Destination Nat

emclain
Level 1

Got a question here that I hope somebody can answer for me. I have the following scenario:

I have 3 DNS servers. 2 are live and have valid addresses, one is old and is being taken offline. Because of some hassles with Netsol I cannot take the old server off the listed DNS servers for roughly 200 domains. Because of this I need to forward all traffic destined for UDP port 53 on the old server's IP address to one of the other servers. Now, under Linux, this was simple:

# DNAT is only valid in the PREROUTING and OUTPUT chains of the nat table (not POSTROUTING)
iptables -t nat -A PREROUTING -p udp -d 208.62.90.240 --dport 53 -j DNAT --to-destination 208.62.90.234:53

However, we have just replaced our Linux router with a Cisco 2600 series and no matter what I or anyone else tries it just doesn't work. This is what we have tried thus far:

ip nat inside source static udp 208.62.90.234 53 208.62.90.240 53 extendable

on int fast 0/0

ip nat outside

on int fast 0/1

ip nat inside

Now what happens is that all traffic for 208.62.90.240 on port 53 is indeed mapped to 208.62.90.234, but traffic for 208.62.90.234 on its own is lost. I then gave our nameserver another IP address of 208.62.90.253 and did the same ip nat command to that IP. This, however, does not work at all on either machine. If I do a no ip nat inside/outside on the interfaces I CAN pull queries directly from 208.62.90.253.

Does anyone have the foggiest clue on how to do what I am trying to do?

Thanks,

Ed McLain

Net Admin

HSS


daniel.kline
Level 1

I have typically used address translation to translate from an outside global address to a private internal address, but I believe this may work:

ip nat outside source static

- Available beginning with IOS v.11.2

As I said, I have never used this command to translate from one global address to another. But, if this works you can use an access list to filter traffic for a specific port. I don't know if there is a way to translate an address only for a specific tcp port, but you can do port translation.

Then you can apply an inbound access list on the outside interface to allow only port 53 for that specific host:

! host address taken from the question above; the original reply left it out
access-list 101 deny tcp any host 208.62.90.240 neq 53

access-list 101 permit ip any any

- Make sure these commands are in this order

Or, if you prefer, use no access list at all and allow all IP traffic to pass.

Hope this helps,

Dan
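Putting the two posts together, here is a complete IOS configuration for the scenario in the question. It is an added example written for this page, not the poster's working config or a Cisco-supplied one. It assumes FastEthernet0/0 faces the upstream network, FastEthernet0/1 faces the server LAN, 208.62.90.234 is the live name server and 208.62.90.240 is the retired server's address (addresses and interfaces taken from the question); the access-list number 101 is taken from the reply.

```cisco
! Added example, not configuration from the thread or from Cisco.
! Assumptions: Fa0/0 = outside (upstream), Fa0/1 = inside (server LAN),
! 208.62.90.234 = live DNS server, 208.62.90.240 = retired server's address.
!
interface FastEthernet0/0
 description Outside (upstream)
 ip nat outside
 ip access-group 101 in
!
interface FastEthernet0/1
 description Inside (server LAN)
 ip nat inside
!
! Port-specific static translation: only UDP/53 sent to .240 is rewritten
! to .234; other traffic to .240 is untouched. The keyword is "extendable".
ip nat inside source static udp 208.62.90.234 53 208.62.90.240 53 extendable
!
! Inbound filter on the outside interface. The inbound ACL is evaluated
! before NAT, so it matches the untranslated destination 208.62.90.240.
! Entries are evaluated top to bottom; first match wins.
access-list 101 permit udp any host 208.62.90.240 eq domain
access-list 101 deny   ip  any host 208.62.90.240
access-list 101 permit ip  any any
!
! Verification from exec mode:
!   show ip nat translations
!   show ip nat statistics
```

One caveat worth knowing when reading the symptom in the question: a static translation is applied in both directions, so replies the server sends from 208.62.90.234:53 toward the outside are rewritten to come from 208.62.90.240:53. A resolver that queried .234 directly then receives an answer from .240 and discards it, which matches the "traffic for 208.62.90.234 on its own is lost" observation. The usual way around this is to give the server a second inside address (as the question tries with 208.62.90.253), bind the DNS service to it as well, and point the static translation at that address instead of .234, so that .234 is never translated.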
