Don't do NAT on RIP routes


Vlad Doubrov

Hello!

I have an organization unit which has its own internal network
(192.168.17.x). I need to connect it to the global organization
intranet and internet via the link which they provided me. The routing
protocol used in the network is RIP.

I have set up a Win2k server and RRAS and enabled RIP and NAT on it.
The server has two NICs - one for internal network (192.168.17.1), and
one for the external link (81.90.55.55 - the real internet address).
The other side of the link is a Cisco router.

Everything seems to work just fine. The server receives RIP routes for
the organization's intranet network (192.168.16.0/24, 192.168.15.0/24,
81.90.55.0/24, etc), and everyone in my local segment has access
both to the internet and those networks.

The problem is that when I access the intranet, the server does NAT on
those packets. Therefore, everyone in the network sees all my
workstations as the address of my external NIC - 81.90.55.55.
Also, nobody can access any of the workstations using their real IPs -
like 192.168.17.2, and so on.

So, is there any way to force RRAS not to NAT the packets heading
out via RIP routes, but only those via the default route? I wish I could
set up somewhere a list of destination networks which shouldn't be
NATed. Just like setting up the filters in RRAS.

I know I could do this easily with Linux, but the server should be
under Win2k only.

Thanks a lot!

-- vlad
 
All traffic using the Internet routers must use a registered public IP
address. So you must use NAT or a proxy server to access the Internet from a
machine on a private LAN.

To link a private LAN to another LAN and allow the clients to use their
private IP addresses, you need to set up a VPN link. With VPN, the
private-addressed packets are encrypted and then encapsulated in a wrapper
with a public IP. This packet is then sent through the Internet. At the
receiving end, the wrapper is removed and the original packet forwarded to
the LAN machine. A VPN using PPTP can operate through a NAT router.
 
Bill Grant said:
All traffic using the Internet routers must use a registered public IP
address. So you must use NAT or a proxy server to access the Internet from a
machine on a private LAN.

There are no public internet routers inside our organization network.
There's an internet gateway somewhere in that network. Some segments in
our network have public addresses, others have private ones - both can
see and should see each other quite easily. Of course, it's possible
to access the internet only from hosts which use public addresses.

In our sub-network there are only private addresses, and its win2k
border router has a public one on its second NIC. We need to access the
internet from any host in this sub-network.
To link a private LAN to another LAN and allow the clients to use their
private IP addresses, you need to set up a VPN link. With VPN, the
private-addressed packets are encrypted and then encapsulated in a wrapper
with a public IP. This packet is then sent through the Internet. At the
receiving end, the wrapper is removed and the original packet forwarded to
the LAN machine. A VPN using PPTP can operate through a NAT router.

There's no other end for a VPN link in our network. The whole network
is a trusted structure where nothing needs to be encrypted. The only
thing we need to do is to bypass NATing of packets not going to leave
the internal network.

Is it possible in win2k RRAS? Maybe other software could help?

-- vlad
 
You cannot access machines with private addresses behind a NAT router
from a public address. The NAT only does address translation in one
direction - from the private to the public address. That is the way NAT was
designed.

If you want to connect two private LANS by a link across a public
network, you need to set up a VPN (Virtual Private Network). With VPN the
private addressed packets will be carried across the public segment as the
payload of public addressed packets. At the receiving end, the wrapper is
stripped off and the original packet (with its original private IP) put on
the network.

So to use your private IP addresses across the link, you must use VPN.
NAT will still give your LAN clients Internet access, but the traffic for
the remote private network will go via VPN.

If the link that you mention is a VPN, it is simply a matter of routing your
private traffic to the VPN router, and allowing the default traffic to use
NAT. Of course the other site must have similar routing to forward traffic
for your private LAN through the VPN link.
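To make the routing decision the thread is arguing about concrete, here is an added Python model (not code from either poster, and not an RRAS feature) of a border router that translates only traffic leaving via the default route and forwards RIP-learned intranet prefixes untranslated. The routing table, the `Route` class, the `forward`/`inbound` functions and the `nat_all` switch are constructed for this example; the prefixes and the 81.90.55.55 address are the ones Vlad gave. The `nat_all` mode reproduces the symptom described in the thread: with every WAN-bound packet translated, intranet hosts see only the public address, and a connection initiated from the intranet toward 192.168.17.2 has no translation entry to match and is dropped.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    egress: str          # interface name (constructed: "LAN" or "WAN")
    translate: bool      # True only where traffic must leave with the public address


# Constructed routing table modelled on the thread: a directly connected LAN,
# three prefixes learned via RIP, and a default route toward the Internet.
ROUTES = [
    Route(ipaddress.ip_network("192.168.17.0/24"), "LAN", False),  # directly connected
    Route(ipaddress.ip_network("192.168.16.0/24"), "WAN", False),  # learned via RIP
    Route(ipaddress.ip_network("192.168.15.0/24"), "WAN", False),  # learned via RIP
    Route(ipaddress.ip_network("81.90.55.0/24"), "WAN", False),    # learned via RIP
    Route(ipaddress.ip_network("0.0.0.0/0"), "WAN", True),         # default route
]

PUBLIC_ADDR = ipaddress.ip_address("81.90.55.55")   # external NIC from the thread
LOCAL_NET = ipaddress.ip_network("192.168.17.0/24")  # private segment behind the router


def lookup(dst, routes=ROUTES):
    """Longest-prefix match over the routing table; returns None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forward(src, dst, nat_all=False, routes=ROUTES):
    """Return (egress interface, source address as seen by the next hop).

    nat_all=True models the behaviour complained about in the thread: every
    packet leaving the WAN interface is translated, regardless of the route
    that carried it.  nat_all=False translates only on routes flagged for it
    (here, just the default route), so RIP-learned destinations keep the
    workstation's real address.
    """
    r = lookup(dst, routes)
    if r is None:
        return None
    src = ipaddress.ip_address(src)
    must_translate = (r.egress == "WAN") if nat_all else r.translate
    return (r.egress, str(PUBLIC_ADDR if must_translate else src))


def inbound(src, dst, nat_all=False):
    """Fate of a packet arriving on the WAN side addressed to a private host.

    With policy NAT the packet is simply routed onto the LAN.  With NAT applied
    to everything, an unsolicited inbound packet matches no translation entry
    (NAT only builds entries for private-to-public flows), so the router drops it.
    """
    dst = ipaddress.ip_address(dst)
    if dst not in LOCAL_NET:
        return "not for this LAN"
    return "dropped" if nat_all else "delivered"


if __name__ == "__main__":
    for target in ("8.8.8.8", "192.168.16.10", "81.90.55.7", "192.168.17.9"):
        print(target, "policy NAT:", forward("192.168.17.2", target),
              "| NAT all:", forward("192.168.17.2", target, nat_all=True))
    print("intranet -> 192.168.17.2, policy NAT:", inbound("192.168.16.10", "192.168.17.2"))
    print("intranet -> 192.168.17.2, NAT all:  ", inbound("192.168.16.10", "192.168.17.2", nat_all=True))
```

The decision hinges on attaching the translate flag to the route rather than to the interface: both the intranet prefixes and the default route exit the same WAN NIC, so an interface-level NAT setting (which is what the thread's RRAS configuration amounts to) cannot distinguish them, whereas a per-route or per-destination policy can.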
 