
NAT problem


MC

Nov 18, 2003, 4:59:16 PM
Hi,

Our internet connection to our LAN is T1 and our public IP address to Border
Manager is provided by our Internet provider.

I have 6 servers with NAT entry in Border Manager 3.6 and they can access
internet no problem.
I wanted to add another server with NAT, the moment I add NAT, the server
that I am trying to put NAT for cannot access the internet.
If I remove the NAT, that server starts accessing the internet. I don't
understand why.
(Note: we don't use default filters, we blocked most of the ports except
default HTTP, TCP and SMTP ports)

1) Do I need my internet provider to put a pointer (Public name) record for
this server in order to let this server access internet
(I think, this may be the reason why because public IP we assign to this
server at BM, is not defined by our internet provider)
2) If #1 is false, do filters have anything to do with it? (Remind you, any
workstation in my LAN can access internet)

MC


Craig Johnson

Nov 18, 2003, 8:34:06 PM
In article <UCwub.4005$I04....@prv-forum2.provo.novell.com>, Mc wrote:
> I wanted to add another server with NAT, the moment I add NAT, the server
> that I am trying to put NAT for cannot access the internet.
>
Did you add a secondary IP address for the new static NAT pair?

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

MC

Nov 19, 2003, 9:40:23 AM
What do you mean secondary IP?
MC

"Craig Johnson" <cra...@ix.netcom.com> wrote in message
news:VA.0000336...@ix.netcom.com...

MC

Nov 19, 2003, 10:44:08 AM
Yes, that is done.
The server has internal static IP address. So in border manager, I put
public IP address that points to private IP address. (I did not know if BM
would allow you to add a public IP and not have any pointer record as
private IP)
MC


"Craig Johnson" <cra...@ix.netcom.com> wrote in message

news:VA.0000337...@ix.netcom.com...
> Static NAT requires you to map a public IP address to a private IP
> address. The public IP address must be a secondary IP address. If you
> simply type a public IP address in the static NAT setup without
> actually adding to the public interface, you will have the exact
> symptoms you describe. You need to add the public IP address to be
> used with the ADD SECONDARY IPADDRESS x.x.x.x command (also in
> autoexec.ncf). DISPLAY SECONDARY IPADDRESS will show the addresses in
> use. (NW 6.5 can also add secondaries in INETCFG).
>
> Have a look at the URL below. You might be interested in my book on
> configuring BMgr filter exceptions, which covers static and dynamic
> NAT, and how filtering works with them.

Craig Johnson

Nov 19, 2003, 11:54:27 AM
In article <cdMub.4763$I04....@prv-forum2.provo.novell.com>, Mc wrote:
> Yes, that is done.
>
What is done? Both Static NAT and secondary public IP address?

If both are done, you may have a filtering issue. (You could try a
quick test with UNLOAD IPFLT to disable filtering).

Filter exceptions for static NAT need to call out the internal IP
address of the NAT host, not a public IP address. (Or IP address=Any).

MC

Nov 19, 2003, 4:10:41 PM
OK, in Border Manager Inetcfg, I go to Bindings-->Public
Interface(TCP/IP)-->Configure TCP IP bind options-->Expert TCP
options-->NAT-->NAT Table and I insert Public address and private address.

Where else (which menu or config file) do you add Secondary IP address for
the new static NAT pair? and what would this secondary address do?
(When you say secondary IP, in my mind, I should have a second IP address
for this server?)

Regards, and thanks


"Craig Johnson" <cra...@ix.netcom.com> wrote in message

news:VA.0000338...@ix.netcom.com...

MC

Nov 19, 2003, 5:01:26 PM
If you mean putting secondary IP (as the same public IP of the server) in
autoexec.ncf, then how come my other 4 internal servers don't have secondary
IP defined in Autoexec.ncf but yet, they have no problem accessing internet.
I looked at filters cfg to see if anything special defined for those servers
that NAT defined for them and have no problem, and there is nothing special.
All working servers with NAT setup in BM was setup by previous CNE employee.
I am looking at their config but can't see anything different but yet I am
missing something.
Thanks
MC

I see a lot of similar problem of others in regards to this, but

"MC" <ozop...@hotmail.com> wrote in message
news:l%Qub.5226$I04....@prv-forum2.provo.novell.com...

Craig Johnson

Nov 19, 2003, 9:39:46 PM
In article <WKRub.5324$I04....@prv-forum2.provo.novell.com>, Mc wrote:
> If you mean putting secondary IP (as the same public IP of the server) in
> autoexec.ncf, then how come my other 4 internal servers don't have secondary
> IP defined in Autoexec.ncf but yet, they have no problem accessing internet.
> I looked at filters cfg to see if anything special defined for those servers
> that NAT defined for them and have no problem, and there is nothing special.
> All working servers with NAT setup in BM was setup by previous CNE employee.
> I am looking at their config but can't see anything different but yet I am
> missing something.
>
You really might want to get my filtering book, as it explains all this in
detail, with examples.

You only need secondaries for static NAT, in the configuration we are
discussing. But NAT is only being used when bypassing the proxies. If those
internal hosts are doing proxy-based access, they will not be using NAT, and
not notice missing IP addresses.

Also, if the proxy is configured with those extra public IP addresses (as
'public'), they will be automatically loaded when proxy loads, and then static
NAT will be able to use them.

MC

Nov 20, 2003, 9:03:13 AM
I don't use proxy.
I have NAT table, and I have filters configured to deny all ports with
exception table. In the exception table,
I have certain servers with IP address defined as to which ports they will
be allowed to use and access.
MC

"Craig Johnson" <cra...@ix.netcom.com> wrote in message

news:VA.0000339...@ix.netcom.com...

Craig Johnson

Nov 21, 2003, 11:03:15 AM
DISPLAY SECONDARY IPADDRESS at the server console.

Do you see secondary IP addresses? Is the one for the new static NAT
not there? If so, add it.

Craig Johnson

Nov 21, 2003, 1:13:52 PM
ADD SECONDARY IPADDRESS x.x.x.x

Put that in autoexec.ncf.

(You really might benefit from one or both of the books mentioned in
the URL below...<g> All of this stuff is covered.)

MC

Nov 21, 2003, 2:04:08 PM
I have 14 public IP address entries when I displayed secondary IP address,
however, none of them were added to Autoexec.ncf file. It looks like when
you use the console command line, it saves it somewhere but where, do you
know?
We use Border Manager 3.6.
I learnt that inetcfg does not yet support such feature,

In regards to purchasing your book, unfortunately our company will phase out
Novell platform to move more user friendly (if not as powerful as Novell)
firewall. It would be great for me to have as a reference until though.
I will see if I could get my boss to approve.

Regards,
MC


"Craig Johnson" <cra...@ix.netcom.com> wrote in message

news:VA.000033c...@ix.netcom.com...

MC

Nov 21, 2003, 2:06:28 PM
Why do we have to add it to autoexec.ncf?
After all, I don't see any of the secondary IP addresses in that file.
MC

"Craig Johnson" <cra...@ix.netcom.com> wrote in message

news:VA.000033c...@ix.netcom.com...

Craig Johnson

Nov 21, 2003, 5:41:43 PM
I've tried to tell you - if the addresses are defined in BMgr setup in
the IP Addresses section, when proxy loads, it will also add the
addresses.

If you want the addresses to load, put them in autoexec.ncf and be done
with it!

I think you would find BMgr to be a lot more user friendly than you
think, if you just understand a bit more about how it works and where
you need to go to configure this or that.

MC

Nov 24, 2003, 5:16:00 PM
Sorry for my ignorance, with your help my problem is solved but,
I still don't know where (which file) all these secondary IP addresses are
kept and how they are loaded.
I don't have proxy configured, and they are not in Autoexec.ncf either.
But yet, display secondary IPADDRESS shows them all.
Regards,
MC

"Craig Johnson" <cra...@ix.netcom.com> wrote in message
news:VA.000033c...@ix.netcom.com...

Craig Johnson

Nov 24, 2003, 10:45:41 PM
In article <Aqvwb.9103$I04....@prv-forum2.provo.novell.com>, Mc wrote:
> I still don't know where (which file) all these secondary IP addresses are
> kept and how they are loaded.
> I don't have proxy configured, and they are not in Autoexec.ncf either.
>
Is PROXY.NLM loaded?

I generally launch an NCF file from autoexec.ncf to load up the secondary IP
addresses. I suspect either proxy is loading and putting in the addresses,
or you have another NCF file being called that is adding them.

MC

Nov 25, 2003, 12:36:27 PM
No PROXY.NLM loaded
It was a file called IPADD with no extension specified in autoexec.ncf which
I thought it was some kind of NLM and that is why I did not bother to look at
that file.
It was actually IPADD.ncf file

Thank you very much.
MC


"Craig Johnson" <cra...@ix.netcom.com> wrote in message

news:VA.000033e...@ix.netcom.com...

Craig Johnson

Nov 25, 2003, 7:37:56 PM
In article <vqMwb.9694$I04....@prv-forum2.provo.novell.com>, Mc wrote:
> It was actually IPADD.ncf file
>
Cool! A good way to do it, in my opinion. I usually call my file
SECOND.NCF.

Sylvain

Dec 16, 2003, 2:42:59 PM
Same here.

I have SECONDIP.NCF in the AUTOEXEC.NCF file that refers to all secondary
ips.

>>> Craig Johnson<cra...@ix.netcom.com> 11/25/2003 7:37:56 PM >>>
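
Added example, not part of any post in this thread: a small Python audit for the check the thread converges on, namely that every static NAT public address has a matching `ADD SECONDARY IPADDRESS` line in autoexec.ncf or in an NCF file it calls (IPADD.NCF here). The file contents, the NAT table and the addresses are constructed, and treating `#`, `;` and `REM` as NCF comment markers is an assumption.

```python
import re

# Constructed sample files (names follow the thread; contents are made up).
# Keys are upper-case file names including the .NCF extension.
NCF_FILES = {
    "AUTOEXEC.NCF": "# constructed sample\nLOAD TCPIP\nIPADD\n",
    "IPADD.NCF": (
        "; constructed, documentation-range addresses\n"
        "ADD SECONDARY IPADDRESS 203.0.113.10\n"
        "add secondary ipaddress 203.0.113.11\n"
        "REM ADD SECONDARY IPADDRESS 203.0.113.12\n"
    ),
}
# Constructed static NAT table: public address -> private address.
STATIC_NAT = {
    "203.0.113.10": "10.0.0.10",
    "203.0.113.11": "10.0.0.11",
    "203.0.113.12": "10.0.0.12",
}

ADD_RE = re.compile(
    r"ADD\s+SECONDARY\s+IPADDRESS\s+(\d{1,3}(?:\.\d{1,3}){3})\b", re.I)
COMMENT_RE = re.compile(r"(#|;|REM\b)", re.I)  # assumed comment markers


def secondaries(name, files, seen=None):
    """Addresses added by NCF file `name` and by any NCF file it calls."""
    seen = set() if seen is None else seen
    key = name.upper()
    if not key.endswith(".NCF"):
        key += ".NCF"          # a bare word such as IPADD means IPADD.NCF
    if key in seen or key not in files:
        return set()           # already visited, or not an NCF file we hold
    seen.add(key)
    found = set()
    for raw in files[key].splitlines():
        line = raw.strip()
        if not line or COMMENT_RE.match(line):
            continue
        m = ADD_RE.match(line)
        if m:
            found.add(m.group(1))
        else:                  # first word may name another NCF file
            found |= secondaries(line.split()[0], files, seen)
    return found


def missing_secondaries(nat, files, start="AUTOEXEC.NCF"):
    """Static NAT public addresses that no startup NCF file adds."""
    have = secondaries(start, files)
    return sorted(pub for pub in nat if pub not in have)

if __name__ == "__main__":
    print("NAT public IPs without a secondary:", missing_secondaries(STATIC_NAT, NCF_FILES))
```

Addresses that the proxy loads from the BorderManager IP Addresses setup never appear in an NCF file, so a hit from this check should be confirmed against DISPLAY SECONDARY IPADDRESS on the server console.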
