Traffic redirect using NAT?

Answered Question
Nov 9th, 2009

I am seeking ideas for setting up a traffic redirect solution in a routed environment (no firewall involved).


The requirement is that the customer wants us to set up a virtual IP to give out to an outside vendor. There are two servers sitting behind the VIP serving traffic. Please note this is NOT a load balancing deployment, because only one server is up at a time. The development team wants the freedom of switching between servers without the outside vendor's awareness. The interesting part here is that the two servers are on different IP subnets in a routed environment. Is it possible to configure NAT where neither the outside IP nor the inside IP is on a router's interface? If not, how can I accomplish this? Thanks in advance.


adamclarkuk_2 Wed, 11/11/2009 - 03:35
User Badges:
  • Silver, 250 points or more

Hi


If I am understanding your requirements correctly, then the answer to "Is it possible to configure NAT where outside IP and inside IP are neither on a router's interface" is yes. As long as the VIP you are using traverses the device doing the NAT, then you just add your NAT statement. An example using NVI :-

VIP 192.168.1.1
Router "outside Address" 10.0.0.1
Router "inside Address" 172.16.0.1

So, 192.168.1.1 does not exist on any router, and I translate that address to 1.1.1.1, which also does not exist on any router.


Config of router doing NAT

--------------------------------------------
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip nat enable
 duplex full
!
interface FastEthernet1/0
 ip address 172.16.0.1 255.255.255.252
 ip nat enable
 duplex full
 speed 100
!
! real server address, reached via the inside next hop
ip route 1.1.1.1 255.255.255.255 172.16.0.2
! the VIP must also be routable toward the inside: NVI does a route lookup
! on the original destination before it translates, then routes again
ip route 192.168.1.1 255.255.255.255 172.16.0.2
!
! NVI static translation: real 1.1.1.1 <-> VIP 192.168.1.1
ip nat source static 1.1.1.1 192.168.1.1
------------------------------------------------

ping from an outside device :-

R0#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/117/196 ms

Output of NVI translation :-

R1#sh ip nat nvi translations
Pro  Source global      Source local       Destin local       Destin global
---  192.168.1.1        1.1.1.1            ---                ---
icmp 10.0.0.2:31        10.0.0.2:31        192.168.1.1:31     1.1.1.1:31


I think that is what you are after, if not sorry :-s



jackawang Wed, 11/11/2009 - 19:08

Thank you very much for your in-depth explanation. The NVI solution is a lot easier than traditional NAT. Can you tell me when I should use NVI instead of legacy NAT when IOS supports both?

adamclarkuk_2 Thu, 11/12/2009 - 00:54
User Badges:
  • Silver, 250 points or more

You are very welcome, that is what this forum is all about, right?


So, in my opinion, both methods have their place, but unless you do not know for sure which way the traffic will flow through the router (it can happen) and need to force the inside/outside translation, then use NVI. People seem to struggle with inside/outside and whether it will be source NAT or destination NAT based on the flow of traffic through the domains; I have attached a very useful NAT link below that describes the order of operation. I have used NVI very successfully within VRFs and the global routing table on a single device where inside/outside failed me, due to the fact that the inside and outside interfaces were not in the same VRF; NVI does not care. Because NVI has no knowledge of inside or outside, a statement such as "ip nat source static x.x.x.x x.x.x.x" could match whether the source came from interface 1 or interface 2; this is not the case with inside/outside domains.


So, in a nutshell, if your IOS supports it and you do not need to force a unidirectional translation, then use NVI.



Useful NAT links

NAT Order of operation link

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


How NAT works

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml



Don't forget to rate links and mark as complete if you're happy ;-)

jackawang Thu, 11/12/2009 - 09:19

Hi adamclarkuk,

I have an additional question here. What if the translated IP and the IP being translated (the VIP) were in the same subnet? Using the example you gave above, can I make the VIP 1.1.1.5 NAT'ed to 1.1.1.1? I know it is a very rare case, but a lot of times the user wants a VIP from the same network as the real server. Of course the traffic is coming from outside, through the NAT router.


Correct Answer
adamclarkuk_2 Thu, 11/12/2009 - 09:41
User Badges:
  • Silver, 250 points or more

Hi Jack


Absolutely and that will work with both NVI and inside/outside domains.
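To make the three points in this thread concrete (the NVI config in the first answer, the NVI versus inside/outside difference in the second, and the same-subnet VIP answered here), the following is an added toy model of static NAT. It is Python, not IOS, and it is not the poster's configuration: interface names, the 1.1.1.0/29 route used so that a same-subnet VIP is routable, and the packets are assumptions made for the illustration. Both modes apply the order of operations the thread relies on: route lookup on the original destination, translate, then route again on the translated destination.

```python
# Added illustration for this thread, not IOS code and not the poster's config:
# a toy model of static NAT contrasting NVI ("ip nat enable" on interfaces plus
# "ip nat source static LOCAL GLOBAL") with legacy inside/outside domains
# ("ip nat inside source static LOCAL GLOBAL"). Addresses are the thread's;
# interface names, the 1.1.1.0/29 route and the 1.1.1.5 VIP are assumptions.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str


@dataclass
class Router:
    mode: str                        # "nvi" or "domain"
    routes: dict                     # prefix -> egress interface (static routes)
    nat: dict                        # local (real) address -> global (VIP) address
    inside: frozenset = frozenset()  # inside interfaces, "domain" mode only

    def lookup(self, dst):
        """Longest-prefix match over the static routes; None if no route."""
        best = None
        for prefix, iface in self.routes.items():
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
        return best[1] if best else None

    def translate(self, pkt):
        to_global = self.nat
        to_local = {g: l for l, g in self.nat.items()}
        if self.mode == "nvi":
            # NVI has no inside/outside: a matching source OR destination is
            # rewritten whichever nat-enabled interface the packet came in on.
            return replace(pkt, src=to_global.get(pkt.src, pkt.src),
                                dst=to_local.get(pkt.dst, pkt.dst))
        if pkt.in_iface in self.inside:
            # inside -> outside: only the source is eligible for translation
            return replace(pkt, src=to_global.get(pkt.src, pkt.src))
        # outside -> inside: only the destination is eligible for translation
        return replace(pkt, dst=to_local.get(pkt.dst, pkt.dst))

    def forward(self, pkt):
        """Return (packet as sent on, egress interface); egress None = dropped."""
        if self.lookup(pkt.dst) is None:   # 1st lookup on the untranslated dst
            return pkt, None
        out = self.translate(pkt)
        return out, self.lookup(out.dst)   # 2nd lookup on the translated dst


def thread_router(mode, vip="192.168.1.1", vip_route=True):
    """Router from the first answer: VIP <-> real server 1.1.1.1 behind 172.16.0.2."""
    routes = {"10.0.0.0/30": "Fa0/0", "172.16.0.0/30": "Fa1/0", "1.1.1.0/29": "Fa1/0"}
    if vip_route:
        routes[vip + "/32"] = "Fa1/0"      # the 'ip route VIP 255.255.255.255' line
    return Router(mode, routes, {"1.1.1.1": vip}, frozenset({"Fa1/0"}))


def ping_vip(mode, vip="192.168.1.1", vip_route=True):
    """Outside host 10.0.0.2 pings the VIP; returns the request as the server sees
    it and the reply as the outside host sees it, each with its egress interface."""
    r = thread_router(mode, vip, vip_route)
    req, out1 = r.forward(Packet("10.0.0.2", vip, "Fa0/0"))
    if out1 is None:
        return None                        # no route for the VIP: never translated
    reply, out2 = r.forward(Packet(req.dst, req.src, "Fa1/0"))
    return (req.src, req.dst, out1), (reply.src, reply.dst, out2)


def real_source_on_other_side(mode):
    """The second answer's point: a packet sourced from the real address arriving
    on the 'wrong' (outside) interface. NVI still translates it, domains do not."""
    pkt, _ = thread_router(mode).forward(Packet("1.1.1.1", "172.16.0.2", "Fa0/0"))
    return pkt.src


if __name__ == "__main__":
    for mode in ("nvi", "domain"):
        print(mode, ping_vip(mode))                       # same result both ways
        print(mode, "same-subnet VIP", ping_vip(mode, vip="1.1.1.5"))
        print(mode, "source seen as", real_source_on_other_side(mode))
    print("VIP without a route:", ping_vip("nvi", vip_route=False))
```

Running it shows the ping to the VIP reaching 1.1.1.1 and the reply leaving with the VIP as its source in both modes, the same-subnet VIP 1.1.1.5 behaving identically, and the one behavioural difference the second answer describes: a packet sourced from 1.1.1.1 but arriving on the outside interface is translated by NVI and left alone by inside/outside domains. Dropping the /32 route for the VIP reproduces why that route is in the config at all.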
