12-14-2021 04:55 AM
I have configured 2 networks which can connect to a server, which provides services for HTTP and DNS. So the computers from these networks can connect to a web site (I called it "www.site.com") which is on the same server as the DNS service. Simple enough so far. I have also configured (using the CLI) each router to do DHCP in each of their respective networks. Also, I have configured NAT for each of these 2 networks, so when I send a request to the server from any of my computers the server doesn't receive packets with the IP address of the computer itself as sender, but with the IP address of the router. Also, for this to work, I configured RIP routing for each router, so the routers are connected and can direct packets between each other. So far, so good. This is what I wanted to do and it seems to work, I can connect to the website from any computer. But now I wonder, since I configured NAT for each router, I can no longer connect from the computer of one network to the computer of another network. I have attached a file with my project to explain my problem.
Let's say I am on the computer with IP address 192.168.0.2 from the left network (the network with internal address 192.168.0.0 and whose router has public address 193.226.40.1, in the left side of the project). From this computer, let's say I want to ping the computer 192.168.1.3 from the bottom network (the network with internal address 192.168.1.0 and whose router has public address 193.226.50.1, in the bottom part of the project). But I cannot do this. I cannot just use the command "ping 192.168.1.3" from the computer 192.168.0.2 because the address 192.168.1.3 is not accessible from 192.168.0.2. It's a local address. From any computer, I can only access routers. But if I ping the router, the message will be received by the router (since I configured RIP routing) but it won't know where to send the message (to which computer to send the ping message). So because I configured my networks with NAT, I can no longer communicate with computers from other networks. I am wondering how I could solve this issue. I have read somewhere that I should use port forwarding, but I am not sure about this. So my question is: what is the solution to this? Should I do port forwarding? If not, what else should I do, what is the better solution? If yes, how can I configure port forwarding, how is it done? How can 2 NATed computers from different networks communicate (for example, through a ping)? I have never done this before, so I'm really confused.
01-03-2022 02:21 AM
Hello
When you do require access to a specific host residing in a "hidden" network (a network that's subjected to Network Address Translation), then you could create a static mapping between the internal hidden host and a public IP address associated with the network which the hidden (NATed) host resides behind.
Example Site A -
Wan public ip address 1.1.1.1
LAN - 192.168.1.0/24 (hidden subnet)
Host A – 192.168.1.10
To reach Host A, let's say for the HTTPS web service from the outside, you could create a static PAT statement on the site A WAN rtr so any external host can reach the LAN Host A via its public NATed IP address.
Site A rtr
ip nat inside source static tcp 192.168.1.10 443 1.1.1.2 443
Now any external host would establish a connection via 1.1.1.2 443 to the site A wan rtr
At site A wan rtr a translation would occur for 1.1.1.2 443 to 192.168.1.10 443 and traffic would then be routed to that specific internal hidden host and port.
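To make the two translation steps in that answer concrete, here is an added simulation (not the poster's configuration or any vendor code) of the static PAT table on the site A WAN router. The addresses come from the answer above (1.1.1.2:443 mapped to 192.168.1.10:443); the external client 193.226.40.1 is assumed to be the OP's left-network router, and the client port 51000 is constructed.

```python
"""Simulated static PAT as created by
`ip nat inside source static tcp 192.168.1.10 443 1.1.1.2 443`.
Constructed example: only the static inside-source mapping is modelled,
dynamic NAT for outbound sessions is left out on purpose."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int   # 0 for icmp
    dst_ip: str
    dst_port: int


class StaticPatRouter:
    """Site A WAN router: (proto, global ip, global port) -> (local ip, local port)."""

    def __init__(self) -> None:
        self._static: Dict[Tuple[str, str, int], Tuple[str, int]] = {}

    def add_static(self, proto: str, local_ip: str, local_port: int,
                   global_ip: str, global_port: int) -> None:
        self._static[(proto, global_ip, global_port)] = (local_ip, local_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Only an explicitly mapped proto/ip/port is rewritten;
        anything else (e.g. a ping to the public address) has no inside host to go
        to and is returned as None, i.e. dropped at the WAN router."""
        hit = self._static.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if hit is None:
            return None
        local_ip, local_port = hit
        return replace(pkt, dst_ip=local_ip, dst_port=local_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside for the reply: the same static entry is applied in
        reverse, so the server's answer leaves with the public 1.1.1.2:443 source."""
        for (proto, g_ip, g_port), (l_ip, l_port) in self._static.items():
            if (proto, l_ip, l_port) == (pkt.proto, pkt.src_ip, pkt.src_port):
                return replace(pkt, src_ip=g_ip, src_port=g_port)
        return None  # no static entry; a real router would consult dynamic NAT here


def site_a_router() -> StaticPatRouter:
    """Router configured with the single static PAT statement from the answer."""
    r = StaticPatRouter()
    r.add_static("tcp", "192.168.1.10", 443, "1.1.1.2", 443)
    return r
```

The `icmp` case is why the original ping attempt fails: with no static entry for it, the WAN router has nothing to translate the destination to.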
12-28-2021 04:05 PM
Hello
The whole idea of NAT is to conserve IPv4 public addressing and hide private, non-routable RFC 1918 addressing. So if you have two hidden networks behind NAT, why then would you want to connect those two networks to each other?
Now it is possible to perform 1-to-1 NAT/PAT so each private network can reach specific hosts on either side (servers, file shares, host to host, etc.).
You could also dynamically NAT a whole subnet to match type on its related public IP address, but that isn't conserving public addressing; however, this would be applicable if the transit "public" path was also privately addressed, but then why would you want to NAT?
So the question is do you want both networks to be able to communicate to each other or just specific host to host network/port address translation?
01-03-2022 01:37 AM
Hello. Thank you for answering. It seems I didn't take into consideration the fact that NAT also acts as a layer of security in such a way that private IPs are not accessible from the outside; I only took into consideration NAT's function of solving the issue of not having enough IP addresses on 4 bytes. Given this extra function of hiding private IPs, yes, it makes sense that I cannot ping any computer from outside a network. So you've cleared that up for me. But I still wonder how we can create a connection between 2 specific hosts (from 2 different networks). Say we want to do that for some reason. Or, perhaps more practical, imagine a situation where one computer (call it computer A) from a network with NAT needs to access a DNS server (or HTTP server, or any server if not a computer) from another network which also has NAT configured. The request of computer A will reach the router of that other network, but the router will not know where to send the request, will not know where the server is. And what is more, I won't even know what IP address to provide to computer A as the IP of that server, since both networks are using NAT, so I can't just provide the private IP address of the server within that other network; that would make no sense. So I imagine I have to give computer A the IP of the router of the network which has the server so that the request can reach the network, but beyond that I don't really see what should happen.