Wednesday 15 May 2013

Bi-directional NAT/SNAT with Cisco Routers

Some of you may be familiar with either Microsoft Forefront TMG or ISA Server.

It had an option when publishing ports to the outside world of "Requests appear to come from the ISA Server computer" or "Requests appear to come from the Forefront TMG computer".

This was handy, for instance, if you were publishing ports to the internet on WAN servers or local servers which did not have that particular ISA or TMG box as their default gateway.

This is particularly handy if you want to load balance traffic across two links, or simply as a backup way of getting into your network remotely if your primary link fails.

It basically rewrote the source address of any incoming connection so that, to the internal server, the connection appeared to come from the router's internal-side IP. Because the server then replies to an address on its own subnet, it never needs that router as its default gateway.

The guide below shows exactly how to achieve this with a Cisco router running IOS 12.4.

In a typical scenario, you might have a router configured with ADSL and a Dialer interface with "ip nat outside", and a "Fa0/0" or "G0/0" LAN interface with "ip nat inside".

It may look like the following:


interface Dialer0
 description ISP ADSL2+ Interface
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname username@isp.com
 ppp chap password 7 06675F141A1F064F25
!
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
ip nat inside source list 1 interface Dialer0 overload
!
ip nat inside source static tcp 192.168.0.15 25 interface Dialer0 25
!
ip route 0.0.0.0 0.0.0.0 Dialer0

The problem with the above configuration is that the NAT only translates in one direction: an inbound connection to port 25 has its destination rewritten to 192.168.0.15, but its source address is left as the internet client's, so the server's reply has to go back via the server's own default gateway. What we want to achieve is a bi-directional NAT.

We need to remove the "ip nat inside" and "ip nat outside" lines from the Dialer0 and FastEthernet0/0 interfaces and replace them with "ip nat enable". This means we can now configure NAT to work both inbound and outbound.

For the example below, assume that the ISP has assigned a static IP of 200.200.200.200.

The server to be published is a web server on IP 192.168.0.55.

Assuming that your current configuration is like the above, we would type the following:


interface FastEthernet0/0
 no ip nat inside
 ip nat enable
!
interface Dialer0
 no ip nat outside
 ip nat enable
!
no ip nat inside source list 1 interface Dialer0 overload
!
no access-list 1 permit 192.168.0.0 0.0.0.255
!
ip access-list extended NAT_OUT
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended NAT_IN
 permit ip any host 200.200.200.200
!
ip nat source list NAT_IN interface FastEthernet0/0 overload
ip nat source list NAT_OUT interface Dialer0 overload
!
ip nat source static tcp 192.168.0.55 80 interface Dialer0 80


And that's it! Now when connections are made to the public IP, they are translated internally to the web server, but the source address appears as 192.168.0.1 - the IP address bound to the Fa0/0 interface.
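To make the four translation paths concrete, here is an added Python model of the rules above. It is example code written for this post, not Cisco's implementation and not something from the router. It assumes one shared port pool for both directions, stands in for the 192.168.0.0/24 ACL matches with a prefix check (in_lan), and uses constructed internet-side addresses 198.51.100.7 and 203.0.113.9 from the documentation ranges.

```python
from dataclasses import dataclass
from itertools import count

# Addresses from the post's scenario; internet-side addresses used later are
# constructed from the TEST-NET documentation ranges.
PUBLIC_IP = "200.200.200.200"      # static address the ISP assigned to Dialer0
LAN_GW_IP = "192.168.0.1"          # Fa0/0 address; the source the web server sees
WEB_SERVER_IP, WEB_SERVER_PORT = "192.168.0.55", 80   # host published by the static rule
LAN_PREFIX = "192.168.0."          # stand-in for the 192.168.0.0/24 match in NAT_OUT


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def as_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


def in_lan(ip):
    # Hypothetical helper replacing the ACL "permit ip 192.168.0.0 0.0.0.255 any".
    return ip.startswith(LAN_PREFIX)


class NviRouter:
    """Toy model of the translations the post's 'ip nat enable' config creates.

    'in'  sessions: internet client -> 200.200.200.200:80 is rewritten to
                    192.168.0.1:<port> -> 192.168.0.55:80 (static rule + NAT_IN overload).
    'out' sessions: LAN host -> internet is rewritten to 200.200.200.200:<port>
                    (NAT_OUT overload). Replies are undone from the session table.
    """

    def __init__(self):
        self._ports = count(1024)  # one shared pool; a real router keeps one per interface
        self.sessions = {}         # (direction, orig src ip, orig src port) -> translated port
        self.reverse = {}          # (direction, translated port) -> (orig src ip, orig src port)

    def _alloc(self, direction, src_ip, src_port):
        key = (direction, src_ip, src_port)
        if key not in self.sessions:
            port = next(self._ports)
            self.sessions[key] = port
            self.reverse[(direction, port)] = (src_ip, src_port)
        return self.sessions[key]

    def translate(self, pkt):
        # 1. New inbound connection to the published port: static destination NAT
        #    plus NAT_IN source overload onto the Fa0/0 address.
        if (not in_lan(pkt.src_ip) and pkt.dst_ip == PUBLIC_IP
                and pkt.dst_port == WEB_SERVER_PORT):
            port = self._alloc("in", pkt.src_ip, pkt.src_port)
            return Packet(LAN_GW_IP, port, WEB_SERVER_IP, WEB_SERVER_PORT)
        # 2. Reply from the web server to the gateway address: undo both rewrites.
        if (pkt.src_ip == WEB_SERVER_IP and pkt.dst_ip == LAN_GW_IP
                and ("in", pkt.dst_port) in self.reverse):
            client_ip, client_port = self.reverse[("in", pkt.dst_port)]
            return Packet(PUBLIC_IP, WEB_SERVER_PORT, client_ip, client_port)
        # 3. New outbound connection from the LAN: NAT_OUT overload onto Dialer0.
        if in_lan(pkt.src_ip) and not in_lan(pkt.dst_ip):
            port = self._alloc("out", pkt.src_ip, pkt.src_port)
            return Packet(PUBLIC_IP, port, pkt.dst_ip, pkt.dst_port)
        # 4. Reply from the internet to an outbound session: restore the inside host.
        if pkt.dst_ip == PUBLIC_IP and ("out", pkt.dst_port) in self.reverse:
            host_ip, host_port = self.reverse[("out", pkt.dst_port)]
            return Packet(pkt.src_ip, pkt.src_port, host_ip, host_port)
        raise ValueError(f"no translation for {pkt.as_tuple()}; would be dropped")


def demo():
    """Run one inbound and one outbound session through the model; returns 4-tuples."""
    r = NviRouter()
    # Constructed internet client connecting to the published web server.
    to_server = r.translate(Packet("198.51.100.7", 40000, PUBLIC_IP, 80))
    reply_to_client = r.translate(
        Packet(WEB_SERVER_IP, 80, to_server.src_ip, to_server.src_port))
    # Constructed LAN host browsing out, and the remote site's reply.
    out = r.translate(Packet("192.168.0.20", 51000, "203.0.113.9", 443))
    out_reply = r.translate(Packet("203.0.113.9", 443, out.src_ip, out.src_port))
    return {
        "to_server": to_server.as_tuple(),
        "reply_to_client": reply_to_client.as_tuple(),
        "out": out.as_tuple(),
        "out_reply": out_reply.as_tuple(),
    }


if __name__ == "__main__":
    for name, tup in demo().items():
        print(f"{name:16s} {tup}")
```

The model makes the forensic consequence visible: the web server sees every inbound connection as coming from 192.168.0.1, so its access logs can no longer distinguish clients, and the only place the real client address survives is the router's translation table (show ip nat nvi translations). If you rely on server-side logs for blocking or incident investigation, log at the router as well.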
