route and go back to the Juniper thus breaking?
 
The answer is - sort of.

Packets will come in inbound from the PIX, then the server will reply outbound from the Juniper. Now, sometimes this may work but the behaviour is undefined - I've seen this where pinging one IP ends up getting replies from another one!

There are tricks you can do - including nasty bidirectional NAT where you NAT all the inbound packets to appear to come from the firewall - so your servers reply to the local address of the firewall, which then untangles the NAT and replies onto the web - that's not pretty.

If TRX is about he knows quite a lot about this sort of thing...

So bottom line is...no it won't work, not to any satisfactory level anyway.
 

Yeah, I have come to this conclusion as well. Looking at the current PIX configuration (which I inherited) it appears that we may only be doing NAT for very specific source blocks, in which case on the few servers concerned I can do static routes back to the PIX.
 
Source NAT is the Juniper term for what you want to do. It's functional, but if you're running a web server or similar then it'll make your logs useless. I'm of the opinion that all NAT is horrific and should die as soon as humanly possible, but source NAT is particularly bad design.

However I consider it better than putting static routes on servers, which is just wrong in every way going and WILL break your network if you scale beyond a certain point.
 
When I was migrating between our connections at work, I forwarded all traffic from the new gateway to the old gateway initially while I changed over the gateway settings for all the internal PCs and servers. You don't get to use the new connection from the internal PCs/servers, but you can start to migrate the public side services to the new connection if you use both source & dest NAT for inbound connections (so the internal server you forward to thinks traffic is coming from the new gateway itself).

akakjs
 
Just adding my 10p, as bigredshark and others have now said, without horrific log-ruining internal Source NAT or static routes for the known external IP addresses of external service users this isn't really possible.

If I went into the realms of hope and fantasy...

Without knowing too much about the Juniper in question (that's another headache for a future day I need to put myself through) a possibility would be policy based routing on the Juniper, i.e.:

If the traffic is outbound + No connection tracking knowledge of this session + a SYN/ACK then route via Pix

This would allow anything that the Juniper hadn't 'seen' coming in to route out via the PIX, without requiring source NAT. However, I very much doubt any Cisco/Juniper-esque firewall can do this kind of policy based routing (iptables/iproute2 on Linux is the only thing I can think of that would work with this, and clearly that's not something you'd run in production space).
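A small model of the three outcomes the thread discusses (the reply taking the default route out via the Juniper, a static route back to the PIX for a known source block, and source NAT on the PIX), added here as an illustration and not taken from any poster; every address and the Juniper's behaviour towards a reply it has no state for are constructed assumptions.

```python
import ipaddress

# Constructed example addressing (not from the thread).
LAN = ipaddress.ip_network("10.0.0.0/24")
PIX_INSIDE, JUNIPER_INSIDE = "10.0.0.1", "10.0.0.2"
JUNIPER_OUTSIDE = "203.0.113.1"
SERVER = "10.0.0.10"
PIX_PUBLIC = "198.51.100.10"   # static NAT on the PIX: PIX_PUBLIC <-> SERVER


def server_next_hop(dst, static_routes):
    """Server's routing decision: on-link delivery, else the longest matching
    static route, else the default gateway (now the Juniper)."""
    d = ipaddress.ip_address(dst)
    if d in LAN:
        return dst                      # same subnet, no gateway involved
    hits = [(ipaddress.ip_network(n), gw) for n, gw in static_routes
            if d in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else JUNIPER_INSIDE


def exchange(client, static_routes=(), source_nat=False, juniper_strict=False):
    """One inbound connection from `client` to PIX_PUBLIC and the server's reply.

    Returns the client address the server logged and the source address the
    client sees on the reply (None if the reply was dropped)."""
    # Inbound through the PIX: destination NAT to the server. With source NAT
    # the PIX also rewrites the source to its own inside address.
    src_seen_by_server = PIX_INSIDE if source_nat else client
    # The server replies to the source it saw, using its own routing table.
    hop = server_next_hop(src_seen_by_server, static_routes)
    if hop == PIX_INSIDE:
        # The PIX holds the NAT state for this flow and untranslates it.
        reply_src = PIX_PUBLIC
    elif juniper_strict:
        # Assumed behaviour: a stateful firewall with no record of the inbound
        # half drops the stray reply.
        reply_src = None
    else:
        # Assumed behaviour: dynamic PAT on the Juniper emits the reply from its
        # own public IP, the "replies from another IP" symptom in the thread.
        reply_src = JUNIPER_OUTSIDE
    return {"server_logged": src_seen_by_server, "client_sees_reply_from": reply_src}
```

Run `exchange("192.0.2.50")` with no routes, with `static_routes=[("192.0.2.0/24", "10.0.0.1")]`, and with `source_nat=True` to see the broken, static-route and log-ruining outcomes side by side.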

 