
Routing Question

    #1

    Anyone know how to route traffic from host A through host B for a particular IP and back?

    We have traffic that leaves our network and is only accepted by the other network if it's a particular IP. It's a royal PITA getting the other end to accept traffic from another IP so we thought to save time we might route other IP traffic through the host with the accepted IP, and back. We have:

    Host A - AIX WPAR
    Host B - AIX Host (global - different box)
    Host C - Host A WPAR's Global

    I've tried all forms of 'route add -host x.x.x.x -interface x.x.x.x' to no avail - I think I'm struggling with the fact the ping/telnet queries I'm using to test don't know how to get back to Host A. But I'm clueless on this really.

    Host A (the WPAR) shares the routing table with its underlying Global with a unique IP, so I am assuming I make the changes on that Host C.

    Just in case, a WPAR is AIX's equivalent of Solaris Zones/Containers.

    Ta!

    #2
    You can route it through but it'll still have the same source IP, will need to do address translation too and I've no idea if AIX can do that, apparently IPFilter does.

    You should be able to set routes using more specific match, set the route to that particular single IP address via the desired router on whatever client machine it is and everything else will still go via the normal default gateway. According to IBM the syntax is route add -host $dest-IP $router-IP



      #3
      Originally posted by smatty:
      You can route it through but it'll still have the same source IP, will need to do address translation too and I've no idea if AIX can do that, apparently IPFilter does.

      You should be able to set routes using more specific match, set the route to that particular single IP address via the desired router on whatever client machine it is and everything else will still go via the normal default gateway. According to IBM the syntax is route add -host $dest-IP $router-IP
      I wonder if it's easier to do it on the ASA?



        #4
        Originally posted by stek:
        I wonder if it's easier to do it on the ASA?
        If 'twere me, I would allocate a subnet for "NAT" purposes on the ASA and ask the other network to allow that entire subnet. Gives a bit more flexibility in future.

        If that's not an option then I think you'd need to re-address the servers so the "permitted" IP address isn't in use on the LAN and then do the NAT on the ASA (i.e. move that IP address onto the firewall), assuming all traffic to that other network goes through the ASA. But that might bugger up anything else internal which already uses the permitted IP address to get to that server.



          #5
          Originally posted by smatty:
          If 'twere me, I would allocate a subnet for "NAT" purposes on the ASA and ask the other network to allow that entire subnet. Gives a bit more flexibility in future.

          If that's not an option then I think you'd need to re-address the servers so the "permitted" IP address isn't in use on the LAN and then do the NAT on the ASA (i.e. move that IP address onto the firewall), assuming all traffic to that other network goes through the ASA. But that might bugger up anything else internal which already uses the permitted IP address to get to that server.
          I'm too scared lol!!

          Think we ought to do it properly, i.e. get the local IPs allowed at the other end even if it means a long drawn out process......



            #6
            Originally posted by stek:
            I'm too scared lol!!

            Think we ought to do it properly, i.e. get the local IPs allowed at the other end even if it means a long drawn out process......
            If the "other network" is 3rd party then best to create a completely separate IP range (e.g. 172.16.x.x if the LAN uses 10.y.y.y) living on the firewall used for all traffic to 3rd parties and use NAT to hide behind that range. Easy to make changes, hides your internal addressing and avoids any issues around overlaps, routing, etc.

            Haven't you got a network architect there who can knock that together? I know a good one if you need, reassuringly expensive too.
            Last edited by smatty; 29 September 2015, 07:02.



              #7
              Originally posted by stek:
              I've tried all forms of 'route add -host x.x.x.x -interface x.x.x.x' to no avail - I think I'm struggling with the fact the ping/telnet queries I'm using to test don't know how to get back to Host A.
              Network Address Translation (NAT) - like what ADSL routers do so that web server replies can find their way back to your private LAN.

              For Linux it would be https://www.google.co.uk/?q=iptables+masquerade+SNAT. Not sure about AIX.
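              The two ideas in posts #2 and #7 (a more specific host route on the client, and source NAT on the forwarding host so replies can get back) are easy to see in a small simulation. The block below is an added example, not code from any poster in this thread, and it does not configure AIX, IPFilter or an ASA; it models a routing table with longest-prefix match and a stateful source NAT in plain Python. All addresses (10.1.1.20 for the WPAR, 10.1.1.10 as the one permitted address, 192.0.2.50 for the third party) and the partner's allow-list are constructed for the example.

```python
"""Simulation of a host route (longest-prefix match) plus source NAT on the
forwarding host. Addresses and the partner allow-list are constructed examples."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (destination prefix, next hop)


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route wins, so a /32 host route
    to the partner address overrides the 0.0.0.0/0 default gateway."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, nexthop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Snat:
    """Minimal stateful source NAT: outbound flows are rewritten to one address
    and a fresh port; replies are matched on that port and rewritten back.
    Anything arriving without a matching flow is dropped."""

    def __init__(self, nat_ip: str, first_port: int = 40000) -> None:
        self.nat_ip = nat_ip
        self.next_port = first_port
        # (dst, dport, nat port) -> (original src, original sport)
        self.flows: Dict[Tuple[str, int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        natport = self.next_port
        self.next_port += 1
        self.flows[(pkt.dst, pkt.dport, natport)] = (pkt.src, pkt.sport)
        return Packet(self.nat_ip, pkt.dst, natport, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        orig = self.flows.get((pkt.src, pkt.sport, pkt.dport))
        if orig is None or pkt.dst != self.nat_ip:
            return None  # unsolicited: no matching flow, drop it
        return Packet(pkt.src, orig[0], pkt.sport, orig[1])


# Constructed topology (hypothetical addresses, not the poster's).
HOST_A = "10.1.1.20"       # the WPAR; not on the partner's allow-list
HOST_B = "10.1.1.10"       # the one address the partner accepts
LAN_GW = "10.1.1.1"        # normal default gateway
PARTNER = "192.0.2.50"     # third-party host (TEST-NET-2 address)
PARTNER_ALLOW = {HOST_B}   # what the partner's firewall permits

# Host A's table: default route plus a /32 to the partner via Host B.
HOST_A_ROUTES: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), LAN_GW),
    (ipaddress.ip_network(PARTNER + "/32"), HOST_B),
]


def send_via_b(use_snat: bool) -> dict:
    """Host A sends to the partner through Host B and we record what happens.
    With plain forwarding the source stays 10.1.1.20 and the partner rejects it;
    with SNAT on B the source becomes 10.1.1.10 and the reply is un-NATed to A."""
    pkt = Packet(HOST_A, PARTNER, 51000, 23)
    nexthop = lookup(HOST_A_ROUTES, pkt.dst)
    nat = Snat(HOST_B) if use_snat else None
    forwarded = nat.outbound(pkt) if nat else pkt  # plain routing keeps the original src
    if forwarded.src not in PARTNER_ALLOW:
        return {"nexthop": nexthop, "accepted": False, "reply_to_a": None}
    # The partner answers whatever source it saw; only B knows how to map it back.
    reply = Packet(PARTNER, forwarded.src, forwarded.dport, forwarded.sport)
    delivered = nat.inbound(reply) if nat else reply
    return {"nexthop": nexthop, "accepted": True, "reply_to_a": delivered}


if __name__ == "__main__":
    print("route only:", send_via_b(False))
    print("route + SNAT:", send_via_b(True))
```

              The point the thread makes is the second half: the host route alone gets the packet to Host B, but B forwards it with Host A's source address, so the far end still sees a non-permitted IP. Only when B rewrites the source (and keeps state to reverse it on the reply) does the conversation complete. Whether that rewrite lives on the AIX box (IPFilter) or on the ASA is the design decision the later posts argue about.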



                #8
                Originally posted by Contreras:
                Network Address Translation (NAT) - like what ADSL routers do so that web server replies can find their way back to your private LAN.

                For Linux it would be https://www.google.co.uk/?q=iptables+masquerade+SNAT. Not sure about AIX.
                Yeah, I'm NATting on an ASA (and PATting) but I'm scared of it to be honest; I'm not a network guy and we haven't got anyone else apart from the woman who makes the tea.

                It's IPFilter for AIX, but as this box does other things I'm a bit wary of frigging it.
