I was able to access internal NAT resources just fine by going through the public IP on my home internet:
i.e. SSH port 22 forwarded to 10.0.0.22 on the home NAT, with the cable router's public interface at 71.202.A.B.
With that I can ssh into 10.0.0.22 from work by ssh-ing into 71.202.A.B. So far so good and simple.
Also, it was nice to know that from inside my home NAT, say from a computer at 10.0.0.23, I can ssh into 10.0.0.22 by ssh-ing either into 10.0.0.22 directly or through 71.202.A.B. That was convenient.
I just rented a small warehouse for a small business and set up another company internet connection.
I did port forwarding similar to the setup above, only to quickly find that I cannot access my internal NAT resources the same way as above through the public IP:
In other words, I can access 10.0.0.22 either from 71.202.A.B from outside the NAT, or from inside the NAT by ssh-ing directly into 10.0.0.22, not through 71.202.A.B. This caused a whole lot of disruption to my home devices.
Many of my home devices were accessing 10.0.0.22 through the public IP 71.202.A.B so I don't have to think about whether I am inside or outside the NAT; they just ssh into 10.0.0.22 through 71.202.A.B.
Now my new network is not allowing that. Is there anything I need to look up? The cable router is not a Cisco router with a GUI interface. Thanks!
Depending on the device, and on the specific config, it may not perform the public-facing NAT correctly if the traffic originates from inside.
Classic examples: Cisco ASA, Cisco IOS (there is actually a dirty PBR trick you used to do to make it do this).
Mind sharing? The router appears to be something called a Sagemcom 5260, thanks.
Otherwise I have to create two different versions of it.
It's quite a common problem. Some of your options:
- Use DNS hostnames and do split DNS, but this requires you to host an internal copy of your external zone with internal IP addresses where required.
- Configure NAT Hairpinning, example: https://kb.juniper.net/InfoCenter/index?page=content&id=KB24639
- If your destination server is in a segment that always crosses the firewall, regular DNAT will do.
And probably a dozen other band-aid solutions. I would pull out that Sagem and replace it with a proper firewall.
I would not leave SSH open to the Internet. You're better off with a VPN with 2FA security on it.
Sounds like a job for split-brain DNS. When going outside to a public IP, the DNS server sees that the server is on the inside and provides the internal IP address back.
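Added example, not from this thread or any of the replies: a small Python model of the cable router's NAT table that shows why a LAN client's SSH to the public IP fails when the router only does DNAT, and why either the hairpin-NAT option or the split-DNS option from the two replies above makes it work. The server 10.0.0.22 and LAN client 10.0.0.23 are from the thread; the public IP 71.202.A.B is written as 198.51.100.7 (RFC 5737 documentation space) so it parses; the router's LAN-side address 10.0.0.1, the outside client 203.0.113.5 and all port numbers are assumptions.

```python
"""Model of a home router's SSH port forward (public:22 -> 10.0.0.22:22).

Constructed example. Addresses: 10.0.0.22 and 10.0.0.23 as in the thread;
198.51.100.7 stands in for 71.202.A.B; 10.0.0.1 (router LAN address),
203.0.113.5 (outside client) and the ports are assumptions.
"""
from dataclasses import dataclass, replace
import ipaddress

LAN = ipaddress.ip_network("10.0.0.0/24")
PUBLIC_IP = "198.51.100.7"      # stands in for 71.202.A.B
GATEWAY_LAN_IP = "10.0.0.1"     # assumed inside address of the cable router
SERVER = "10.0.0.22"
SSH = 22
OUTSIDE_CLIENT = "203.0.113.5"  # assumed, e.g. the machine at work
CLIENT_PORT = 51234             # assumed ephemeral port
HAIRPIN_PORT = 40000            # assumed port the router uses after SNAT


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def on_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


class Router:
    """DNAT public:22 -> 10.0.0.22:22, optionally with hairpin SNAT.

    With hairpin_snat=True a LAN-originated connection to the public IP
    also gets its source rewritten to the router's LAN address, so the
    server's replies come back through the router and can be un-NATed.
    """

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}  # (src, sport) as the server sees it -> original (src, sport)

    def inbound(self, pkt: Packet) -> Packet:
        """Translate a client -> public:22 packet into what the server receives."""
        assert pkt.dst == PUBLIC_IP and pkt.dport == SSH
        out = replace(pkt, dst=SERVER)  # DNAT
        if on_lan(pkt.src) and self.hairpin_snat:
            out = replace(out, src=GATEWAY_LAN_IP, sport=HAIRPIN_PORT)  # hairpin SNAT
        self.conntrack[(out.src, out.sport)] = (pkt.src, pkt.sport)
        return out

    def outbound(self, reply: Packet) -> Packet:
        """Reverse both translations on a server reply that reaches the router."""
        orig_src, orig_sport = self.conntrack[(reply.dst, reply.dport)]
        return replace(reply, src=PUBLIC_IP, dst=orig_src, dport=orig_sport)


def server_reply(pkt: Packet) -> Packet:
    """The SSH server answers whatever source address/port it saw."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


def ssh_via_public_ip(client_ip: str, router: Router) -> bool:
    """True if the client's SYN gets a SYN-ACK from the tuple it connected to.

    A reply that arrives from 10.0.0.22:22 instead of PUBLIC_IP:22 belongs to
    no known connection on the client, so the client's kernel drops it or
    answers with RST and the ssh never completes.
    """
    syn = Packet(src=client_ip, sport=CLIENT_PORT, dst=PUBLIC_IP, dport=SSH)
    reply = server_reply(router.inbound(syn))
    if reply.dst == GATEWAY_LAN_IP or not on_lan(reply.dst):
        # The reply reaches the router: either it is addressed to the router's
        # own LAN address (hairpin SNAT) or it is off-subnet (default gateway).
        seen = router.outbound(reply)
    else:
        # Same subnet as the server: delivered on the LAN directly, bypassing the router.
        seen = reply
    return (seen.src, seen.sport, seen.dst, seen.dport) == (PUBLIC_IP, SSH, client_ip, CLIENT_PORT)


def split_dns_answer(client_ip: str) -> str:
    """Split-horizon view: LAN resolvers get the private address, everyone else the public one."""
    return SERVER if on_lan(client_ip) else PUBLIC_IP


def ssh_via_hostname(client_ip: str, router: Router) -> bool:
    """Connect to whatever split DNS hands back; LAN clients never touch the router."""
    target = split_dns_answer(client_ip)
    if target == SERVER:
        reply = server_reply(Packet(client_ip, CLIENT_PORT, SERVER, SSH))
        return (reply.src, reply.sport) == (SERVER, SSH)
    return ssh_via_public_ip(client_ip, router)


if __name__ == "__main__":
    for label, router in (("DNAT only", Router(False)), ("DNAT + hairpin SNAT", Router(True))):
        print(label, "outside:", ssh_via_public_ip(OUTSIDE_CLIENT, router),
              "LAN:", ssh_via_public_ip("10.0.0.23", router))
    print("split DNS, LAN client, DNAT-only router:", ssh_via_hostname("10.0.0.23", Router(False)))
```

The `hairpin_snat=True` branch is what the Juniper KB calls NAT hairpinning; on a Linux router the equivalent is a `PREROUTING` DNAT rule for `-d <public IP> -p tcp --dport 22` plus a `POSTROUTING` MASQUERADE (or SNAT) rule matching `-s 10.0.0.0/24 -d 10.0.0.22 -p tcp --dport 22`. The `split_dns_answer` branch is what dnsmasq does with an `address=/host.example.com/10.0.0.22` line on the LAN resolver while the public zone keeps the public address. The cost of hairpin SNAT is visible in the model: the server only ever sees 10.0.0.1 as the client, so its logs and any per-source access rules lose the real LAN address.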