question about nat

I have a router configured to translate an external public ip address to a private address of an internal Ftp server.

From what I have seen, when a packet arrives inside the Lan, the

destination IP address is that of the ftp server (its private address of course), but the source address is still the real public IP address of the sender.

This is causing me some problems because this server has another default gateway (another router) and ftp requests don't get a response.

Is it possible somehow to have the router to translate not only the destination address but also the source address? If the server saw the packet coming from the router and not from a public Internet IP address, I think it would be able to respond back correctly to ftp requests through the same router.

Is it possible? or is there a better way to do this?


Reply to
Loading thread data ...

Yes, that is a quite common configuration.

If the NAT'ing router is accepting traffic from the internet as a whole then your other router is not configured properly if that other router is not able to return the traffic to the internet. (If that other router is also acting as a firewall and is refusing the packets because it does not have any active "flow" for that traffic, then you have a network design conflict.)

If the NAT'ing router is accepting traffic only from a limited IP range, then your server should be configured to have a more specific route for that IP range that points back to the NAT'ing router. This would include the case where the NAT'ing router is acting as a VPN server: the valid VPN address ranges should be routed back to the NAT'ing router.

Return routing can be a problem when you are transfering different data from the same source along different paths, such as if you are prioritizing ftp along a dedicated link but wish other traffic to go through the other route. In a situation such as that, normally the default gateway would be set to the faster (or more flexible) device, which would use "policy based routing" (PBR) to select which traffic went which way.

Translating source addresses as well is possible, at least with some versions of IOS for some devices. (I don't have any idea at the moment of how common the facility is in modern IOS versions.) Translating the source is a technique I have used with a Cisco PIX firewall (in a situation where policy based routing was not feasible.) I am quite rusty on NAT for IOS; I believe there is an "ip nat source" as well as an "ip nat destination".

Reply to
Walter Roberson Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.