NAT and Multiple public subnets

jesse_driskill
Level 1

Hello all,

I think this will be a pretty easy question but wanted to get a second opinion since I've never configured it.

I have several types of servers that will never be contacted by the internet at all... middle-tier and back-end servers. The front end webs of course need to be publicly accessible, but I want to build in an easy migration path to a load-balancer in the future, so I'm giving them private IPs as well and plan on using static NATs to reach them in the meantime. In a few weeks we will also be getting a second public IP allocation, and possibly (probably) a third after that from a second ISP. I understand NATs pretty well and think I know exactly how I need to do this; I just haven't before and want to cover my bases.

My questions are:

o Can I use the 'ip nat inside' command on an SVI? I want to place that command on the internal L3 VLAN interface that the machines will be using as their default gateway.

o In the future when I have multiple public subnets I will need connections from both of those getting to these servers. I want to make sure I can place 'ip nat outside' on the interface to that subnet as well and have NATs in place for these servers there. It would require the router to know which connections came in through which interfaces and send replies to that connection back out the same interface. Doable?

Finally, we will be using BGP to load-balance inbound and outbound connections to both ISPs. Will there be any conflicts in determining which connection the servers' packets are sent out, since there will be two static NATs defined, one on each interface to the ISPs?

--jesse

6 Replies

mmorris11
Level 4

Answers:

1. No. Switches don't do NAT.

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml

2. TCP sessions will correspond to the ip addresses. If you are natting one server with two public addresses you will have issues. The LB algorithms don't care which line the packet came in on when selecting a path back to the source. If you source your server on a different IP address on each path, then the packets that ACK back on a session may or may not have the expected source IP address.

http://www.cisco.com/en/US/customer/tech/tk365/technologies_tech_note09186a0080094820.shtml#perper

HTH pls rate!

1. I used the term 'switch' loosely. In reality this is a 6509 w/ dual Sup 720s. The sups are handling routing and should be fully capable of pretty much everything I want to do.

2. I understand that TCP sessions correspond to IP addresses. The question is: Is IOS smart enough to realize that a connection came in on interface 6/1 AND WAS NATTED, so it has to go back out through the same interface?

The 'Background' section of this article implies that it is possible, since a translation already exists and would match the traffic being replied to:

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

So am I interpreting the info above incorrectly?

--jesse

...and in case I am interpreting the info incorrectly:

o How do most organizations handle having one set of servers that need to respond to connections coming from multiple ISPs?

o Do they advertise one IP space out through both ISPs with BGP?

o What happens if they have multiple subnets and multiple ISPs?

I'm sure you see where I'm going with this. If there's a doc or something I'm more than happy to read it, I just haven't been introduced to the problem before. This is why experience trumps tests, including the CCNP.

thanks,

--jesse

First, on BGP and ISPs.

In general you must have your own registered IP blocks and AS number to get multiple ISPs to advertise out the same range of IP addresses. Very rarely can you get ISP1 to advertise out a block owned by ISP2. In general you will advertise out all your blocks on all your ISPs. In some cases, if you want to force traffic over one link and modifying the AS path does not work, you may end up only advertising over one ISP. Normally you can get traffic to flow the way you want with AS path.

On the NAT question you have a couple of issues. The first is how an outside user will know that both external NAT addresses go to the same server. There are tricky DNS things that can be done to use both. If you manage to do that, you get to the problem you mentioned. The router is not smart enough to know which NAT translation the packet came in on. One solution I have seen recommended is to put multiple IPs on the server. You can then NAT the two external NAT addresses to different inside addresses. You could then use policy routing to force the traffic to return correctly.

Jesse,

You know what may work in this situation is that you policy route the traffic coming from the server, where if it uses IP address A as a source, it uses path A, and so on. Your load distribution for the server will come from DNS round robin or the like. Then your other outbound traffic could LB using per-destination. This is nothing I have tried, but just an idea.

-mike
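The arrangement described in the two replies above (one inside address per public address, each with its own static translation, and policy routing on the inside SVI keyed on the source address so replies leave by the ISP whose block they belong to), written out as an added IOS configuration example. This is not configuration from any poster in this thread. All addresses are placeholder RFC 5737 documentation ranges, the interface names, ACL numbers and route-map name are assumptions, and it assumes the platform actually performs NAT and PBR on the SVI, which must be checked against the hardware's own documentation.

```cisco
! --- Inside: the SVI the servers use as default gateway ---
! Policy routing is evaluated on traffic entering this interface from the
! servers, i.e. before inside->outside translation, so the ACLs below match
! the servers' private (inside) addresses, not the public ones.
interface Vlan10
 description Server VLAN (inside)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-RETURN-BY-SOURCE
!
! --- Outside: one interface per ISP, both marked nat outside ---
! Hypothetical addressing: ISP-A hands us 198.51.100.0/24, ISP-B 203.0.113.0/24
interface GigabitEthernet6/1
 description ISP-A uplink (outside)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet6/2
 description ISP-B uplink (outside)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! --- Static translations ---
! The web server carries two inside addresses (a second IP on its NIC).
! Each inside address is bound to exactly one public address, so a given
! inside source always implies a given ISP. A static inside-source
! translation applies on any outside interface, so a connection arriving
! from either ISP to "its" public address is translated correctly.
ip nat inside source static 10.10.10.20 198.51.100.20
ip nat inside source static 10.10.10.21 203.0.113.20
!
! --- Return-path selection ---
! Match replies by the inside source address the server used.
access-list 110 remark Replies sourced from the ISP-A-facing server address
access-list 110 permit ip host 10.10.10.20 any
access-list 120 remark Replies sourced from the ISP-B-facing server address
access-list 120 permit ip host 10.10.10.21 any
!
! Force each source out the matching ISP's next hop. Traffic from any other
! inside host matches no sequence and falls through to the normal routing
! table (i.e. whatever BGP has chosen), so ordinary outbound load sharing
! is unaffected.
route-map PBR-RETURN-BY-SOURCE permit 10
 match ip address 110
 set ip next-hop 198.51.100.1
!
route-map PBR-RETURN-BY-SOURCE permit 20
 match ip address 120
 set ip next-hop 203.0.113.1
```

To check it, `show ip nat translations` should list both static entries with the inside and outside addresses above, and `show route-map PBR-RETURN-BY-SOURCE` shows the match counters climbing on sequence 10 or 20 as the server replies from each address. The reason this works where a single inside address with two statics does not is that IOS picks the outgoing interface from the routing table (or PBR) before it consults the NAT table, so the source address is the only thing available to steer the reply; binding each public address to its own inside address makes that decision unambiguous.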

Thanks much for the responses. They make great sense, and using two IPs on the server is a great idea. (I can't believe I didn't think of that... shameful.)

In bringing up the difficulty here I was able to get the powers that be to see that two IP blocks and two providers isn't a good idea. (Mainly because I can see that myself now.)

We're submitting for an IP block from ARIN to resolve the issue in a more conventional manner.

Thanks much,

--jesse
