Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1119
Views
0
Helpful
2
Replies

Alternative for Hairpinning / DNS static host entry

Alexander Neumann
Level 1
Level 1

‎10-16-2014 02:21 AM

Hello,

I want to reach a server, which resides in LAN D from client LAN A via it´s public IP (Citrix Netscaler) and https.

Both nets have the same default gateway device (Cisco 1921, 15.4(1) with virtual Interfaces).

On this device also the NAT statics for reachablity of the server from outside are configured.

Is there a way to forward packets destined for 93.XXX.XXX.XXX:443 directly to 10.10.1.150 and back from 10.10.0.0/24, without static DNS or host entrys on any device?

 

Config extract:

ip nat inside source static tcp 10.10.1.150 443 93.XXX.XXX.XXX 443 extendable

interface GigabitEthernet0/0
 description *** OUTSIDE ***
 ip address 93.XXX.XXX.XXX 255.255.255.224
 ip nat outside
 ip inspect FW in
 ip inspect FW out

interface GigabitEthernet0/1.2
 description *** LAN A ***
 encapsulation dot1Q 2
 ip address 10.10.0.254 255.255.255.0
 ip nat inside

interface GigabitEthernet0/1.3
 description *** LAN D ***
 encapsulation dot1Q 3
 ip address 10.10.1.254 255.255.255.0
  ip nat inside
 

Help is very much appreciated.

Kind regards

Alex

Labels:
0 Helpful
2 Replies 2

avbaveja
Cisco Employee
Cisco Employee

‎10-20-2014 05:21 PM

Hi Alex,

Hope you are doing well!

Since you are using Citrix Netscaler I wanted to mention a new feature Automated Policy based Routing(APBR) and RISE(Remote Integrated Service Engine)  that is available on Citrix Netscaler which might ease you pain points in configuring services.

Here are some details and links

RISE (Remote Integrated Services Engine) is an innovative, industry-first architecture conceived by the Nexus Services engineering team to seamlessly integrate Nexus switches with appliances offering L2/L3/L4-L7 services. RISE makes the service appliance look like a line card in the Nexus 7K series. This integration allows any appliance to take advantage of the benefits of an in-chassis module such as increased application performance, high application availability, and data center consolidation.
 

RISE press release on Wall Street Journal : http://online.wsj.com/article/PR-CO-20140408-905573.html
RISE At A Glance white paper: http://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/at-a-glance-c45-731306.pdf
RISE announcement blog: http://blogs.cisco.com/datacenter/rise
RISE Video at Interop: https://www.youtube.com/watch?v=1HQkew4EE2g
Cisco RISE page: www.cisco.com/go/rise
Gartner blog on RISE: “Cisco and Citrix RISE to the Occasion”: http://blogs.gartner.com/andrew-lerner/2014/03/31/cisco-and-citrix-rise-to-the-adc-occasion/
 
Please contact us for a demo/presentation/POC. Please send email to nxos-rise@cisco.com.

Thanks

Avni

 

 

0 Helpful

Alexander Neumann
Level 1
Level 1
In response to avbaveja

‎11-10-2014 08:38 AM

Thank you for the answer.

But isn´t there a way to get my ISR Routers (1841/1921) not to NAT addresses, which they hold by there own and have statics configured for?

I´m not willing to change my switch fabric base to Cisco Nexus just to get this issue fixed.

(By the way the Nexus contruct with FEXes that have to transmit all their port traffic forward and back to their parent Nexus instead of passing it directly between their interfaces is just not acceptable)

With an ASA this isn´t a problem at all.

 

Kind regards.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents