Ascend Archive
Re: (ASCEND) Q. Can you run servers behind Pipeline (running NAT)?
At 11:47 AM 11/13/97 -0800, you wrote:
>At 09:18 PM 11/12/97 -0600, Luke Parrish wrote:
>>It may be easier if you explain to him why the ip's will be be able to be
>>hit from the outside world...
>
>From the outside world all of your machines will look like they have the
>same address - that assigned by the NAS (dynamic or static - either way).
>
True. Like I said before, the client just puts in the user's "real" address,
and depending on if he is using a browser, news client, ftp client, the
pipeline will determine which local address to redirect you to.
>>First of all I am not an expert on this, but this is my understanding.
>>
>>NAT will use local addressing, meaning that "my address" will be set to
>>200.200.200.200/24 on the pipeline.
>
>The my-address is local and ONLY relevant to the machines behind it. This
>address is NEVER used on the WAN side and the rest of the world knows
>nothing about it. The assigned address is mapped by the Pipeline to all
>of the local addresses via a mapping that consists of IP/port combinations.
Yes, this address is just for local addressing in the office, that is why I
said that the 200 address will not be able to be accessed by the outside
world.
The "outsiders" will know of one address, that address being the one that
is assigned to you by your ISP.
>
>>This would allow you to dial up to
>>your ISP and receive a dynamic ip. Then the ip address that your
>>web/http/ftp servers will be on, would be 200.200.200.201 .202 .203 etc.
>
>No, they would all *LOOK LIKE* they are on the address that is "assigned" to
>you at connection time.
No, the web server HAS to have an ip address specified on it for this to
work. So they WILL have an individual local address in each box. So you
could set each server to 201 202 203, so on, of course the outside user
will not know anything about this, they will just enter in the "real"
assigned by the ISP. But if each server on the LAN does not have a local
address specified to it, then how is the pipeline going to redirect traffic
to it....
>
>>With a mask of 255.255.255.0.
>
>Not really, but....
Why is that not really, what mask should you put on each server, if not a
.0 or a /24....
>
>> What would be ideal is if your ISP could
>>provide you with say a /27 block of addresses and then you could have
>>"real" addresses for each box on your network. But there will be additional
>>costs to this, so I am sure that is why you are doing NAT.
>
>>Just don't let
>>your ISP know that you are doing it, they tend to get unhappy when they
>>find their dialup ISDN customers with machines behind their single
>>connection. I work for an ISP and we get mad, so just thought I would let
>>you know :)
>
>Interesting.....you'd rather burn IP addresses then....
No, we would rather charge them more money, which in turn we don't mind
burning ip's. If they use NAT and support an entire network behind their
single connection, then they are going around our plan of regular dialup
isdn, and network ISDN.
>
>>What you could do is direct internet traffic by your one real ip address.
>>Like all FTP traffic to port 21, and then specify a local address to route
>>all port 21 traffic to, this is done with static mappings.
>
>Yes...this is it...maybe I misunderstood what you were suggesting above.
>
I think you did, no big deal.
>>But the reason that these addresses are not able to be reached from the
>>outside is that these are "local addresses".
>
>But you don't care about that. To the outside world they are all on the
>same "assigned" address.
>
Very true. Like I said above the outside world will never know that the ip
address of each server is actually .201 .202 .203...
>>Which means they are being
>>used all over the world by many networks as local addresses. So let's say I
>>did a trace to 200.200.200.201, it will go nowhere, cause it knows that it
>>is assigned for local addressing.
>
>The outside world knows nothing about your local/private addressing scheme.
>
Did I ever say that they did? I was just trying to explain to him what
"local" addresses are.
>>And when you say that it sounds doable, I have found that if you sit down
>>and actually read through one of the manuals they send out, and a .pdf on
>>the 5.1A code, (took me a while to figure the whole manual thing out), then
>>you can do almost everything with these little bad boys.
>
>Ah, so we do agree....
>
>It is pretty clear from the 5.1A release notes that this can be done....
>
Yeh we do agree on this entire subject, I just think you misunderstood what
I said at the beginning...
>>At 06:26 PM 11/12/97 -0500, you wrote:
>>>>Yes you can run them, but users from the outside world will not be able to
>>>>hit them.
>>>
>>>
>>>That's too bad.
>>>
>>>>I totally don't understand what you mean by "The DNS effectively becomes
>>>>the router", as they are two TOTALLY different things, doing two TOTALLY
>>>>different functions, but your overall answer is NO. Go buy a Motorola
>>>>BitSucker Pro for $150, and save some cash.
>>>
>>>Oops. Sorry for my misuse of the terms. What I mean to say is that with a TA
>>>as a NIC sitting in the same machine as the DNS, one can effectively turn
>>>the Server into routing the LAN. Then with multi-homing on a single IP, I can
>>>run other servers on the subnet.
>>>
>>>But I don't like this solution because it means dedicating one machine for
>>>the task and using the software to solve it instead of letting the hardware
>>>(pipeline) handle this.
>>>
>>>I am still hoping a solution is available. Maybe something like setting the
>>>default route to a specific machine. That is, if an unsolicited packet is
>>>sent to the pipeline 75, it will automatically (by default through some sort
>>>of configuration on p75) be routed to a specific machine. It should be
>>>doable, at least conceptually.
>>>
>>>Thanks.
>>>
>>>Edwin
>>>
>>>
>>>
>>>>
>>>>Scott R. Chrestman
>>>>System Administrator
>>>>Netropolis Communications Corp.
>>>>src@netropolis.net
>>>>
>>>>
>>>
>>>++ Ascend Users Mailing List ++
>>>To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
>>>To get FAQ'd: <http://www.nealis.net/ascend/faq>
>>>
>>>
>>
>>
>>* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>>* Luke Parrish * Email lparrish@iamerica.net *
>>* LDS-iAmerica, ISP * Email luke@ciscokid.iamerica.net *
>>* Network Engineer * Phone 1-800-789-6062 x3010 *
>>* AS 4958 * http://cust.iamerica.net/lparrish *
>>* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>>* The Internet is our friend. *
>>* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>>
>>
>
>Kevin
>
>
>
>
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Luke Parrish * Email lparrish@iamerica.net *
* LDS-iAmerica, ISP * Email luke@ciscokid.iamerica.net *
* Network Engineer * Phone 1-800-789-6062 x3010 *
* AS 4958 * http://cust.iamerica.net/lparrish *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* The Internet is our friend. *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
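
Added example, not part of the original message and not Ascend's configuration syntax: a small Python model of the many-to-one NAT behaviour this thread argues about, showing which inbound packets reach a LAN server and which are dropped. The WAN address 192.0.2.10, the class and function names, and the `default_server` field (a stand-in for Edwin's "route unsolicited packets to one machine" idea) are assumptions; the 200.200.200.x local addresses are the ones used in the thread.

```python
from dataclasses import dataclass, field

@dataclass
class PortNat:
    """Toy many-to-one NAT; names and fields are illustrative, not Ascend's."""
    wan_ip: str                                  # address assigned by the ISP
    static: dict = field(default_factory=dict)   # (proto, wan_port) -> (lan_ip, lan_port)
    default_server: str = ""                     # hypothetical catch-all LAN host ("" = none)
    dynamic: dict = field(default_factory=dict)  # learned from outbound traffic
    next_port: int = 50000

    def outbound(self, proto, lan_ip, lan_port):
        """A LAN host connects out: its source becomes wan_ip plus a mapped port."""
        for (p, wan_port), src in self.dynamic.items():
            if p == proto and src == (lan_ip, lan_port):
                return self.wan_ip, wan_port
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[(proto, wan_port)] = (lan_ip, lan_port)
        return self.wan_ip, wan_port

    def inbound(self, proto, dst_ip, dst_port):
        """Return the LAN (ip, port) a WAN packet is delivered to, or None if dropped."""
        if dst_ip != self.wan_ip:
            return None                  # local addresses do not exist on the WAN side
        key = (proto, dst_port)
        if key in self.static:           # published server: reachable unsolicited
            return self.static[key]
        if key in self.dynamic:          # reply to a connection opened from inside
            return self.dynamic[key]     # (simplified: remote endpoint not checked)
        if self.default_server:          # catch-all exposes every port of that host
            return self.default_server, dst_port
        return None

    def exposed(self):
        """What the outside can reach without the LAN initiating anything."""
        rows = [f"{p}/{port} -> {ip}:{lp}" for (p, port), (ip, lp) in sorted(self.static.items())]
        if self.default_server:
            rows.append(f"all other ports -> {self.default_server}")
        return rows

def build_example():
    # Constructed sample: 192.0.2.10 stands in for the ISP-assigned address.
    return PortNat("192.0.2.10", static={("tcp", 21): ("200.200.200.201", 21),
                                         ("tcp", 80): ("200.200.200.202", 80)})

if __name__ == "__main__":
    nat = build_example()
    print(nat.inbound("tcp", "192.0.2.10", 25))  # unmapped and unsolicited
    print(nat.exposed())
```

The `exposed()` listing is the inventory to review when publishing servers this way: each static mapping is a service open to the whole Internet, and a catch-all host is open on every port that is not otherwise mapped.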