Geekzone: technology news, blogs, forums


45 posts

Geek


Topic # 65933 9-Aug-2010 19:12

Hey Guys,

I have a question that I have been googling and can't find the answer to. OK, here goes: I have a Linksys AG300 with IP 192.168.10.1 and subnet of 255.255.255.252.

I also have an ISA server box IP 192.168.10.2 and same subnet. Now currently I have NAT enabled on the AG300 but also ISA performs NAT so effectively I am double-natting. Now I believe the best alternative is Static Routing, am I correct?

If not, what do I need to do to disable NAT on my AG300 and just have it forwarding packets? If so, what options do I set for static routing, I have tried all combos I can think that are logical to me and none work.

It needs Dest IP, Subnet and Gateway IP.

Any ideas?

Thanks

Adam

Infrastructure Geek
4056 posts

Uber Geek
+1 received by user: 195

Trusted
Microsoft NZ
Subscriber

  Reply # 365610 9-Aug-2010 20:27

what you really want is "ip extension" or "half bridge" modes on your linksys. it will avoid the double-nat, presenting the external IP address directly to ISA via DHCP

try this link for some help: http://www.ben.geek.nz/2006/11/adsl-routing-solution-in-detail

i'm pretty sure the ag300 does half bridge too




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs




45 posts

Geek


  Reply # 365619 9-Aug-2010 20:39

I have just scoured my router config and looked on Google and cannot find how to put this modem into bridge mode. I have a Telecom single PC Thomson ST536v6 but couldn't figure out how to on that either; seems maybe Telecom locked it? I don't mind which box I use but would like to remove double NAT.

Any ideas?



45 posts

Geek


  Reply # 365625 9-Aug-2010 20:46

Scratch that, ST536 is buggered. TelstraClear are sending me a free modem, anyone know what modem number that will be? Half bridge?

218 posts

Master Geek
+1 received by user: 11


  Reply # 365785 10-Aug-2010 10:26

the /30 subnet (255.255.255.252) gives you only two usable addresses, 192.168.10.1 and 192.168.10.2.

I presume the ISA server has two network cards and you have hosts using the ISA server?  If so, what is IP address and subnet mask of the inside or trusted interface?

Maybe the option is to have the ISA server route between its inside and outside NICs instead of performing NAT?



45 posts

Geek


  Reply # 365801 10-Aug-2010 11:05

Correct, inside interface IP is 172.20.10.1. Ah, I see, so then the AG300 does the NAT leaving the ISA just routing, hadn't thought of it that way..

218 posts

Master Geek
+1 received by user: 11


  Reply # 365802 10-Aug-2010 11:19

adamdotclarke: Correct, inside interface IP is 172.20.10.1. Ah, I see, so then the AG300 does the NAT leaving the ISA just routing, hadn't thought of it that way..


yep, should work.  Only one way to find out I suppose!

3224 posts

Uber Geek
+1 received by user: 624

Trusted

  Reply # 365962 10-Aug-2010 18:33

Another suggestion may be to set your modem to 10.1.1.1 and your ISA WAN to 10.1.1.2 - then have it as the DMZ in the modem.

Then set your ISA server to issue 192.168.0.x on its LAN interface

Or get a modem that does half bridge / ip extension, or use an internal PCI ADSL modem like I do.





Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here




Infrastructure Geek
4056 posts

Uber Geek
+1 received by user: 195

Trusted
Microsoft NZ
Subscriber

  Reply # 366032 10-Aug-2010 21:35

raytaylor:
or use an internal PCI ADSL modem like I do.


that *should* be the easiest option, and potentially the most reliable - but they're harder to find these days.  got any links to models for sale?




Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs




45 posts

Geek


  Reply # 366044 10-Aug-2010 21:52

Yea, that is how I had it configured but swap the IP ranges.
But still, isn't that not fixing the double NAT issue?
Yea, if you could recommend any good models, as I have heard they can be unreliable if the wrong model...?

3224 posts

Uber Geek
+1 received by user: 624

Trusted

  Reply # 366052 10-Aug-2010 22:09

I have a couple which I picked up off Trade Me. I always get them from there and have never had any problems with them - though if your case gets too warm I guess they could have problems.

Usually I just get one for $30 off Trade Me as I use them in managed firewalls for clients, and Mako use them in their managed firewalls for the new government healthlink system that most pharmacies are getting installed.

See here http://www.trademe.co.nz/Browse/SearchResults.aspx?searchType=all&searchString=pci+adsl&type=Search&generalSearch_keypresses=14&generalSearch_suggested=0

The ones I have in a load balancing firewall at home that I put together are both GlobespanVirata or something like that off Trade Me.





Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here




1984 posts

Uber Geek
+1 received by user: 133

Trusted

  Reply # 366188 11-Aug-2010 12:35

What are you trying to achieve, i.e. which LAN do you want to firewall behind the NAT? Best security would have the NAT router in front of the server, so it sounds like you are protecting a second device behind the ISA server. I would have thought the second LAN would be a separate subnet on the first router instead of double NAT.




Qualified in business, certified in fibre, stuck in copper, have to keep going  ^_^

218 posts

Master Geek
+1 received by user: 11


  Reply # 366197 11-Aug-2010 12:49

webwat: What are you trying to achieve, i.e. which LAN do you want to firewall behind the NAT? Best security would have the NAT router in front of the server, so it sounds like you are protecting a second device behind the ISA server. I would have thought the second LAN would be a separate subnet on the first router instead of double NAT.


performing NAT on consumer grade ADSL modem/routers usually cannot be avoided unless using a workaround such as half bridge as suggested or the Draytek option, so the first subnet is going to be natted.  It sounds like the OP's goal is to protect hosts behind the ISA server and possibly utilise ISA's firewall policies for outbound control etc etc.  I don't understand what you mean when you say 'the second LAN would be a separate subnet on the first router instead of double NAT'
I doubt the first router could take a secondary IP and subnet on the LAN interface and I don't see what that would achieve.
I still think it would be worth trying the ISA in route mode instead of NAT.  Seems simple to me.  ISA routes between the two private subnets and the modem/router performs NAT to the internet.
The only downside would be if you wanted to allow some inbound connections to hosts behind the ISA server you would have to port forward once on the modem/router and then also create port forwards and policies on the ISA server.



45 posts

Geek


  Reply # 366198 11-Aug-2010 12:52

@nbroad you are correct, that is what I am aiming to do, I will give the route on ISA, NAT on adsl device option a try when I have the chance

Thanks heaps for all the suggestions guys, I'll let you know how I get on...
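
The "route on ISA, NAT on the ADSL device" layout the thread settles on, as an added example that is not part of any post: it works out the Dest IP / Subnet / Gateway IP values the modem's static-route form asks for and shows, by longest-prefix match, where the modem sends return traffic with and without that route. The addresses are the ones posted above; the /24 mask on the inside network and the host 172.20.10.50 are assumptions, since the thread gives only the interface IP 172.20.10.1.

```python
import ipaddress

# Addresses are the ones posted in the thread. The /24 mask on the ISA inside
# network is an assumption: the thread gives only the interface IP 172.20.10.1.
OUTSIDE = ipaddress.ip_network("192.168.10.0/30")   # AG300 <-> ISA link
INSIDE = ipaddress.ip_network("172.20.10.0/24")     # hosts behind ISA (assumed mask)
ISA_OUTSIDE = ipaddress.ip_address("192.168.10.2")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def usable_hosts(net):
    """Host addresses left after removing network and broadcast addresses."""
    return [str(h) for h in net.hosts()]


def modem_table(with_static_route):
    """Routing table of the NAT modem as (destination, next hop) pairs."""
    table = [(DEFAULT, "WAN"), (OUTSIDE, "LAN")]
    if with_static_route:
        table.append((INSIDE, str(ISA_OUTSIDE)))
    return table


def next_hop(table, dst):
    """Longest-prefix match, the rule a router uses to pick a route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def static_route_fields():
    """The three values the modem's static-route form asks for."""
    return {
        "Dest IP": str(INSIDE.network_address),
        "Subnet": str(INSIDE.netmask),
        "Gateway IP": str(ISA_OUTSIDE),
    }


if __name__ == "__main__":
    print("usable /30 hosts:", usable_hosts(OUTSIDE))
    reply_to = "172.20.10.50"  # constructed inside host
    print("no static route   ->", next_hop(modem_table(False), reply_to))
    print("with static route ->", next_hop(modem_table(True), reply_to))
    print(static_route_fields())
```

Without the static route the modem's only match for an inside host is its default route, so replies head back out the WAN instead of to ISA. Whether the AG300 applies NAT to traffic sourced from a routed subnet is not established in the thread and has to be checked on the device.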
