Posted to users@trafficserver.apache.org by "G. T. Stresen-Reuter" <te...@gmail.com> on 2013/09/03 16:41:53 UTC

Inverse NAT

Hi,

Sorry for the newbie question, I'm not even sure if what I'm asking exists.

I'm being told that to be an official testing center, we need a caching proxy capable of doing inverse NAT. I know what NAT is, but I've never heard of inverse NAT. Also, I've always thought that NAT was the task of the router, not the caching server.

Does TS do inverse NAT? Can anyone chime in on this?

Thanks in advance.

Ted Stresen-Reuter

Re: Inverse NAT

Posted by David Boreham <da...@boreham.org>.
On 9/3/2013 4:29 PM, G. T. Stresen-Reuter wrote:
> Our consultant claims to have done some research and found that there are some features in the ISA server not found in other caching proxy servers. One of them he classified as a "sort of inverse NAT" (without going into any detail).

First, I should disclose that I know even less than everyone who has 
responded on this thread so far.

However, I did do some Google searching on "inverse NAT ISA server". 
This brought up some articles that describe the feature, e.g.:
http://www.techrepublic.com/article/publish-network-resources-with-isa-server/
Based on these articles, my conclusion is that what they call "inverse 
NAT" is in fact ... http proxying.
Perhaps ISA Server was broken in some way originally such that proxying 
requests from "outside" clients to "inside" servers was not possible. 
Then... in a later release that capability was added, and of course 
needed a name, so "reverse NAT" was born, even though it isn't NAT of 
any kind. Anyway, just a theory. Beware btw in that article, when he 
says "client", he typically means "server".

If your consultant is talking about the same feature set, then surely 
ATS (or pretty much any other decent proxy server) can do it, when 
configured appropriately. I'd recommend that you assume this is the 
case, and ask the consultant "do you mean a proxy scenario like this... 
<insert diagram> ?". See what they say.

Re: Inverse NAT

Posted by "G. T. Stresen-Reuter" <te...@gmail.com>.
Thanks for the prompt response!

On Sep 3, 2013, at 5:17 PM, "Alan M. Carroll" <am...@network-geographics.com> wrote:

> Tuesday, September 3, 2013, 9:41:53 AM, you wrote:
> 
>> Does TS do inverse NAT? Can anyone chime in on this?
> 
> Hard to answer, since neither of us knows what "inverse NAT" is, and I spent several years working on NAT stuff for Cisco.
> 
> As a guess, I would say you could use ATS in reverse proxy mode to convert externally visible URLs to requests to internal machines that do not have externally visible services or addresses. E.g., a request for "http://test-place.com/blah/blah" comes in to ATS, and is converted to a request for "http://secure-test-a/blah/blah" where "secure-test" is looked up in local DNS and has no externally routable address.

Unfortunately, I'm not exactly sure myself what the consultant meant by inverse DNS. The situation is, we are being required to install a caching proxy. All the supporting documentation provided by the accrediting agency makes reference to the Microsoft ISA server (something we can no longer purchase). Our consultant claims to have done some research and found that there are some features in the ISA server not found in other caching proxy servers. One of them he classified as a "sort of inverse NAT" (without going into any detail).

I've done some research on the subject but I've been unable to pinpoint the ISA feature not found in TrafficServer. Here is a summary list of ISA features:
http://download.microsoft.com/download/1/C/6/1C6A42B2-79E6-4201-A8B2-73DC0DB8DD47/Evaluation_Guide.doc

Based on your response I'm going to push for a better, more explicit explanation of what exactly is required and reply to this thread if I ever get a clear answer.

Thanks again for the effort!

Ted Stresen-Reuter

Re: Inverse NAT

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Tuesday, September 3, 2013, 9:41:53 AM, you wrote:

> Does TS do inverse NAT? Can anyone chime in on this?

Hard to answer, since neither of us knows what "inverse NAT" is, and I spent several years working on NAT stuff for Cisco.

As a guess, I would say you could use ATS in reverse proxy mode to convert externally visible URLs to requests to internal machines that do not have externally visible services or addresses. E.g., a request for "http://test-place.com/blah/blah" comes in to ATS, and is converted to a request for "http://secure-test-a/blah/blah" where "secure-test" is looked up in local DNS and has no externally routable address.
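
The reverse proxy mapping described in the message above, written as Apache Traffic Server configuration. This is an added example, not part of the original thread; the host names are the ones used in the message, and it assumes "secure-test-a" resolves only through internal DNS.

```text
# --- remap.config ---
# Requests for the public name are forwarded to the internal origin.
map          http://test-place.com/   http://secure-test-a/
# Rewrite Location headers in origin redirects so the internal
# host name is not exposed to outside clients.
reverse_map  http://secure-test-a/    http://test-place.com/

# --- records.config ---
# Serve reverse proxy (remapped) traffic.
CONFIG proxy.config.reverse_proxy.enabled INT 1
# Refuse any request that matches no remap rule, so the server
# cannot be used as an open forward proxy from the outside.
CONFIG proxy.config.url_remap.remap_required INT 1
```

With `remap_required` set, only the hosts listed in remap.config are reachable through the proxy, which limits what an external client can ask it to fetch from the internal network.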