NAT vs ROUTE to public NIC interface



  • NOTE:  Sample public ip - 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5

    I have an application server that requires two NICs.  One NIC is the internal interface and the other is the external interface.  The external needs to have a public IP address.  The documentation says no NAT allowed.  It did not state one-to-one NAT or one-to-many - am I to assume ALL NATs?

    Question:

    1 - When it says no NAT allowed, does it mean NOT even ONE-to-ONE NAT?  I mean, how do companies today assign a public IP inside the firewall to one of their servers?

    2 - I heard that you obviously can assign a public ip directly onto the external interface of the server, but say that public ip is 1.1.1.2 - do I also need to put that entry on my FW (part of Virtual IP)?

    In this case I have ONE-to-ONE or ROUTE option to the public interface of server - can someone also clarify how it would actually ROUTE (not NAT) to the servers public ip along with my other public ip?

    The application in this case is OCS 2007 R2 or Microsoft Office Communications Server 2007 R2.  I would prefer the ONE-to-ONE NAT approach.

    Any feedback is appreciated.



  • OCS 2007 R2 does not support destination address/port translation (DNAT), but it will work with source address/port translation (SNAT).
    Why?  Because DNAT has some peculiarities when one of those physical OCS servers behind the load balancer wants to communicate with a different OCS server in the same pool and wants to load balance that communication as well.  There's no good way to make this work with DNAT.  With SNAT, this works just fine.

    http://technet.microsoft.com/en-us/library/dd441361(office.13).aspx

    Your Topic Title is a little misleading.



  • Not sure why it is a misleading title… the thought I had was that OCS can work either using NAT or routing via the FW.  I am in no way a networking expert, but in the case of SNAT you said it'll work.  So is a One-to-One configuration an SNAT?  Sorry if elementary.  For the past few years, all my servers have had internal range IP addresses, and if I just needed a public IP address going directly to a particular server, I just used the ONE-to-ONE option (not knowing the exact NAT technical term); basically assign the public IP on the FW itself and have it mapped to an internal IP - that's it.  I hope that is how it works also on OCS 2007 R2.  Can you clarify if it will work using ONE-to-ONE NAT?  Terminology may be my problem here.  Thank you for your input.

    NOTE:  SNAT I take as STATIC NAT



  • Yep. It should work with 1-to-1 NAT. If it doesn't, let me know.



  • Thank YOU!  You don't realize how hard that answer has been to obtain for me - ONE-to-ONE works!  Couple more if you don't mind…

    1 - What would you do in my case - ONE-to-ONE or something else?  What have you done in this scenario?

    2 - Does this apply to LCS 2005, OCS 2007, and OCS 2007 R2?  I am assuming you have a good amount of experience in this.  Which, in your experience or opinion, would ONE-to-ONE work on - all 3 software products above (this is all for knowledge - not necessarily implementing)?  This also clarifies a lot of what I have been trying to understand in reading the docs.

    Many thanks again, what a relief.



  • I apologize.
    I have never deployed OCS 2007 R2 in any environment. I just found your answer by using Google.

    I can tell you that LCS 2005 and OCS 2007 support the NAT you are more familiar with. One-to-One NAT will work with all of them.
    Go with the software that you require, that fits your business needs. I would stick with OCS 2007 R2 since it's up and running.

    Sorry to disappoint you, but I am not even certified on OCS server.



  • Back to square one - now you will see why I am getting confused.

    http://blogs.3sharp.com/deving/archive/2008/04/11/security-and-the-ocs-2007-av-edge-role.aspx - specifically…

    Public IP address. The A/V Edge server needs to have a publicly routable IP address. This address must be publicly routable; you can't fudge it by giving it an IP address in a private range (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) and do any sort of NAT to it. 1:1 NAT or static NAT mapping won't do the trick here. You can and should have a firewall between it and the Internet, but it can't be doing any address translation.

    Getting further - http://blogs.pointbridge.com/Blogs/mcgillen_matt/Pages/Post.aspx?_ID=61

    I just wondered how the FW (pfSense in this case) was configured withOUT ONE-to-ONE before.



  • ok,
    OCS 2007 could use NAT, DNAT and SNAT. With R2 those requirements changed. R2 will work with SNAT. Configure it with 1-to-1 and give it a try. Enable NAT reflection if you have problems.

    Try it and let us know. If we get it working, we will document it.
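The thread keeps circling around what "ONE-to-ONE NAT" actually is, so here is a small model of it, added as an illustration and not part of the original thread or of pfSense itself. It treats a 1:1 (static) mapping as what it really is on a firewall: a DNAT rule applied to traffic arriving on the WAN side paired with an SNAT rule applied to traffic leaving toward the WAN, so the same server has one private address inside and one public address outside. It also shows the two cases the thread touches on: a public IP that is simply routed through the firewall with no translation at all, and a LAN host talking to another mapped host's public address, which only reaches the server when the DNAT rule is also applied on the LAN side (the "NAT reflection" the last reply mentions). The public addresses 1.1.1.x are the sample values from the opening post; 10.0.0.x, 203.0.113.7 and the firewall's LAN address 10.0.0.1 are constructed for this example, and the reflection behaviour is a simplified model of the general mechanism, not a description of any specific pfSense mode.

```python
"""Model of 1:1 (static) NAT on a two-interface firewall.

Added example, not code from the forum thread or from pfSense. Addresses
are sample/constructed values. The model is stateless and only rewrites
IP addresses; ports are carried through untouched.
"""
from dataclasses import dataclass, replace

# Constructed: the firewall's own LAN-side address, used as the SNAT source
# for reflected (hairpinned) connections so replies come back through it.
FIREWALL_LAN_IP = "10.0.0.1"


@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination port (carried through unchanged)


class OneToOneNat:
    """A set of static public<->private mappings on a WAN/LAN firewall."""

    def __init__(self, mappings):
        # mappings: {public_ip: private_ip}, one private host per public IP
        self.pub_to_priv = dict(mappings)
        self.priv_to_pub = {priv: pub for pub, priv in mappings.items()}

    def inbound(self, pkt):
        """WAN ingress: DNAT the destination if it is a mapped public IP.
        An unmapped public destination is left alone, i.e. it is routed."""
        if pkt.dst in self.pub_to_priv:
            return replace(pkt, dst=self.pub_to_priv[pkt.dst])
        return pkt

    def outbound(self, pkt):
        """WAN egress: SNAT the source if it is a mapped private IP, so the
        server is seen outside under its public address."""
        if pkt.src in self.priv_to_pub:
            return replace(pkt, src=self.priv_to_pub[pkt.src])
        return pkt

    def forward(self, pkt, ingress, reflection=False):
        """Return (egress_interface, packet_as_delivered) for a packet
        arriving on `ingress` ("wan" or "lan")."""
        if ingress == "wan":
            return ("lan", self.inbound(pkt))

        # LAN ingress: a LAN host addressing a mapped *public* IP.
        if pkt.dst in self.pub_to_priv:
            if not reflection:
                # The DNAT rule is bound to WAN ingress only, so the packet is
                # simply routed out toward the public address and the internal
                # server behind the mapping never sees it.
                return ("wan", self.outbound(pkt))
            # Reflection: apply the DNAT on the LAN side too, and SNAT the
            # source to the firewall so the server's reply returns via the
            # firewall instead of going host-to-host with mismatched addresses.
            return ("lan", Packet(src=FIREWALL_LAN_IP,
                                  dst=self.pub_to_priv[pkt.dst],
                                  dport=pkt.dport))

        # Ordinary LAN -> Internet traffic.
        return ("wan", self.outbound(pkt))


def demo():
    """Walk through the cases discussed in the thread; returns them as a dict."""
    nat = OneToOneNat({"1.1.1.2": "10.0.0.2", "1.1.1.3": "10.0.0.3"})
    remote = "203.0.113.7"  # constructed remote peer address
    return {
        # Internet -> mapped public IP: DNAT to the internal server.
        "inbound_mapped": nat.forward(Packet(remote, "1.1.1.2", 5061), "wan"),
        # Internal server -> Internet: SNAT to its public IP.
        "outbound_mapped": nat.forward(Packet("10.0.0.2", remote, 5061), "lan"),
        # Internet -> an unmapped public IP: routed, no translation at all.
        "routed": nat.forward(Packet(remote, "1.1.1.4", 5061), "wan"),
        # LAN host -> another mapped host's public IP, without and with reflection.
        "hairpin_no_reflection": nat.forward(Packet("10.0.0.2", "1.1.1.3", 5061), "lan"),
        "hairpin_reflection": nat.forward(Packet("10.0.0.2", "1.1.1.3", 5061), "lan",
                                          reflection=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The routed case is the one the A/V Edge documentation quoted earlier is asking for: the firewall still filters the packet, but the server's own address is the public one and nothing is rewritten. The hairpin case is why "enable NAT reflection" comes up when pool members address each other by public IP from inside.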

