
[cobalt-security] Re: cobalt-security digest, Vol 1 #518 - 14 msgs



As I understand NAT, it allows a LAN to access an external network from a
single point of access/IP.
(I apologise if someone uses 125.126.127.190, it was just a random IP I
thought of.)
Each outgoing IP on the network is translated into an IP and port number and
creates a connection. When an external IP tries to get into the network, it
requests the IP of the NAT server and a port. The information is then
forwarded from that port to an internal IP address and port. You define what
each port on your external IP is related to, i.e. if your external IP is
125.126.127.190 and your mail server is 192.168.0.1 and web is 192.168.0.2,
then someone accessing port 125.126.127.190:80 will be forwarded to
192.168.0.2:80 and someone accessing 125.126.127.190:25 would get
192.168.0.1:25. This is just a rough example. A NAT server is a basic kind
of firewall: anyone accessing port 21 (telnet) on 125.126.127.190 will not be
forwarded anywhere. Of course you could pretend to have an IRC server set up
on port 6667 but really have it on port 28 on 192.168.0.3, so anyone
accessing 125.126.127.190:6667 gets forwarded to 192.168.0.3:28.

So say you have a Notes server on 192.168.0.4 (what port does it use to
connect? I will use 30) and your Qube at 192.168.0.5 serving HTTP on 80 and
POP on 110, and your NAT router dials in as 125.126.127.190 as its external
IP, with internal IP 192.168.0.8 (that is not important for my example,
except as a gateway).
You would set up your NAT router as a normal NAT router, converting all of
192.168.0.0 netmask 255.255.255.0 (class C) to 125.126.127.190/something.
You set your internal network up as usual (for a router) with a gateway of
192.168.0.8.
Then on your NAT server you decide which external ports to provide, in this
example 30 (Notes?), 80 (HTTP) and 110 (POP).
You set port 30 to be forwarded to port 30 on 192.168.0.4.
Ports 80 and 110 to be forwarded to ports 80 and 110 on 192.168.0.5.
And drop everything else.
That would basically be it. For the DNS entry you would give your external
IP.
As I said, a NAT server is a basic firewall: only those ports you forward are
allowed.
Hope this helps someone.
Gareth

> Date: Thu, 20 Sep 2001 09:31:20 -0400
> From: John Anderson <janderson@xxxxxxxxx>
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] NAT Question
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> Hi,
>
> I've got a Qube2 and I was wondering about using NAT.
>
> Here is what I would like to do:
>
> - I run Lotus Notes on a server here that is behind our firewall (the
> Qube acts as our firewall)
> - I would like to have my users be able to get to Notes from outside the
> office, without moving the box outside the firewall.
>
> Now forgetting a minute about the whys and hows of dealing with Notes, I
> was curious about the procedure to setup NAT.
>
> I've got a few questions:
>  - would I assign another IP for this situation?
>  - could I just use the same IP it's got now, and use a different port
> number?
>  - could I add a dns entry so I have something like notes.ceeva.com and
> that sends the packet to the qube, which translates it to the internal
> server?
>
> If someone could point me to a good FAQ or HOWTO I would appreciate it.
>
> Thanks in advance.
>
>
> --John
>
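The forwarding scheme in Gareth's reply, written out as a Linux iptables ruleset. This is an added example, not code from the thread or from the Qube 2 itself (which predates iptables). It assumes the addresses Gareth used (external 125.126.127.190 on eth0, LAN 192.168.0.0/24 behind eth1) and keeps his placeholder port 30 for Notes, although Domino's NRPC service actually listens on 1352/tcp. The interface names and the IPT dry-run variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rendering of the port
# forwarding Gareth describes. Assumed addresses match his reply; interface
# names are assumptions. Set IPT="echo iptables" to print rules instead of
# applying them.
IPT="${IPT:-iptables}"
EXT_IF=eth0                  # assumed: dial-up / external interface
INT_IF=eth1                  # assumed: LAN interface
EXT_IP=125.126.127.190       # external address from the reply
LAN=192.168.0.0/24           # internal class C from the reply

# Published services, one per line: "external_port internal_host internal_port".
# Port 30 is Gareth's placeholder for Notes (Domino NRPC is really 1352/tcp).
FORWARDS="
30 192.168.0.4 30
80 192.168.0.5 80
110 192.168.0.5 110
"

nat_rules() {
    # Outbound: hide the whole LAN behind the single external address.
    # MASQUERADE rather than SNAT because a dial-up address may change.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE

    # Forwarding path is default-deny; replies to existing flows may return.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT

    # One DNAT plus one FORWARD accept per published port. A DNAT rule only
    # rewrites the destination; without the matching FORWARD accept the
    # translated packet is still dropped by the policy above, which is what
    # makes "drop everything else" hold for unpublished ports (e.g. 21).
    echo "$FORWARDS" | while read -r ext_port host int_port; do
        [ -n "$ext_port" ] || continue
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp \
            --dport "$ext_port" -j DNAT --to-destination "$host:$int_port"
        $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$host" \
            --dport "$int_port" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Usage: "sh nat.sh dry-run" prints the rules, "sh nat.sh apply" loads them.
case "${1:-}" in
    apply)   nat_rules ;;
    dry-run) IPT="echo iptables"; nat_rules ;;
esac
```

Run with `dry-run` first and read the generated rules; the DNS side is unchanged from Gareth's description, since notes.ceeva.com would simply resolve to the external address and the PREROUTING rule does the rest.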