NAT two private networks

vkgautham
Posts: 1
Joined: 2022/08/10 13:59:47

NAT two private networks

Post by vkgautham » 2022/08/10 14:02:25

I have two networks.

Network A (internal)
10.23.xx.xx/24

Network B (internal)
10.21.xx.xx/24 (static IP), a VPS running CentOS 8 with two Ethernet cards.

How can I make the web application running on the VPS (Network B) accessible to all clients on Network A?

I tried to NAT but could not make a connection to Network B from Network A (request timed out). What is the exact procedure?

Thanks

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: NAT two private networks

Post by jlehtone » 2022/08/11 19:22:13

Let's have:

    aa -- A -- ra -- C -- rb -- B -- bb

The aa is a client in network A. When it wants to talk to someone else in A, it does that "link-local". Everything else it passes to member "ra" of A, which is a router -- the gateway to other subnets.

So, the aa sends a packet that has (SRC=aa, DST=bb) to ra.
The ra is a member of network C. The ra is told (a static route has been added) that traffic to B must be sent to rb.
The rb is a member of B and can forward the (SRC=aa, DST=bb) to bb.
The bb replies with a packet that has (SRC=bb, DST=aa). The aa is not in B, but bb has rb as its default gateway.
The rb must have the static route "to A via ra", just like the ra has "to B via rb".
No NAT was involved in this setup.


Let's say that C is a public network (possibly several, with additional routers in between). One cannot send packets with private addresses into the public network, and the other routers do not have the necessary static routes (to private subnets).

Therefore, aa can't talk to bb. However, aa can send a packet to the public address of rb. The packet starts as: (SRC=aa, DST=rb_public)
The ra must masquerade the private addresses. That is source NAT (sNAT). The packet that leaves ra has (SRC=ra_public, DST=rb_public)
Obviously, the rb is not a web server. The bb is.
The rb must have a port forwarding rule (destination NAT, dNAT) so that attempts to connect to rb_public with HTTPS go to bb.
After rb the packet has: (SRC=ra_public, DST=bb). The bb sends a reply: (SRC=bb, DST=ra_public)
The dNAT in rb was "stateful", so the reply is automagically changed to (SRC=rb_public, DST=ra_public)
Likewise, the sNAT in ra was stateful and the reply is updated to (SRC=rb_public, DST=aa). The aa receives the reply.
In this scenario the ra does not have a route to B and the rb does not have a route to A.

In addition to NAT, both routers must allow such traffic to be forwarded through their firewalls.
There is also a limitation: there can be only one HTTPS server in the entire B (that members of A can connect to on the default HTTPS port).
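
The sNAT/dNAT scenario above, written out as an added firewalld setup script for the two routers (this is example code, not something from the thread). It assumes both ra and rb run CentOS 8 with firewalld; the interface names, the web server address and the DRY_RUN switch are constructed for the example.

```shell
#!/bin/sh
# Added example: firewalld setup for the two routers in the sNAT/dNAT scenario
# (ra masquerades, rb port-forwards HTTPS to bb). Both routers are assumed to run
# CentOS 8 with firewalld; addresses and interface names are placeholders.
set -eu

RA_PUB_IF="eth0"        # ra: interface towards the public network C (assumed)
RA_LAN_IF="eth1"        # ra: interface inside private network A (assumed)
RB_PUB_IF="eth0"        # rb: interface towards C (assumed)
RB_LAN_IF="eth1"        # rb: interface inside private network B (assumed)
BB="10.21.0.80"         # bb: the web server in B (constructed address)

# Execute a command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ra: sNAT. Packets from aa leave towards C with SRC rewritten to ra_public.
# Masquerade on the external zone also makes firewalld accept forwarding out
# through that interface; conntrack maps the replies back to aa.
# (sysctl -w is not persistent; put the key in /etc/sysctl.d/ for reboots.)
ra_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run firewall-cmd --permanent --zone=external --change-interface="$RA_PUB_IF"
    run firewall-cmd --permanent --zone=internal --change-interface="$RA_LAN_IF"
    run firewall-cmd --permanent --zone=external --add-masquerade
    run firewall-cmd --reload
}

# rb: dNAT. New HTTPS connections arriving at rb_public are sent to bb. firewalld
# requires masquerade on the zone when forwarding to another host (the external
# zone has it on by default). Replies from bb (SRC=bb, DST=ra_public) are
# rewritten by conntrack to SRC=rb_public, so bb only needs rb as its gateway.
rb_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run firewall-cmd --permanent --zone=external --change-interface="$RB_PUB_IF"
    run firewall-cmd --permanent --zone=internal --change-interface="$RB_LAN_IF"
    run firewall-cmd --permanent --zone=external --add-masquerade
    run firewall-cmd --permanent --zone=external \
        --add-forward-port="port=443:proto=tcp:toaddr=$BB"
    run firewall-cmd --reload
}

# Usage: DRY_RUN=1 sh nat.sh ra   (or rb) prints the commands; without DRY_RUN they run.
case "${1:-}" in
    ra) ra_rules ;;
    rb) rb_rules ;;
esac
```

Only one forward-port for TCP 443 can exist per public address, which is the single-HTTPS-server limitation noted above; a second web server in B would need a different public port or a second public address on rb.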
