More things that NAT breaks?

Let's say I run a webserver with a secured website that I want only an IP address to have access from. For example, the webserver is at the office and I only want me and me only to have access to it from my house. Both work and home have a static IP.

However, the webserver at work is behind a NAT router. Because the way NAT works is that it translates one IP to another, how does the webserver behind it know that the incomming request is from me at home? I mean what the webserver sees is the LAN IP of the NAT router and not my real home IP right?

I know I can use username and password to authenticate myself, but the point here I want in addition to username and password, I also want authentication by the IP of the incomming request from my home. Is there a way to have both of these access restrictions? Basically, a workaround solution for NAT in this context?

 

Tony, you are wrong. NAT stands for "Network Address Translation ". Translating IP addresses is exactly what it does.

However, I agree that moboking should enable authenication on the server as well as setting up firewall rules.

When sending a packet of information out of a network NAT will translate the FROM IP address to either another address (proper NAT) or the router's address (port address translation - PAT, NAPT or dynamic NAT). It does not change the TO IP address.

When receiving a packet from the outside NAT will translate the TO IP address but not the FROM IP address.

As a result if you are outside network and send a packet to a system inside the network the IP information for the external PC will be unaffected

Using a PAT example:

Packet sent from external system
<TO: Router's IP address> <FROM: external system's IP address>

{Router's IP address = the external IP address of the NAT router at the web server's site}

When it gets to the router, NAT determines the right recepient (from the port information) and translates the TO field so that the packet gets forwarded to the right internal system:
<TO: internal IP> <FROM: external system's IP address>

Packet sent to external system
<FROM: internal IP> <TO: external system's IP address>

When this gets to the router, it translates the FROM field and maps the from port number it uses to the internal IP address so it know where to send the replies.
<FROM: Router's IP> <TO: external system's IP address>

Therefore any rules you have on the webserver to block or allow certain external IP address to access the system will be unaffected by NAT running on the local router.

However, note that if your Home system is connecting via a NAT router, the FROM IP address that arrives at the web server will be the home router's external IP address and not the IP address of the home PC.

 

My point is let's see this from the webserver's point of view. The whole point of NAT is the outside world does not see the private network and the private network does not see the outside Internet at least not directly. When a client behind NAT broadcasts a public IP, it broadcasts that IP to all the other computers within its LAN's subnet and of course, there will be no reply from these clients. However, the gateway does reply and knows that the data needs to escape so it relays this to the outside world. This gateway is the NAT router.

Now in IIS at my office, I can tell it not to accept any incoming data from any IP except from one, ie my home WAN IP. Unfortunately IIS is behind a NAT router. Therefore, when the incoming request http data stream at port 80 which correctly matches the router's WAN IP hits the router, the router translates this WAN IP to the LAN IP of the webserver and forwards the data to it on port 80. However, from the point of view of the webserver, the incoming data at port 80 comes from 192.168.1.1 (default Linksys NAT router's LAN IP) but IIS is programed to accept only the IP of say... 68.12.12.12 which is my home IP so IIS would block the incoming request "from" the router because 192.168.1.1 is not 68.12.12.12. Basically, IIS is not smart enough to know that this incomming request's source IP has been translated.

I am not clear on this DMZ business. In my Linksys NAT router, there is an option to put a particular client in the DMZ. What does this mean? Ok, let's say the NAT router's WAN IP is 69.1.1.1 and its LAN IP is 192.168.1.1. If this client is in the DMZ, the router does not translate any IP at all when it assign an IP to this DMZ client? In other words, this DMZ client will get an IP of 69.1.1.1 and not 192.168.1.x?

 

Spot on!!!!!

 

No. How it works is:

When a PC using TCP/IP wishes to send a message to another computer, it will sends it to the IP of the PC of that computer. It does not broadcast it. (see hub note below). If it doesn't know the address it may send a broadcast to see if any of the local machines have that address cached, but if it can't find the address it won't send the information.

When sending the information, the PC will compare the IP address with its own IP address using the subnet mask to determine if the IP address is on the same subnet as itself (by doing a logical AND of IP with Mask and comparing the results. If the results are the same the two IPs are on the same subnet).

If the subnets are the same the PC will first use ARP to get the MAC address of the recipient computer (if it isn't in its cache) and then send the packet out directly to the MAC address of the recipient PC. If IP addresses are on different subnets, the computer sends the packet to the MAC address of the default gateway (your router). The IP "TO" field is still that of the recipient PC, it is the level 2 MAC address that is that of the router.

Routers block/ignore broadcasts. They do not sit listening for any packets destined for outside the network. They only process packets sent to them directly at the layer 2 level (MAC).

Hub note, hubs work at layer 1 and cannot destinguish between different MAC addresses. If you are on a hubbed network, you will receive all packets sent out by neighbouring PC. Those broadcast and those sent directly.