Traffic redirect using NAT?

jackawang
Level 5

I am looking for ideas on setting up a traffic redirect solution in a routed environment (no firewall involved).

The requirement is that the customer wants us to set up a virtual IP to give out to an outside vendor. There are two servers sitting behind the VIP serving traffic. Please note this is NOT a load balancing deployment, because only one server is up at a time. The development team wants the freedom of switching between servers without the outside vendor's awareness. The interesting part here is that the two servers are on different IP subnets in a routed environment. Is it possible to configure NAT where the outside IP and the inside IP are neither on a router's interface? If not, how can I accomplish this? Thanks in advance.


5 Replies

adamclarkuk_2
Level 4

Hi

If I am understanding your requirements correctly, then the answer to "Is it possible to configure NAT where the outside IP and the inside IP are neither on a router's interface" is yes. As long as the VIP you are using traverses the device doing the NAT, then you just add your NAT statement. An example using NVI:

VIP 192.168.1.1

Router "outside address" 10.0.0.1

Router "inside address" 172.16.0.1

So, 192.168.1.1 does not exist on any router, and I translate that address to 1.1.1.1, which also does not exist on any router.

Config of the router doing NAT

--------------------------------------------
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip nat enable
 duplex full
!
interface FastEthernet1/0
 ip address 172.16.0.1 255.255.255.252
 ip nat enable
 duplex full
 speed 100
!
! route for the real server address (the NAT "local" address)
ip route 1.1.1.1 255.255.255.255 172.16.0.2
! route for the VIP itself (the NAT "global" address), towards the inside next hop
ip route 192.168.1.1 255.255.255.255 172.16.0.2
!
! NVI static translation: local 1.1.1.1 <-> global 192.168.1.1
ip nat source static 1.1.1.1 192.168.1.1
------------------------------------------------

Ping from an outside device:

R0#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/117/196 ms

Output of the NVI translation:

R1#sh ip nat nvi translations
Pro   Source global    Source local    Destin local      Destin global
---   192.168.1.1      1.1.1.1         ---               ---
icmp  10.0.0.2:31      10.0.0.2:31     192.168.1.1:31    1.1.1.1:31

I think that is what you are after; if not, sorry :-s

Thank you very much for your in-depth explanation. The NVI solution is a lot easier than traditional NAT. Can you tell me when I should use NVI instead of legacy NAT when IOS supports both?

You are very welcome; that is what this forum is all about, right?

So, in my opinion, both methods have their place, but unless you do not know for sure which way the traffic will flow through the router (it can happen) and need to force the inside/outside translation, then use NVI. People seem to struggle with inside/outside and whether it will be source NAT or destination NAT based on the flow of traffic through the domains; I have attached a very useful NAT link below that describes the order of operation. I have used NVI very successfully within VRFs and the global routing table on a single device where inside/outside failed me, because the inside and outside interfaces were not in the same VRF; NVI does not care. Because NVI has no knowledge of inside or outside, a statement such as ip nat source static x.x.x.x x.x.x.x could match whether the source came from interface 1 or interface 2; this is not the case with inside/outside domains.

So, in a nutshell, if your IOS supports it and you do not need to force a unidirectional translation, then use NVI.

Useful NAT links

NAT Order of operation link

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

How NAT works

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml

Don't forget to rate links and mark as complete if you're happy ;-)

Hi adamclarkuk,

I have an additional question here. What if the translated IP and the IP being translated (the VIP) were in the same subnet? Using the example you gave above, can I make the VIP 1.1.1.5 be NAT'ed to 1.1.1.1? I know it is a very rare case, but a lot of times users want a VIP from the same network as the real server. Of course the traffic is coming from outside, through the NAT router.

Hi Jack

Absolutely, and that will work with both NVI and inside/outside domains.

(Accepted solution)
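The NVI configuration in adamclarkuk's first reply and the same-subnet VIP question above can be checked against a small model. The following Python is an added example, not code from the thread or from Cisco. It models only what the post shows: the static entry, the per-flow row an ICMP echo creates in "show ip nat nvi translations", and the static routes for both the VIP and the real server. The IOS order of operations is simplified to an assumption: a packet entering a NAT-enabled interface is routed on its untranslated destination, translated if a static entry matches, then routed again. The second server 10.20.0.5 behind an assumed interface FastEthernet2/0 (172.17.0.1/30) and the VIP 1.1.1.5 case are illustrative values, not from the post.

```python
"""Toy model of the IOS NVI static NAT in the thread above.

Added example, not code from the thread or from Cisco. Simplified order of
operations (assumption): route on the untranslated destination, translate on a
static-entry match, then route again on the translated address.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    address: str       # e.g. "10.0.0.1/30"
    nat_enabled: bool  # "ip nat enable" configured on it (NVI)


@dataclass
class Router:
    interfaces: list
    routes: dict = field(default_factory=dict)    # "prefix" -> next hop (ip route ...)
    static: dict = field(default_factory=dict)    # global -> local (ip nat source static)
    sessions: list = field(default_factory=list)  # dynamic per-flow rows

    def nat_source_static(self, local, global_):
        """ip nat source static LOCAL GLOBAL"""
        self.static[global_] = local

    def _connected(self, addr):
        """Interface whose connected subnet contains addr, else None."""
        ip = ipaddress.ip_address(addr)
        for intf in self.interfaces:
            if ip in ipaddress.ip_interface(intf.address).network:
                return intf
        return None

    def lookup(self, dst):
        """Longest-prefix match over connected subnets and static routes.
        Returns (next_hop, egress Interface) or None."""
        ip = ipaddress.ip_address(dst)
        candidates = []
        intf = self._connected(dst)
        if intf is not None:
            net = ipaddress.ip_interface(intf.address).network
            candidates.append((net.prefixlen, dst, intf))
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            egress = self._connected(nh)
            if ip in net and egress is not None:
                candidates.append((net.prefixlen, nh, egress))
        if not candidates:
            return None
        _, nh, egress = max(candidates, key=lambda c: c[0])
        return nh, egress

    def outside_to_inside(self, src, dst, proto, ident):
        """Vendor-side packet sent to the VIP. Returns (real destination, next hop)
        or None when the router has nowhere to send it."""
        first = self.lookup(dst)                 # route on the untranslated VIP
        if first is None or not first[1].nat_enabled:
            return None                          # no usable route: dropped
        local = self.static.get(dst)
        if local is None:
            return dst, first[0]                 # no entry: forwarded untranslated
        second = self.lookup(local)              # route on the real server
        if second is None:
            return None
        self.sessions.append((proto, f"{src}:{ident}", f"{src}:{ident}",
                              f"{dst}:{ident}", f"{local}:{ident}"))
        return local, second[0]

    def inside_to_outside(self, src, dst):
        """Reply from the real server: its local source becomes the VIP."""
        route = self.lookup(dst)
        if route is None:
            return None
        for global_, local in self.static.items():
            if local == src:
                return global_, route[0]
        return src, route[0]

    def translations(self):
        """Rows in the column order of 'show ip nat nvi translations'."""
        rows = [("---", g, l, "---", "---") for g, l in self.static.items()]
        return rows + list(self.sessions)

    def redirect_vip(self, vip, new_local):
        """Point the VIP at another server. The model drops existing flow rows;
        on a real router they would have to be cleared or time out."""
        self.static[vip] = new_local
        self.sessions.clear()


def router_from_post():
    """The configuration posted in the thread (addresses taken from it)."""
    r = Router([Interface("FastEthernet0/0", "10.0.0.1/30", True),
                Interface("FastEthernet1/0", "172.16.0.1/30", True)])
    r.routes["1.1.1.1/32"] = "172.16.0.2"
    r.routes["192.168.1.1/32"] = "172.16.0.2"
    r.nat_source_static("1.1.1.1", "192.168.1.1")
    return r


if __name__ == "__main__":
    r = router_from_post()
    print(r.outside_to_inside("10.0.0.2", "192.168.1.1", "icmp", 31))
    for row in r.translations():
        print(row)
```

In the model, deleting the route for 192.168.1.1 makes outside_to_inside return None: the VIP is on no interface, so that static route is the only thing telling the router where the VIP "lives". Switching servers is one call to redirect_vip plus a route to the new server, and the vendor keeps sending to the same VIP.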
