
Multiple NATing - practically

Eng-Ruthless (Level 1)

Dear Engineers,


Good day!

I have an important technical inquiry and I seek your assistance.

One of the requirements is to perform (SNAT, DNAT) for several servers, but they already have NATing configured. The request is to set up another NAT on a different public IP. Would there be an issue with this, or would it work?

A simple example:

Internal server IP: 10.10.10.10
It goes out via the following public IPs:

SNAT1: 55.7.49.1 (already activated previously)
SNAT2: 55.7.49.2
DNAT1: 55.7.49.1 (already activated previously)
DNAT2: 55.7.49.2

--------------------------------------

Also, please note that some servers have DNAT configured but specific to a certain port, and the requirement is on another port. Is it correct to set up a new NAT on the new port?



Best regards.




22 Replies

Totally correct

MHM

Hello @MHM Cisco World ,

Stateful NAT was a feature present in IOS that used to leverage HSRP groups on inside/outside and the communication between two routers to keep the NAT tables in sync, so that when a switchover occurs the NAT entries are already there on the new active router, with no issues for the existing flow sessions.

I tested it in 2006.

Later, Stateful IPsec for site-to-site VPNs was also provided in IOS with the same idea, using HSRP group VIPs on inside/outside and terminating the tunnels on the HSRP VIP of the outside interface.

I have implemented Stateful IPsec on two Cisco 7200 NPE-G1 or G2.

Edit:

Check the link provided by @paul driver; it is the Stateful NAT for IOS 12.4T.

I'm not sure, but it is not present anymore in IOS XE (stateful NAT, I mean).

Hope to help

Giuseppe


Hello @Giuseppe Larosa

@Giuseppe Larosa wrote: I'm not sure but it is not present anymore in IOS XE (stateful NAT I mean)

You're right mate, it's B2B NAT now. TBH I've never used it in production, just in simulation a few times to get to know it.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Dear MHM,

What I meant is not "static NAT and dynamic NAT," but rather SNAT = Source NAT, DNAT = Destination NAT.

SNAT is the standard when I want to translate a private address to a public one so that it can access the internet.

For DNAT, I believe there is another technical term, but it's not coming to mind right now. What I mean is when I have, for example, a server providing a specific service or a website, and I want to link it to a public IP as DNAT, so that users on the internet can access this server.

In short, the DNAT process is the reverse of standard NAT.

Then, friend:

-- Source NAT (SNAT) is done many-to-one, and it is configured as dynamic NAT using

Ip nat inside source list x interface/pool

So to add more public IPs, use a pool and add two or more public IPs.

-- Destination NAT is one-to-one, and it is configured as static NAT by

Ip nat inside source static tcp/udp/ip

If you want more servers and have one public IP, then instead of using IP, use the tcp/udp port.

If you want more servers and have many public IPs, then use one server -> one public IP.

Note: surely you will ask, can I use the same public IP for both cases? The answer: if you use tcp/udp, then yes, you can use the same public IP for both.

If you use IP in static NAT, then no, you cannot.

MHM

Hello @MHM Cisco World

@MHM Cisco World wrote:
Destination NAT is one-to-one, and it is configured as static NAT by
Ip nat inside source static tcp/udp/ip
If you want more servers and have one public IP, then instead of using IP, use the tcp/udp port.

FYI - there are many flavours of NAT, so many ways to implement it.
Obviously DNAT is one of them, and as you are aware it allows initiation from external host(s) of a network to connect internally to a network that is "hidden" via translation of its address range; however, it's definitely not limited to just a single 1:1 translation as you have stated.

You can indeed have a 1:1 mapping between a single public IP address and a single internal application server, but you can also have a cluster of internal application servers and NAT that cluster to a single DNAT public IP address, so that traffic flows initiated externally will/can round-robin between the servers in the cluster internally.

Example: load-balance traffic to an internal server cluster via a DNAT public IP 1.1.1.1

Internal server cluster
192.168.1.1/24
192.168.1.2/24
192.168.1.3/24

! standard ACL matching the public (DNAT) address that external hosts connect to
access-list 1 permit 1.1.1.1

! rotary pool: new inbound connections to 1.1.1.1 are handed to the cluster members in turn
ip nat pool server_cluster 192.168.1.1 192.168.1.3 prefix-length 24 type rotary
! "list" keyword is required in the IOS syntax: ip nat inside destination list <acl> pool <name>
ip nat inside destination list 1 pool server_cluster



Kind Regards
Paul
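The port-sharing rule MHM gives above (several port-specific static entries can share one public IP, but a plain one-to-one static entry claims the whole address) and Paul's rotary-pool example can both be checked with a small model. The following Python is an added example, not code from this thread or from Cisco. It is a toy model of IOS-style NAT rule evaluation: the precedence it uses (port-specific static entry, then whole-address static entry, then rotary pool) and the fact that rotary members get no health check are assumptions of the model, not a description of IOS internals. The addresses are the ones used in the thread; the rule sets are constructed.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticRule:
    """Model of one 'ip nat inside source static ...' line (constructed, not IOS).

    proto=None models a plain one-to-one mapping ('... static A B'), which
    owns every port of the public address; otherwise the entry maps one
    protocol/port pair ('... static tcp A pA B pB')."""
    inside_local: str
    inside_global: str
    proto: Optional[str] = None
    local_port: Optional[int] = None
    global_port: Optional[int] = None

    def owns_whole_address(self) -> bool:
        return self.proto is None


def check_conflicts(rules: List[StaticRule]) -> List[Tuple[StaticRule, StaticRule]]:
    """Return pairs of rules that claim the same (public IP, proto, port) tuple.

    This is MHM's rule from the thread: port-specific entries may share a
    public IP as long as protocol/port differ; a one-to-one entry clashes with
    any other entry on that public IP."""
    clashes = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.inside_global != b.inside_global:
                continue
            if a.owns_whole_address() or b.owns_whole_address():
                clashes.append((a, b))
            elif (a.proto, a.global_port) == (b.proto, b.global_port):
                clashes.append((a, b))
    return clashes


class RotaryPool:
    """Model of 'ip nat pool X first last type rotary' used with
    'ip nat inside destination list <acl> pool X': each new inbound flow to the
    public IP is handed to the next inside host, round-robin, with no check
    that the host is actually serving (the 'poor man load balancing' caveat)."""

    def __init__(self, public_ip: str, inside_hosts: List[str]):
        self.public_ip = public_ip
        self._next_host = cycle(inside_hosts)

    def pick(self) -> str:
        return next(self._next_host)


def translate_inbound(rules: List[StaticRule], pools: List[RotaryPool],
                      dst_ip: str, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Destination-translate one new inbound packet.

    Precedence is an assumption of this model: port-specific static entries
    first, then whole-address static entries, then rotary pools. Returns the
    (inside address, inside port) chosen, or None when nothing matches."""
    for r in rules:
        if r.inside_global == dst_ip and r.proto == proto and r.global_port == dst_port:
            return (r.inside_local, r.local_port)
    for r in rules:
        if r.inside_global == dst_ip and r.owns_whole_address():
            return (r.inside_local, dst_port)
    for p in pools:
        if p.public_ip == dst_ip:
            return (p.pick(), dst_port)
    return None


# Constructed scenario from the original question: 10.10.10.10 is already
# published on 55.7.49.1 tcp/80, and the new request adds it on 55.7.49.2
# with a different port (443 outside, 8443 inside).
THREAD_RULES = [
    StaticRule("10.10.10.10", "55.7.49.1", "tcp", 80, 80),
    StaticRule("10.10.10.10", "55.7.49.2", "tcp", 8443, 443),
]


if __name__ == "__main__":
    print("conflicts in thread rules:", check_conflicts(THREAD_RULES))
    print("inbound 55.7.49.2 tcp/443 ->", translate_inbound(THREAD_RULES, [], "55.7.49.2", "tcp", 443))
    cluster = RotaryPool("1.1.1.1", ["192.168.1.1", "192.168.1.2", "192.168.1.3"])
    for _ in range(4):
        print("inbound 1.1.1.1 tcp/80 ->", translate_inbound([], [cluster], "1.1.1.1", "tcp", 80))
```

Adding a plain one-to-one entry for a second server on 55.7.49.1 makes `check_conflicts` report a clash with the existing tcp/80 entry, while a second port-specific entry on the same public IP does not; that is the distinction the question about "a new NAT on the new port" turns on.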

Hello @paul driver ,

This use of a pool with destination NAT was called "poor man load balancing" in some good old book, because it cannot check whether the specific server is actually providing the service.

However, the OP has replied that by SNAT he/she means Source NAT only.

Hope to help

Giuseppe


Hello @Giuseppe Larosa 


@Giuseppe Larosa wrote: "poor man load balancing"

Never heard that; that's one for the memory bank.



Kind Regards
Paul