NAT problem

Tags:
Cabling
Hardware
Hubs
Networking
Performance management
Routers
Switches
Web services
Hi All, I am running a web application designed using SOAP. This application is linked to a database and serves data to the web using IIS. The application is using the internal IP address 10.10.10.21. A router was configured to map all traffic from a specific external IP address, say 198.168.1.3, to be routed to 10.10.10.21 on port 443 for SSL. Typing in https://198.168.1.3 will allow me to access the server; however, I cannot communicate with the database. It seems to me that the fact that the certificate was created with the IP address 10.10.10.21 prevents communication with any other IP address. I am being told I need to run 2 web servers, as I need users internally to communicate on 10.10.10.21 and external users on 198.168.1.3. I should point out that if I use a VPN I can get access. Any ideas? TIA, Robert

Answer Wiki


Hi Robert,

I don’t know much about database or web apps, but I’ll throw in my 2c in case it helps…

IP 192.168.1.3 is not external, but I assume you only used that as an example. Do you get any error message when you try to communicate with the webserver, and with the database? Anything in the webserver logs?

If the same web app is going to be used internally & by external users, why don’t you create a certificate linked to a URL, like myapp.mycompany.com, instead of to an IP address (make sure the name record is publicly available)?

Is the database on the same machine as the webserver? Hope not, because it’d be pretty risky (IIS is notorious for break-ins, leaving your database wide open). If the database is in your LAN (or DMZ) and the IIS in a (different) DMZ, you may have some routing issues.

Best of luck,

Hedgehog
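To illustrate Hedgehog's certificate suggestion, here is an added example (not code from the thread) that simulates what a browser checks: the certificate's Subject Alternative Name (SAN) list is matched against the host the user typed, never against the address the packets were NAT'd to. The name myapp.mycompany.com, the split-horizon DNS records and the SAN lists are constructed for the example; the SAN tuples mirror the shape Python's ssl.getpeercert() returns.

```python
import ipaddress

def san_matches(san, target):
    """RFC 6125-style check: does this SAN list cover the URL host?
    IP targets only match 'IP Address' entries; names only match 'DNS'
    entries (exact, or a single left-most wildcard label)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    host = target.lower().rstrip(".")
    for kind, value in san:
        if kind == "IP Address" and ip is not None:
            if ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and ip is None:
            pattern = value.lower().rstrip(".")
            if pattern == host:
                return True
            # "*.mycompany.com" covers exactly one extra label, no more
            if (pattern.startswith("*.")
                    and host.count(".") == pattern.count(".")
                    and host.split(".", 1)[1] == pattern[2:]):
                return True
    return False

# Certificate as described in the question: issued for the LAN IP only.
CERT_IP_ONLY = (("IP Address", "10.10.10.21"),)
# Certificate following the suggestion above: issued for the DNS name.
CERT_BY_NAME = (("DNS", "myapp.mycompany.com"),)

# Constructed split-horizon DNS: the same name resolves to the LAN address
# for internal clients and to the router's public address for everyone else.
SPLIT_DNS = {"myapp.mycompany.com": ("10.10.10.21", "198.168.1.3")}

def resolve(name, internal):
    return SPLIT_DNS[name][0 if internal else 1]

def connect(san, typed_host, internal):
    """Simulate one client: resolve the typed host (unless it is already an
    IP), then verify the server's SAN against what was typed.
    Returns (address the client connected to, certificate accepted?)."""
    try:
        ipaddress.ip_address(typed_host)
        addr = typed_host
    except ValueError:
        addr = resolve(typed_host, internal)
    return addr, san_matches(san, typed_host)
```

With the IP-only certificate an external user typing the public address is refused, while the name-based certificate is accepted on both paths because everyone types the same name.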

Discuss This Question: 9  Replies

  • YardDon
    Hedgehog, thanks for the reply. You are correct regarding the IP address. Unfortunately, the DB and IIS both share the same machine, and I do share your concerns regarding IIS. It's only short-lived though, as I will be separating them soon. I may do what you suggest and place this IIS machine in a DMZ and see what happens. Your certificate idea is interesting and I will investigate it some more. I agree it could also be routing issues; unfortunately I am not sure where to begin, as the networking guys think it's not. Regards, Robert
  • Amigus
    It might be an authentication issue, more specifically a delegation issue. Find the computer account in the active directory, open it up and check "Trust computer for delegation." If you're concerned about security I'd take some time to learn about delegation and figure out how to allow delegation only for the database to minimize the risk noted by hedgehog.
  • YardDon
    Hi Amigus, thanks for the reply. This machine is not operating in Active Directory. I can access the machine from the intranet and also from the internet, but only with a VPN. I am trying to eliminate the VPN, as users can access this server from anywhere. The problem is the software that is tied to the database only allows access from a single IP address. I was hoping someone knew if I could configure the network in such a way that I would not have a conflict. HTH, Robert
  • Amigus
    First of all, I should point out that even if you had Active Directory my solution above would not work. I guess I should think before I write sometimes. :-) Unfortunately, after reading your reply I think I'm not really understanding your problem or enough about the scenario. Your point about the application being tied to one IP confuses me. Can you give any more background on it?
  • Ambrish
    First see what port number is used by SOAP, and also check the port number used by the database (if SQL then 1433, if Oracle then 1521), which you will map on the router. Regards, Ambrish
  • Hedgehog
    Hi Robert, sorry I haven't answered before; I've been away. I am also confused about the app only allowing one single IP. Is this a licensing or a configuration issue? Can you NAT or proxy so that the app only sees the IP address of the NAT device or proxy? Did you try the idea about changing the certificates? If the webserver & the database are on the same machine, that would rule out routing issues, unless the app is somehow set to allow only connections from "local" IP addresses (that would explain why your internal & VPN users can access it). Any luck inspecting the webserver and/or database logs? What is the actual error reported? Hope it helps, Hedgehog.
  • YardDon
    Hi Hedgehog, thanks for the follow-up. In the application I have to configure the IP address that the app will be communicating on, and I create the certificate with that IP address. It's my understanding that if I assign the app the external IP 198.x.x.x then I can communicate; however, I then lose the ability to communicate internally. I did not try your suggestion with the URL; honestly, I am not sure I understood it thoroughly. I am told it can be done with networking/routing etc., but I understand the networking guys are not sharing the knowledge (politics). HTH, Robert
  • Hedgehog
    Hey Robert, you've got a tough one there with those guys in networking... Have you tried asking the people who designed or sold you the application? Surely you're not the only one using it, and it appears to me the setup you're trying to achieve is not that uncommon (having different machines in the DMZ would be more typical, though). What's in the application logs and in the webserver logs? Any hints there? I am pretty lost. If you can talk to the webserver externally and the app is on the same machine as the webserver, it doesn't make sense that you can't talk to the app. Just for the sake of trying it out, can you install the application on a different machine, inside your LAN, and redirect the requests from the IIS server to the internal machine? Sorry, man, but I can't think of anything else right now... Good luck, Hedgehog.
  • YardDon
    Hi everyone, thanks to all those that replied. I have decided to close this subject, as I feel I am going in circles. A couple mentioned some solutions that I am going to try. Thanks again to all who replied. Regards, Robert