In my previous post, Router URL Filtering using NBAR, I explained how it was possible to block users from accessing websites simply by using NBAR, a class-map and a policy-map.
In this post I’ll describe how you can redirect your users’ web requests instead of simply blocking them. This time we’ll use NAT instead of NBAR.
For this example, let’s say you’d prefer everyone on your network to use Google instead of Yahoo, so every time someone goes to Yahoo.com, they’ll be re directed to Google.com.au
To do this, you’ll need to obtain the web server IP addresses for both Yahoo and Google. This can be done easily enough with a ping:
Pinging yahoo.com [184.108.40.206] with 32 bytes of data:
Pinging google.com.au [220.127.116.11] with 32 bytes of data:
In my previous blog entry, Multiple Public IP NATing to Multiple Hosts, I described how you can use “one to one” NATing to allocate one public IP address per internal host. This is a great solution for those who have multiple public IPs, however, these usually come at an added monthly cost.
An alternative to this method would be to run your services on different port numbers. For example, if you have three web servers, you could run one on port 80, the next on port 8080 and the last one on port 8081. However, some System Administrators do not like forcing their applications to run on non-standard ports and some applications may not even offer you the option.
So how do we fix this issue you ask? Rather than do the port change on the application(s) themselves, you can simply do it on the router itself. This is a great solution because the applications themselves do not need to be changed and you’ve got a central point of configuration for all of the port changes. Also, should you decide to invest in additional IP addresses later on down the track, you can migrate the server(s) to their new IP address(es) by simply changing a few lines of configuration.
Using the diagram below, I’ll describe how you can achieve this:
I have seen quite a lot of ask the question, “how do I NAT multiple public IPs to multiple inside hosts?”. I think what confuses most people is when they are given two different subnets. As per the diagram below, R1 has a 203.43.94.x address for its internet connection and a 94.56.43.x range for its internal hosts.
This type of configuration is known as “one to one” NATing. What it does is statically map an internal host’s IP address to an external IP address.
Note: Please also see the Single Public IP NATing to Multiple Hosts post for a similar setup but using only a single public IP address.
As per the diagram below, the mappings are as follows:
- R2’s Private IP is 192.168.45.2 and its public IP is 18.104.22.168
- R3’s Private IP is 192.168.45.3 and its public IP is 22.214.171.124
- R4’s Private IP is 192.168.45.4 and its public IP is 126.96.36.199
With these mappings, all traffic sent from R2 on to the internet will leave with a source IP address of 188.8.131.52. When traffic is sent from R3 on to the internet, it’s source IP address will be 184.108.40.206, and so on.
The true is in reverse too. For example, when traffic from the internet is sent to 220.127.116.11, it will be sent to the host with the IP address 192.168.45.2 (R2), when traffic from the internet is sent to 18.104.22.168, it will be sent to the host with IP 192.168.45.3 (R3), and so on.