ISA, NAT and router addressing question


ruriimasu
07-27-2009, 11:05 PM
Hi,

I am new to all this, so this may sound extremely shallow. Please bear with me.

1) Let's say I put a router in front of my ISA server and both have static public IPs, and I enable VPN on the ISA server, do I dial in to the ISA server's IP or the router's IP? Do I even need a public IP for my ISA when I already have 1 for the router?

2) Let's say I put a router in front of my NAT server (for webserver and Exchange server) and they all have static public IPs, do I make the A(HOST) to point to the router or the NAT's public static IP?

3) If the above 1 and 2 do not use the router's public static IP, then why is there a need for a static IP for the router?

Hopefully you guys will be willing to shed some light on this for me :)

David Davis
08-04-2009, 01:40 PM
Hi Ruriimasu,

Let me take these one by one...

1)
A. If you configure your router to NONAT (don't NAT) the outside IP of the ISA server and it really has a public IP, then your VPN is going to connect to the public IP of the ISA server.
B. Whether or not you assign a public IP to the outside of your ISA server is up to you. If you are really going to use it to filter the traffic on your network then I would recommend it.

2) I'm not sure what you mean by "NAT Server", but if something has a public IP then that is the IP that the Internet sees it as, and that is what you would assign the A record to on a public DNS server.

3) Every device, direct connected to (not NAT'ted) the public Internet must have a public IP address. So, the router is what connects to your ISP so it must have a static IP. The static IP of the router is the default gateway for your network and the "next hop" for the ISP's router when they are delivering traffic to you.

We have some free Cisco and networking videos on our website:
http://www.trainsignaltraining.com/

Although, I am not sure that there is one on NAT and I think that is what would help you out the most.

Hope that helps!

Thank you,
David

ruriimasu
08-05-2009, 10:21 PM
Hi David,

Thank you for your replies. I was about to give up after I had not gotten a reply for so long.

I watched some Trainsignal videos which a friend lent to me; apparently he did not understand them well either. I even watched the ISA 2004 videos which you made. I learnt how to configure those servers from your videos, but I do not know how to really connect them to the internet.

For the 2nd question on the NAT, it is more about the Exchange server videos which I watched. The setup was an Exchange server and a NAT server. The NAT was supposed to translate (I may be using wrong words here) the outside requests to the Exchange server's private IP. In the videos, the static public IP of the NAT was put into the domain hoster's (godaddy.com) A (Host) record. I do not understand why it is not the router's IP instead.

For your answer to question 3, you mentioned "Every device, direct connected to (not NAT'ted) the public Internet must have a public IP address". The part I do not understand is why the NAT (in the above example) needs a static public IP when it is behind a router which connects to the internet. The NAT is not directly connected to the internet, is it?

Sorry for my lack of understanding in this as I find everything in the videos very informative until the part where I got to connect it to a real router with internet access.

** by the way, I like your videos but sometimes you go too fast :p:D

David Davis
08-17-2009, 11:57 PM
Hi,

I am glad that you found our videos helpful!

Let me see if I can assist on these NAT questions...

Routers can route and NAT or they can just route. There are multiple configuration scenarios... In my opinion, the most important thing is to know the difference between private and public addresses and how NAT works. The static public IP is always going to be entered on the public Internet DNS servers.

Also, there is a difference between NAT and PAT. Check out my TechRepublic article on NAT and PAT for more info (http://www.zdnetasia.com/insight/network/0,39044847,39050002,00.htm).

A device doesn't always have to have a static public IP, but for a company, it is going to be the best design.... Sure, on your home router, you could get away with having one port sent to a web server and another sent to an email server, all sharing the IP address of the router. However, at a company, you are going to want static public IPs on all Internet-facing devices - still, those static public IP addresses could really be the outside of a firewall (like a Cisco PIX/ASA or an MS ISA Server) and still be NAT'ted to an SMTP relay server or front-end server in a DMZ.

Hope this helps and I am not just confusing you more :)

Thank you again,
David
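
The two designs described in the post above, modeled as an added example that is not part of the thread or of any product's configuration: a home router forwarding individual ports on one shared public IP, and a company firewall with one static public IP per DMZ server. All addresses are constructed documentation/private ranges, and `NatDevice` and its methods are hypothetical names.

```python
from ipaddress import ip_address

class NatDevice:
    """Inbound (destination) NAT table of a router or firewall; a model only."""

    def __init__(self):
        self.port_forwards = {}  # (public_ip, port) -> (private_ip, port): PAT
        self.static_nat = {}     # public_ip -> (private_ip, allowed ports)

    def add_port_forward(self, public_ip, port, private_ip, private_port=None):
        self.port_forwards[(ip_address(public_ip), port)] = (
            ip_address(private_ip), private_port or port)

    def add_static_nat(self, public_ip, private_ip, allowed_ports):
        self.static_nat[ip_address(public_ip)] = (
            ip_address(private_ip), frozenset(allowed_ports))

    def translate_inbound(self, dst_ip, dst_port):
        """Return (private_ip, port) for an Internet packet, or None if dropped."""
        dst = ip_address(dst_ip)
        if (dst, dst_port) in self.port_forwards:
            host, port = self.port_forwards[(dst, dst_port)]
            return str(host), port
        if dst in self.static_nat:
            host, allowed = self.static_nat[dst]
            if dst_port in allowed:  # the firewall rule, not NAT, does the filtering
                return str(host), dst_port
        return None

    def a_record_for(self, private_ip):
        """Public IPs that public DNS must publish to reach an internal host."""
        target = ip_address(private_ip)
        found = {str(pub) for (pub, _), (host, _) in self.port_forwards.items()
                 if host == target}
        found |= {str(pub) for pub, (host, _) in self.static_nat.items()
                  if host == target}
        return sorted(found)

def home_router():
    r = NatDevice()  # constructed sample: one public IP shared by two servers
    r.add_port_forward("203.0.113.10", 80, "192.168.1.20")   # web server
    r.add_port_forward("203.0.113.10", 25, "192.168.1.30")   # mail server
    return r

def company_firewall():
    fw = NatDevice()  # constructed sample: one static public IP per DMZ server
    fw.add_static_nat("203.0.113.21", "10.0.50.21", {80, 443})  # front-end server
    fw.add_static_nat("203.0.113.22", "10.0.50.22", {25})       # SMTP relay
    return fw
```

In both designs the A record carries the public address held by the translating device, never the server's private address; the static mapping still needs its own port allow-list, since a one-to-one translation by itself filters nothing.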

ruriimasu
08-18-2009, 09:35 PM
Hi Davis,

I think I am starting to understand it.

So let's say I have a Linksys router and an ISA server or NAT server, and connected to them are webservers, an Exchange server and user PCs. Does the Linksys router need a STATIC public IP address when the ISA and NAT servers already have their own static public IP addresses? Can the Linksys router use a dynamic public IP while the ISA and NAT servers use static public IPs?

Thanks for your kind patience! :)