ColdFusion Muse

Arcane Networking Tip Number 702 - Non-Static Mapped IPs

This falls along the lines of one of those tips that matters only to sys admins, firewall managers or network engineers. So if you aren't a networking geek (or don't aspire to become one) you can skip this tip. Here's the skinny.

When setting up a Windows server I like to use an "internal only" IP address - one that is not statically NATed to anything - as the source IP address. In most cases this means the IP address presented when making outgoing requests is the external address of the firewall instead of the "real static" IP. If you don't know what I mean by source IP, remote into your server and use a browser to go to what is my ip. Whatever it gives you back is your "source" IP address - the IP presented by outgoing requests. In fact if you check your source IP from your desktop in a typical corporate office and then go to a neighbor's computer and check it there you will likely see the same IP address. This is because most desktops sit behind a firewall and the firewall has an assigned IP address that it presents as the "source" IP for most traffic. And that "external firewall address" is also the one I often choose to use for outgoing traffic from a server.

Ok, so why is that a problem? Well a server is a little different. In most cases it will have one or more IPs that are "statically mapped" to its own live internet IPs. For example, let's say the DNS record for www.example.com is pointed to 72.10.20.10. "Inside" the network the server actually has an IP of 192.168.10.10. When web traffic hits the firewall for the "external" address (72.10.20.10) it looks at its translation table and knows that the "inside" address that "equals" 72.10.20.10 is actually 192.168.10.10 - and then it checks to see if the traffic is allowed (that's the "firewall" function of a firewall) and forwards the traffic to port 80 on 192.168.10.10. That's "network address translation" to a "statically mapped IP address" (whew!!). Ok, take a drink of water - the dizziness will pass momentarily.

Now for a variety of reasons I often don't want the IP address that the server presents when making outgoing connections to be "statically mapped". Instead I often prefer it to present the outside IP address of the firewall (as a sort of a generic proxy for my whole network). In Windows Server 2000 and 2003 that was easy. I would just make sure that the first IP address I added (the one that you actually "see" in the little network IP properties window before you click on "advanced") was a non-statically mapped IP. All outgoing traffic would "choose" this first IP by default and voila! I had the results I was looking for. Then I could just add my other "statically mapped" IPs in the advanced tab and move on.

With Windows 2008 R2 however this source IP address can switch to one of the other IPs in the pool. So even though I added my non-static IP first, eventually my server might switch to using the statically mapped IP. This is probably only an annoyance for me. But if you are one of the tiny minority of people who geek out over such things, here is the solution.

The Fix

In order to get the behavior you want you start out the same. Add your non-static IP as the first IP address per usual. Then instead of adding additional IPs using the "advanced" tab, open a command line and add them with the netsh command and the "skipassource=true" flag. It's that "skipassource" flag that does the magic. Here's the syntax for you.

netsh int ipv4 add address network_1 192.168.10.10 255.255.255.0 skipassource=true

One note - the label network_1 in the syntax above is the "name" of the adapter or "network" you are adding to. You can find this in network properties. By default it is "Local Area Connection" but I always rename it to something without spaces so I don't have to do too much head scratching (with quotes? without quotes? single quotes?). If you add your subsequent IPs like this from the command line using the skipassource flag then your "non-static" IP will always be the default preferred IP for outgoing traffic. Hope this is of use to someone. Happy coding.
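Here is the same procedure scripted and then checked, as an added example that is not part of the original post. It assumes the adapter is named network_1 as above, that 192.168.10.10 from the post plus a second constructed address are the statically mapped IPs, and that the "Address X Parameters" / "Skip as Source : true" layout of netsh's verbose output is what the parser sees; the Find-NetRoute check at the end only exists on Server 2012 and later, so it is skipped when the cmdlet is absent.

```powershell
# Added example (not from the original post): add statically mapped IPs with
# skipassource=true, verify the flag stuck, and (where supported) show which
# address Windows would actually pick as the source for an outbound connection.
# Run from an elevated prompt.

$Adapter   = 'network_1'                               # adapter name from the post
$Mask      = '255.255.255.0'
$MappedIPs = @('192.168.10.10', '192.168.10.11')        # 192.168.10.11 is a constructed sample value

foreach ($ip in $MappedIPs) {
    # netsh works on 2008 R2 and later; the flag keeps this address out of
    # source-address selection so the first (non-mapped) IP stays the default.
    netsh interface ipv4 add address $Adapter $ip $Mask skipassource=true
}

function Get-SkipAsSourceTable {
    # Parse 'netsh ... show ipaddresses level=verbose' into address -> flag.
    # Assumed output layout: an "Address <ip> Parameters" header followed by
    # "Skip as Source : true|false" among the per-address lines.
    $table   = @{}
    $current = $null
    foreach ($line in (netsh interface ipv4 show ipaddresses level=verbose)) {
        if ($line -match '^Address\s+(\S+)\s+Parameters') {
            $current = $Matches[1]
        }
        elseif ($current -and $line -match 'Skip as Source\s*:\s*(\w+)') {
            $table[$current] = ($Matches[1] -eq 'true')
        }
    }
    return $table
}

$flags = Get-SkipAsSourceTable
# A mapped IP missing from the table, or present with the flag false, is a problem.
$bad = $MappedIPs | Where-Object { -not $flags[$_] }
if ($bad) {
    Write-Warning "skipassource not set on: $($bad -join ', ')"
} else {
    Write-Host "All mapped IPs have skipassource=true"
}

# On Server 2012 and later, Find-NetRoute returns the source address the stack
# would choose for a destination (first element) and the matching route (second).
# 203.0.113.1 is a TEST-NET-3 placeholder, not a real destination.
if (Get-Command Find-NetRoute -ErrorAction SilentlyContinue) {
    $route = Find-NetRoute -RemoteIPAddress '203.0.113.1'
    Write-Host "Source address chosen for outbound traffic: $($route[0].IPAddress)"
}
```

The verification step matters more than the add step: if the flag is cleared (for example after a reboot, or after someone edits the addresses through the GUI again), the server silently goes back to presenting a mapped address, so this check is worth running as part of routine configuration audits.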

Comments
A handy tip muse, but you should be aware that having all your servers on the internet with the same IP (the firewall's IP) can cause you some email related issues with RBLs (Realtime Black Lists) and being rejected by mail servers.
Also if the firewall IP gets black listed then this can affect all your servers in one go.
A lot of sys admins think that using NAT makes them more secure, but really it doesn't. All traffic is still being forwarded to the destination server regardless, so any open vulnerabilities will still be there and will still be exploitable; it is only the firewall that protects you, regardless of whether you are using static IPs or local NAT.
It is rather like having a front door on your house with no lock, and trying to make it more secure by putting a painting of a locked door in front of it. It is just a façade and anyone that decided to take a closer look would easily see that they can still get to the open door.
If you have a good firewall setup then this will protect your servers regardless of NAT or static IP and also allows you to still completely block servers from the internet where required.
The primary advantage of using NAT is that you are saving IP addresses, which are running out fast.
# Posted By Snake | 10/26/11 7:08 PM
I hear you and I'm aware of these issues. I pointedly don't think I said that my reasons were related to security - and yes I generally exclude email or email relays (or bind relaying specifically by static IP). My reasons are more related to management of IP restricted services and the need to shift resources around easily.

So in the words of Dan Quayle, I stand by all my misstatements :)

But your point is well taken and well put Russ and I don't think I disagree in the slightest. Thanks!
# Posted By Mark A Kruger | 10/26/11 7:17 PM
Blog provided and hosted by CF Webtools. Blog Software by Ray Camden.