I connect to the 'net with a public static IP (my router's IP address for NAT) and a /29 subnet (for machines behind the router).
On my router, I have:
#sh ip route | inc x.x
x.x.0.0/16 is variably subnetted, 3 subnets, 2 masks
C x.x.196.62/32 is directly connected, Dialer1
C x.x.206.72/29 is directly connected, BVI2
#sh run int dial 1 | inc zone
zone-member security out-zone
#sh run int bvi 2 | inc zone
zone-member security in-zone
The zone-pair is fairly restrictive. I would like to relax the restrictions for clients which first connect via a remote-access VPN:
#sh run int virtual-template 1
zone-member security relaxed-zone
Now clients connecting via VPN must be assigned a private IP address. (I don't allocate public addresses to clients, right?):
# sh ip local pool
Pool       Begin            End              Free  In use  Blocked
RANET100   192.168.100.230  192.168.100.250  20    1       0
So now if I want to get a packet to x.y.206.73 from 192.168.100.230, that's fine - the router has the information it needs. But it means that the host x.y.206.73 would have to permit traffic to its public-scoped IP address from a private address ... something it would normally be configured to ignore!
So this is a dirty hack, right? What is the True Path (TM)? Should I just multi-home the hosts with the public IP addresses so that they also have a private IP address?
"But it means that the host x.y.206.73 would have to permit traffic to its public-scoped IP address from a private address"
No it wouldn't, it'd mean that a host would have two IP addresses, which happen to have different routing expectations to the Internet as a whole.
There's no reason not to place more than one IP address on an interface; it's entirely possible, and in fact, in IPv6, it's pretty much universal. Just make sure that your address selection rules for outgoing connections use the right address for the right task.
It's entirely reasonable to have this setup. Consider it thus:
Your 'internal network' consists of multiple networks:
Your public host doesn't care that it gets a connection from an RFC1918 address unless you configure it that way. Just let it happen.
No need to configure another IP.