NAT & ports redirected

 
 
Mauricio_BV
Guest
Posts: n/a

 
      01-17-2008, 05:03 PM
Scenario:
- Two Windows Server 2003 SP2 servers
- Two subnets
- One internet link with a valid IP

Server 1
- NIC 10.0.0.1
- MySQL(Port 3306)

Server 2
- Nic1:10.1.1.1
- Nic2:valid internet ip
- Running RRAS (NAT & Routing)
- NAT: - Basic Firewall: enabled
- Services and ports: Port 3306 redirect to 10.0.0.1(Server1)


Problem:
- Local users (both subnets) can access MySQL (3306) OK, but users from
the Internet cannot.


Thank you in advance,

Mauricio Boa Viagem
MSCE
 
 
 
 
 
Ryan Hanisco
Guest
Posts: n/a

 
      01-18-2008, 12:58 AM
Hi Mauricio,

To have that be accessible from the Internet, you'll need either to expose
TCP/3306 to a static IP address on the Internet NIC and have MySQL listen, or
you'll need to have NAT translate to the internal address. Since this is on
the same machine though, you'd be hairpinning which usually doesn't work. In
that case you'd have to move the translation to another device.

This is a HUGE security hole though. Generally you wouldn't want to have a
consumable service on the server that is controlling a gateway. (Actually
I'd never let a server handle that -- stick with a firewall or router)


--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.


 
Mauricio_BV
Guest
Posts: n/a

 
      01-18-2008, 11:20 AM
Hi Ryan,

MySQL is working on server1 with one nic (10.0.3)
NAT/Basic firewall (RRAS) is working on server2 with internet nic and lan
NIC. The port 3306 is redirected to server1, but users from internet can't
reach

--
Mauricio Boa Viagem
MSCE


 
Ryan Hanisco
Guest
Posts: n/a

 
      01-18-2008, 01:57 PM
So, for that you'll need:

-- Static Internet IP: address
-- Secondary IP for MySQL or the single port forward
-- NAT/ PAT to do the translation
-- A route so that the public can find the 10.x.x.x
-- An ACL to let the traffic through
-- binding of MySQL so it only works on that port rather than listening on
that port and responding on a high port (unless using port inspection)


All of this is done in a few mouse clicks with ISA server, but all has to be
considered if you are just using a server or firewall for external access.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.
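The "route" item in the list above can be checked on paper before touching RRAS. The following is an added example, not part of the original posts: it models the return path of a reply from Server 1 with longest-prefix matching. The /24 masks, the internal router between the two subnets, the node names, the client addresses and the missing default route in `BROKEN` are all assumptions made for illustration; the thread does not confirm the actual cause.

```python
import ipaddress

ON_LINK = "on-link"  # destination sits on a directly attached subnet

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in routes
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def reply_path(tables, start, dst, max_hops=8):
    """Follow next hops from `start` toward `dst`; return (path, status)."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(tables.get(node, []), dst)
        if hop is None:
            return path, "dropped: no route at " + node
        if hop == ON_LINK:
            return path, "delivered"
        path.append(hop)
        node = hop
    return path, "dropped: hop limit"

def forward_ok(tables, client, nat_box="server2"):
    """A port-forwarded reply must be delivered AND cross the NAT box,
    otherwise its source address is never translated back."""
    path, status = reply_path(tables, "server1", client)
    return status == "delivered" and nat_box in path

# Constructed topology: server1 (10.0.0.1) -- router -- server2 (10.1.1.1, NAT)
BROKEN = {
    "server1": [("10.0.0.0/24", ON_LINK), ("10.1.1.0/24", "router")],
    "router":  [("10.0.0.0/24", ON_LINK), ("10.1.1.0/24", ON_LINK)],
    "server2": [("10.1.1.0/24", ON_LINK), ("10.0.0.0/24", "router"),
                ("0.0.0.0/0", ON_LINK)],  # Internet NIC, simplified
}
# Same topology with default routes pointing back toward the NAT box
FIXED = dict(BROKEN,
             server1=BROKEN["server1"] + [("0.0.0.0/0", "router")],
             router=BROKEN["router"] + [("0.0.0.0/0", "server2")])

if __name__ == "__main__":
    for name, tables in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for client in ("10.1.1.50", "203.0.113.25"):  # LAN, Internet (constructed)
            print(name, client, reply_path(tables, "server1", client))
```

With the `BROKEN` tables the LAN client is answered while the Internet client's reply dies at Server 1, which is the symptom described in the first post; compare against the real `route print` output on each box.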

