Conditional NAT with route-map and 2 destinations IP aka DNS doctoring

lap
Level 2

Hi Guys,

Our customer wants to achieve a special design with NAT. Please see the following drawing:

[drawing: Silhorko.jpg]

As you can see, our customer is running Lotus Notes on a server with IP 192.168.107.11. External users can reach this server via HTTPS on 20.10.10.30 thanks to the static NAT (ip nat inside source static tcp 192.168.107.11 443 20.10.10.30 443 extendable).

Internal users (192.168.107.0 /24) go to the Internet via NAT address 20.10.10.28 thanks to dynamic NAT (ip nat inside source route-map Nat interface GigabitEthernet0/0 overload).

Internal WiFi users (10.90.227.0 /24) go to the Internet via NAT address 30.10.10.132 thanks to dynamic NAT (ip nat inside source route-map Nat-Wifi pool PublicIP-Wifi overload).

Until now everything works fine.

The issue is when internal users (both cable and WiFi) try to reach the Lotus Notes server (192.168.107.11) via 20.10.10.30 on port 443.

So my issue is how I can write a NAT rule that does the following alongside the NAT rules already configured:

  • When coming from internal network 192.168.107.0 /24 and destination IP 20.10.10.30 port 443, NAT to 192.168.107.11; otherwise NAT to the GigabitEthernet0/0 IP (20.10.10.28) and overload.

  • When coming from internal WiFi network 10.90.227.0 /24 and destination IP 20.10.10.30 port 443, NAT to 192.168.107.11; otherwise NAT to 30.10.10.132 and overload.

Does anyone have a good idea on how I can best do this little NAT trick?

Thanks in advance.

Best regards,

Laurent


lap
Level 2

Hi,

I have found that what I was looking for is called DNS doctoring, and it is the default behavior on a Cisco router. It can be disabled with no-payload at the end of the NAT statement.

DNS doctoring on a router works, however, only with one-to-one static NAT, so you need this type of NAT config:

ip nat inside source static 192.168.100.11 20.20.20.20

So when the router sees a DNS reply containing its own public IP, it will automatically translate that to the internal IP in the DNS reply, in this case 192.168.100.11.

To disable this behavior, you can configure the following:

ip nat inside source static 192.168.100.11 20.20.20.20 no-payload

Hope this helps.

Best regards,

Laurent
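To make the mechanism in the reply concrete, here is an added example (not code from the original thread or from Cisco) that models what a NAT router does to a DNS reply when DNS doctoring is on: it walks the answer section of a DNS response, and for every A record whose address matches an inside-global address in a one-to-one static NAT table it overwrites the rdata with the inside-local address, leaving everything else untouched. The STATIC_NAT table, the hostname notes.example.com and the sample reply are all constructed for this example and mirror the reply's 192.168.100.11 / 20.20.20.20 pair. A `no_payload` flag models the `no-payload` keyword: when set, the payload is passed through unchanged. The port-specific static entry from the question (`static tcp ... 443 ... 443`) is deliberately absent from the table: an A record carries only an address, never a port, which is why the reply notes that doctoring needs a plain one-to-one static entry. Only the DNS payload is modelled; UDP checksum recomputation, which a real router also has to do, is left out.

```python
import ipaddress
import struct

# Assumed one-to-one static NAT table, keyed by inside-global (public) address.
# Mirrors "ip nat inside source static 192.168.100.11 20.20.20.20" from the reply.
# A port-specific entry such as "static tcp ... 443 ... 443" has no place here:
# a DNS A record has no port to match against.
STATIC_NAT = {"20.20.20.20": "192.168.100.11"}


def _skip_name(pkt, off: int) -> int:
    """Return the offset just past the domain name that starts at `off`.

    Handles both plain label sequences and RFC 1035 compression pointers
    (a pointer is two bytes and terminates the name).
    """
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_a_reply(txid: int, qname: str, addr: str, ttl: int = 300) -> bytes:
    """Constructed sample DNS response with a single A record (not a real capture)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA, 1 Q, 1 answer
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = ipaddress.IPv4Address(addr).packed
    # Answer name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def a_records(pkt: bytes) -> list:
    """Return the IPv4 addresses of all A records in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    out = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append(str(ipaddress.IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return out


def doctor_dns_reply(pkt: bytes, nat: dict = STATIC_NAT, no_payload: bool = False) -> bytes:
    """Model of NAT DNS doctoring on a reply crossing from outside to inside.

    Every A record whose address is an inside-global address in `nat` is
    rewritten to the matching inside-local address. `no_payload=True` models
    the `no-payload` keyword: the reply is returned exactly as received.
    IPv4 -> IPv4 is a same-length rewrite, so RDLENGTH stays valid.
    """
    if no_payload:
        return pkt
    buf = bytearray(pkt)
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            inside_global = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            if inside_global in nat:
                buf[off:off + 4] = ipaddress.IPv4Address(nat[inside_global]).packed
        off += rdlen
    return bytes(buf)


if __name__ == "__main__":
    reply = build_a_reply(0x1234, "notes.example.com", "20.20.20.20")
    print("as received:", a_records(reply))
    print("doctored:   ", a_records(doctor_dns_reply(reply)))
    print("no-payload: ", a_records(doctor_dns_reply(reply, no_payload=True)))
```

Run as-is, the script shows the public address coming back from the outside resolver and the internal address that an inside client would actually receive, and that `no_payload=True` leaves the reply untouched. The same structure is what makes the one-to-one restriction obvious: the rewrite decision is keyed purely on the address in the A record, so a translation that only exists for one TCP port cannot be applied to it.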