I have a question about whether something is 'possible' by default or requires additional setup.

Let's say I have two systems behind a firewall and they are in the same domain and subnet. System 1 has IP 10.1.1.2 and has IIS installed (aka listening on port 80). The other system is just a normal system that has outbound internet traffic.

Should system 2 (the outbound traffic system) be able to hit the external IP and have it redirect to the server running IIS without having to modify any hosts file or NAT setting?

Here is a topology of what I am talking about:


Should the computer system at 10.1.1.1 be able to hit (either directly with the IP or through a registered DNS name like my.domain.com) the external IP (69.1.1.1:80) and have it 'resolve'/redirect to the internal server located at 10.1.1.2?


Solution 1:

This is a pretty well known problem. When your internal client accesses the external IP address, dumb-NAT will forward that packet to the server. It looks kind of like this:

10.1.1.2 -> 69.1.1.1:80

At which point the dumb-NAT will rewrite the packet, so what the internal server sees:

10.1.1.2 -> 10.1.1.1:80

So it will reply:

10.1.1.2:80 -> 10.1.1.1

Unfortunately, 10.1.1.2 was expecting a reply from 69.1.1.1, not 10.1.1.1, so it just discards the packet and the connection never completes.

There are a couple of ways of handling this; some NAT gateways do this intelligently. Most home router/firewalls don't. But the term for what it is doing is Source-NAT, where the source address gets rewritten instead of the destination.
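As an added illustration (not part of the answer above), here is a small Python model of the packet rewriting it describes, using the question's numbering (client 10.1.1.1, IIS host 10.1.1.2, published address 69.1.1.1); the gateway's inside address 10.1.1.254 and the client's source port 50000 are assumptions. It shows why destination NAT alone fails (the server's reply reaches the client directly, from the wrong source) and why adding source NAT on the hairpinned flow lets the connection complete.

```python
from dataclasses import dataclass

# Addressing from the question; the gateway's inside address is an assumption.
CLIENT, SERVER = "10.1.1.1", "10.1.1.2"
GW_OUTSIDE, GW_INSIDE = "69.1.1.1", "10.1.1.254"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """Port-forward GW_OUTSIDE:80 to the IIS host, with or without hairpin SNAT."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        self.conntrack: dict[tuple[str, int], str] = {}  # (src, sport) -> real client

    def forward(self, p: Packet) -> Packet:
        # DNAT: rewrite the published address to the real server address.
        if (p.dst, p.dport) != (GW_OUTSIDE, 80):
            return p
        # Hairpin SNAT additionally makes the gateway the apparent source, so the
        # server's reply is forced back through the gateway to be un-translated.
        src = GW_INSIDE if self.hairpin_snat else p.src
        self.conntrack[(src, p.sport)] = p.src
        return Packet(src, p.sport, SERVER, 80)

    def untranslate(self, p: Packet) -> Packet:
        # Reverse both rewrites on a reply that reaches the gateway.
        client = self.conntrack.get((p.dst, p.dport))
        return Packet(GW_OUTSIDE, 80, client, p.dport) if client else p


def connect(hairpin_snat: bool) -> tuple[bool, str]:
    """Return (connection_completes, source address the client saw on the reply)."""
    gw = Gateway(hairpin_snat)
    request = Packet(CLIENT, 50000, GW_OUTSIDE, 80)  # leaves via the default route
    at_server = gw.forward(request)
    reply = Packet(SERVER, 80, at_server.src, at_server.sport)
    # A reply addressed to a LAN host is delivered on-link, bypassing the gateway;
    # only a reply addressed to the gateway itself gets un-translated.
    at_client = gw.untranslate(reply) if reply.dst == GW_INSIDE else reply
    expected = (GW_OUTSIDE, 80, CLIENT, request.sport)
    ok = (at_client.src, at_client.sport, at_client.dst, at_client.dport) == expected
    return ok, f"{at_client.src}:{at_client.sport}"
```

`connect(False)` reports the reply arriving from 10.1.1.2:80, which the client's socket does not recognise, while `connect(True)` reports 69.1.1.1:80 and a completed connection.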

Solution 2:

If this is a PURE firewall then you could run into problems, but in reality most firewalls will act to some degree as a limited router, and so yes, this should just work. It certainly works on all the firewall/routers I've used. Do you know what your FW is?