08-27-2024 01:41 PM
Dear Engineers,
Good day!
I have an important technical inquiry and I seek your assistance.
One of the requirements is to perform (SNAT, DNAT) for several servers, but they already have NATing configured. The request is to set up another NATing on a different public IP. Would there be an issue with this, or would it work?
A simple example:
Internal server IP: 10.10.10.10
It goes out to the following public IPs
SNAT1: 55.7.49.1 (already activated previously)
SNAT2: 55.7.49.2
DNAT1: 55.7.49.1 (already activated previously)
DNAT2: 55.7.49.2
--------------------------------------
Also, please note that some servers have DNAT configured but specific to a certain port, and the requirement is on another port. Should I set up a new NAT on the new port correctly?
08-28-2024 05:54 AM
Totally correct
MHM
08-28-2024 05:56 AM - edited 08-28-2024 06:03 AM
Hello @MHM Cisco World ,
stateful NAT was a feature present in IOS that used to leverage HSRP groups on inside/outside and the communication between two routers to keep the NAT tables in sync, so that when a switchover occurs the NAT entries are already there on the new active router with no issues for the existing flow sessions.
I tested it in 2006.
Later, Stateful IPsec for site-to-site VPNs was also provided in IOS with the same idea, using HSRP group VIPs on inside/outside and terminating the tunnels on the HSRP VIP of the outside interface.
I have implemented Stateful IPsec on two Cisco 7200 NPE G1 or G2.
Edit:
check the link provided by @paul driver; it is the Stateful NAT for IOS 12.4T.
I'm not sure, but it is not present anymore in IOS XE (stateful NAT I mean).
Hope to help
Giuseppe
08-28-2024 06:06 AM
Hello @Giuseppe Larosa
@Giuseppe Larosa wrote: I'm not sure but it is not present anymore in IOS XE (stateful NAT I mean)
You're right mate, it's B2B NAT now. TBH I've never used it in production, just in simulation a few times to get to know it.
08-28-2024 10:19 AM
Dear MHM,
What I meant is not "static NAT and dynamic NAT," but rather SNAT = Source NAT, DNAT = Destination NAT.
SNAT is the standard when I want to translate a private address to a public one so that it can access the internet.
For DNAT, I believe there is another technical term, but it's not coming to mind right now. What I mean is when I have, for example, a server providing a specific service or a website, and I want to link it to a public IP as DNAT, so that users on the internet can access this server.
In short, the DNAT process is the reverse of standard NAT.
08-28-2024 10:34 AM
Then friend
--Source NAT (SNAT) is done many-to-one, and it is a dynamic NAT config using
ip nat inside source list x interface/pool
So to add more public IPs, use a pool and add two or more public IPs.
--Destination NAT is one-to-one, and it is a static NAT config by
ip nat inside source static tcp/udp/ip
If you want more servers and have one public IP, then instead of using IP use a tcp/udp port.
If you want more servers and have many public IPs, then use one server -> one public IP.
Note: sure, you will ask "can I use the same public IP for both cases?" The answer: if you use tcp/udp then yes, you can use the same public IP for both;
if you use IP in static NAT then no, you cannot.
MHM
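A worked IOS configuration for the scenario in the original post, added here as an illustration and not taken from the thread or from any poster; the interface names and addresses, ACL and pool names, and the service ports (443 and 8443) are assumptions:

```cisco
! Added example, not from the thread. Assumed: Gi0/0 inside, Gi0/1 outside
! (interface address 55.7.49.254), server 10.10.10.10 on ports 443 and 8443.
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 55.7.49.254 255.255.255.0
 ip nat outside
!
! SNAT (many-to-one / PAT): one pool that holds BOTH public IPs, so a single
! "ip nat inside source list" statement decides which public IP a flow uses.
! Adding a second list statement whose ACL overlaps the existing one is
! harder to reason about than extending the pool.
ip nat pool PUBLIC_POOL 55.7.49.1 55.7.49.2 netmask 255.255.255.0
access-list 10 permit 10.10.10.0 0.0.0.255
ip nat inside source list 10 pool PUBLIC_POOL overload
!
! DNAT: port-specific static entries. The existing DNAT1 on 55.7.49.1 stays;
! the new requirement (second public IP and a different port) is a new entry.
ip nat inside source static tcp 10.10.10.10 443 55.7.49.1 443
ip nat inside source static tcp 10.10.10.10 8443 55.7.49.2 8443
!
! Port-level static entries coexist with the overload pool on the same public
! IPs. A whole-IP static entry such as
!   ip nat inside source static 10.10.10.10 55.7.49.2
! would claim 55.7.49.2 entirely and conflict with the pool and the
! port-specific entries above, which is the case MHM describes.
```

Verify with `show ip nat translations` after generating outbound traffic from 10.10.10.10 and an inbound connection to each mapped port.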
08-28-2024 12:23 PM - edited 08-28-2024 09:00 PM
Hello @MHM Cisco World
@MHM Cisco World wrote:
Destination NAT is one-to-one, and it is a static NAT config by
ip nat inside source static tcp/udp/ip
If you want more servers and have one public IP, then instead of using IP use a tcp/udp port.
FYI - there are many flavours of NAT, so many ways to implement it.
Obviously DNAT is one of them, and as you are aware it allows initiation from external host(s) of a network to connect internally to a network that is "hidden" via translation of its address range; however, it's definitely not defined to just a single 121 translation as you have stated.
You can indeed have a 121 mapping between a single public ip address and a single internal application server, but you can also have a cluster of internal application servers and nat that cluster to a single DNAT public ip address; as such, traffic flows initiating externally will/can round robin between the server cluster internally.
Example: - Load balance traffic to an internal server cluster via a DNAT public ip 1.1.1.1
Internal server cluster
192.168.1.1/24
192.168.1.2/24
192.168.1.3/24
access-list 1 permit 1.1.1.1
ip nat pool server_cluster 192.168.1.1 192.168.1.3 prefix-length 24 type rotary
ip nat inside destination list 1 pool server_cluster
08-29-2024 08:15 AM
Hello @paul driver ,
this use of a pool with destination NAT was called "poor man's load balancing" in some good old book, because it cannot check whether the specific server is providing the service.
However, the OP has replied that by SNAT he/she means Source NAT only.
Hope to help
Giuseppe
08-29-2024 08:47 AM
Hello @Giuseppe Larosa
@Giuseppe Larosa wrote: "poor man's load balancing"
Never heard that, that's one for the memory bank..