Can not reach its own public IP from inside the NAT when port fwding

Started by ggnfs000, April 02, 2018, 11:01:51 PM


ggnfs000

I was able to access internal NAT resources on my home internet just fine by going through the public IP:
i.e. ssh port 22 forwarded to 10.0.0.22 at the home NAT, with the cable router's public interface 71.202.A.B.

With that I can ssh into 10.0.0.22 from work by ssh-ing into 71.202.A.B. So far so good and simple.
Also, it was nice to know that from inside my home NAT, from let's say a computer with 10.0.0.23, I can ssh into 10.0.0.22 either directly or through 71.202.A.B. That was convenient.

I just rented a small warehouse for a small business and set up another company internet connection.
I set up port forwarding similar to the above, only to quickly find that I cannot access my internal NAT resources the same way as above through the public IP:
In other words, I can access 10.0.0.22 via 71.202.A.B from outside the NAT, or from inside the NAT by ssh-ing directly into 10.0.0.22, but not through 71.202.A.B. This caused a whole lot of disruption for home devices.

Many of my home devices were accessing 10.0.0.22 through the public IP 71.202.A.B so I don't have to think about whether I am inside or outside the NAT; they just ssh into 10.0.0.22 through 71.202.A.B.

Now my new network is not allowing that. Is there anything I need to look up? The cable router is not a Cisco router with a GUI interface. Thanks!



wintermute000

Depending on the device, and depending on the specific config, it may not perform the public-facing NAT correctly if the traffic originates from inside.

Classic example: Cisco ASA, Cisco IOS (there is actually a dirty PBR trick you used to do to make it do this).


ggnfs000

Mind sharing? The router appears to be something called a Sagemcom 5260, thanks.
Otherwise I have to create two different versions of it.

SimonV

It's quite a common problem. Some of your options:

- Use DNS hostnames and do split DNS, but this requires you to host an internal copy of your external zone with internal IP addresses where required.
- Configure NAT Hairpinning, example: https://kb.juniper.net/InfoCenter/index?page=content&id=KB24639
- If your destination server is in a segment that always crosses the firewall, regular DNAT will do.

And probably a dozen other band-aid solutions. I would pull out that Sagem and replace it with a proper firewall.
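
As an added illustration (not code from any poster in this thread) of why a plain port forward works from outside but stalls for a client on the same LAN, and why the hairpinning option above also rewrites the source address, here is a small Python model of the three flows; 10.0.0.1 as the router's LAN address and 198.51.100.7 as an outside client are assumed, constructed values.

```python
from dataclasses import dataclass

PUBLIC_IP = "71.202.A.B"      # the thread's anonymized public address
ROUTER_LAN_IP = "10.0.0.1"    # assumed LAN address of the cable router
LAN_PREFIX = "10.0.0."
DNAT_RULES = {(PUBLIC_IP, 22): ("10.0.0.22", 22)}  # the port forward from the thread

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def in_lan(ip):
    return ip.startswith(LAN_PREFIX)

def router_forward(pkt, snat_hairpin):
    """Apply the DNAT rule. With snat_hairpin, a LAN-originated flow also gets
    its source rewritten to the router, so the server's reply must return via
    the router instead of going straight back to the client."""
    target = DNAT_RULES[(pkt.dst, pkt.dport)]
    src = ROUTER_LAN_IP if (snat_hairpin and in_lan(pkt.src)) else pkt.src
    translated = Packet(src, pkt.sport, target[0], target[1])
    return translated, (pkt, translated)  # conntrack entry: original <-> translated

def router_reverse(reply, conntrack):
    """Undo both translations for a reply that matches the conntrack entry."""
    orig, translated = conntrack
    if (reply.src, reply.sport, reply.dst, reply.dport) != (
            translated.dst, translated.dport, translated.src, translated.sport):
        return None
    return Packet(orig.dst, orig.dport, orig.src, orig.sport)

def ssh_via_public_ip(client_ip, snat_hairpin):
    """Return the SYN-ACK as seen by the client, or None when the handshake
    stalls. The client only accepts a reply coming from PUBLIC_IP:22."""
    syn = Packet(client_ip, 50000, PUBLIC_IP, 22)
    fwd, conntrack = router_forward(syn, snat_hairpin)
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)  # server answers what it saw
    if in_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        # Same subnet: the server answers the client directly, the router never
        # sees the reply, and the client gets a SYN-ACK from 10.0.0.22 that
        # matches no socket it opened, so the connection hangs.
        return None
    reply = router_reverse(reply, conntrack)
    if reply and (reply.src, reply.sport) == (syn.dst, syn.dport):
        return reply
    return None
```

Run with an outside client and no SNAT, a LAN client and no SNAT, and a LAN client with SNAT to see the first and third succeed and the second stall.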

deanwebb

I would not allow SSH open to the Internet. You're better off with a VPN with 2FA security on it.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Sounds like a job for split-brain DNS. When going out to a public IP, the DNS server sees that the server is on the inside and provides the internal IP address back.

My Moral Fibers have been cut.