Home > Archive > CCNA > December 2002 > A simple question...yet I don't know the answer
A simple question...yet I don't know the answer
nickperjak 2002-11-29, 8:03 am
How can a user access a host inside a private network, through a NAT enabled router? Say for instance...you have a computer within your private network with an IP of 192.168.100.10, and say for example that your public assigned IP from an ISP within your router is 24.100.10.1. How would a user from outside your private network (a distant internet user) gain access to that 192.168.100.10 host? This is a simple question I think. I've been studying networking for quite a while now, but mostly INTERnetworking..and my brain is fried. Someone asked me that question and I felt like a total fool for not giving him a solution...maybe I'm not just feeeeeling like a fool. Anyways, any help would be appreciated.
mindmesh 2002-11-29, 10:13 am
If you are trying to access a PC from, say, your home to your office you would probably get a program like PC Anywhere. This will allow you to connect through the router provided the proper ports are mapped.. 5631 tcp and 5632 udp and you have the proper software on both machines..
If you want to connect to your internal Network then you will probably need to set up a VPN.
nickperjak 2002-11-29, 11:48 am
Actually, the real scenario is this: the private network consists of four PCs, a server, and a video surveillance camera. The camera is what needs to be accessed through the internet, via the company's website (by the way this is my uncle's company and he just asked me what I thought, this is not the company I work for). So in order for him to sell these cameras, he needs to have the customers demo the cameras. They have 10/100 NICs with assigned IPs, how would one access this camera through the internet, via the website? Is it more of a software problem, dealing with routing using certain TCP or UDP ports? Any help would be appreciated.
mindmesh 2002-11-29, 12:13 pm
I would suggest contacting the software manufacturer to find out what they think. Not much anyone could really tell you without knowing the software. Maybe if you enable a connection to the PC running the viewing software on it. Just a guess..
edmonds_robert 2002-11-29, 4:20 pm
nickperjak,
Here's how it works, in a nutshell. Say your public network has the IP address of 24.100.10.1 like you said in your original post. Let's say for the sake of argument it's a /24 network, giving you 254 addresses to play with. On your firewall, or other device performing NAT, you would create a static translation. For example, you would translate 24.100.10.2 to your private IP address of 192.168.100.10 and vice versa.
Now, when that user across the Internet wants to connect to your server (we'll say it's a web server for this scenario) at 192.168.100.10, they would actually point their web browser to 24.100.10.2. The firewall would intercept the request, regenerate it on the internal network and send it to the web server at 192.168.100.10. When the web server gets the request, the source address it sees is that of the firewall. So, when it responds, it sends the packet to the firewall thinking it made the original request. The firewall then in turn regenerates the response on the external interface and sends it back to the original requesting computer, again replacing the actual address of the web server with its own IP address.
So in effect, the client on the Internet thinks the web server is at the address 24.100.10.2, but it's actually your firewall. The web server also thinks that the firewall is the requester. This hides the network layout from both the internal and external users.
dbowen 2002-11-30, 8:29 pm
a) One comment regarding the posted suggestion to statically map a public IP to the private IP: a firewall doesn't modify IP addresses. So, in that scenario, the webserver's reply packet will be sent to the (previously source) IP address of the Internet requester (now destination). The webserver's reply packet will be directed to the firewall (via a default gateway, for Internet directed traffic, of its own or defined on an internal router). The basic function of a firewall is to allow internally originating traffic out and prevent externally originating traffic in.
b) Allowing (untrusted) Internet traffic to reach a private, internal, network is not generally acceptable (without heavy restrictions, authentication, security measures to verify the identity and location of the incoming Internet user). Basically, allowing just anybody on the Internet into your private network isn't good form. Either place services that should be publicly accessible in your DMZ (a publicly accessible area of your network outside your internal firewall or NAT enabled router) or establish a stringent protocol for identifying incoming users. Here's an analogy I like to use: anyone can come up on your front porch (that's public), but you don't let just anyone into your house (that's private).
I suppose the bottom line question is: How is your network infrastructure designed? It sounds like you might have a high-speed Internet connection that goes through a NAT-enabled router. This is how many small businesses/home users operate. Unfortunately, regarding network choices, most people operating like this don't have an internal and external router and two firewalls so options are limited: inside the router is safer than outside the router (but you generally don't want the public inside your router).
Remember, anything that gets set outside is subject to hacking, crashing, theft, etc. so make sure to have backup configs if you "set something on your front porch" and button it down as much as possible.
Tough choice. Good luck.
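The following is an added simulation, not code from any poster, of the static translation edmonds_robert describes (24.100.10.2 mapped one-to-one to 192.168.100.10) combined with the default-deny stance dbowen recommends: only an explicitly listed service on the mapped host is reachable from outside, and everything else inbound is dropped. It goes slightly beyond the thread by also sharing the router's own address 24.100.10.1 among the other LAN hosts with a session table; the session table, the starting port 40000 and the remote addresses in the comments are constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    sport: int    # source port
    dport: int    # destination port

# Constructed policy using the addresses discussed in the thread.
ROUTER_PUBLIC = "24.100.10.1"                    # the router's own public address
STATIC_NAT = {"24.100.10.2": "192.168.100.10"}   # one-to-one: public -> private
REVERSE_NAT = {v: k for k, v in STATIC_NAT.items()}
# Only services listed here may be reached from the Internet (default deny).
ALLOWED_INBOUND = {("192.168.100.10", "tcp", 80)}

class Nat:
    def __init__(self):
        self.sessions = {}        # (proto, public port) -> (private ip, private port)
        self.next_port = 40000    # constructed starting point for shared-address ports

    def outbound(self, pkt):
        """Packet from the LAN to the Internet: rewrite the private source address."""
        if pkt.src in REVERSE_NAT:                          # statically mapped host
            return replace(pkt, src=REVERSE_NAT[pkt.src])
        # Other hosts share the router's address; record the session so the reply can return.
        key = (pkt.proto, self.next_port)
        self.sessions[key] = (pkt.src, pkt.sport)
        self.next_port += 1
        return replace(pkt, src=ROUTER_PUBLIC, sport=key[1])

    def inbound(self, pkt):
        """Packet from the Internet: translate the destination, or return None to drop it."""
        private = STATIC_NAT.get(pkt.dst)
        if private is not None:
            if (private, pkt.proto, pkt.dport) not in ALLOWED_INBOUND:
                return None                                  # mapped host, but service not exposed
            return replace(pkt, dst=private)
        if pkt.dst == ROUTER_PUBLIC:
            session = self.sessions.get((pkt.proto, pkt.dport))
            if session is not None:                          # reply to a session a LAN host opened
                return replace(pkt, dst=session[0], dport=session[1])
        return None                                          # unsolicited inbound traffic is dropped
```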
(unattributed post)
just to add a note regarding security principle posted by dbowen.
it is easy to implement the layered approach... even for SOHO...
those residential gateway/SOHO gateway cheapo things are really cheap now... I think you can get netgear 314 etc for like 50-100 bucks... put 2 together and you get a proper perimeter and firewall with dmz and all that... put 2 of different brands and you put another complexity to cracking them...
now... for companies that will actually utilize those, your traffic/data would not be that interesting so no one will exert too much effort in probing your security so this will slide easily (cross fingers).
edmonds_robert 2002-12-01, 4:20 pm
Actually, my web server is behind a NAT enabled router on the outside of my firewall with access lists and OS security features providing the security required. I just used the example of the web server because it was easy. Maybe a better real world example would have been a mail server, which would routinely be on an internal network with port 25 open on the firewall.
nickperjak 2002-12-01, 6:26 pm
That'll do. Thanks a lot for the information. I know just a little about network security. I guess the best and simplest approach would be to have the demo camera placed outside the internal network.