05-19-2020 02:14 AM - edited 05-19-2020 05:09 AM
I have a requirement to translate 2 internal servers (primary/secondary), which reside in the inside zone, to ONE IP, ONE port.
For example, 10.10.10.1 and 10.10.10.2 are internal servers. But they will not be active at the same time, because they are configured in Active/Standby. Regardless of which one is active, when they talk to outside, the source IP should be translated to 10.20.20.1 and the source port should be 5000. I understand the below NAT commands are not supported.
ip nat inside source static tcp 10.10.10.1 5000 10.20.20.1 5000
ip nat inside source static tcp 10.10.10.2 5001 10.20.20.1 5000
If I flip the "ip nat inside" and "ip nat outside", the below commands may be accepted by the router. But there are other services using NAT and hence I cannot change this.
ip nat outside source static tcp 10.10.10.1 5000 10.20.20.1 5000
ip nat outside source static tcp 10.10.10.2 5001 10.20.20.1 5000
Is there any other way we can achieve this, using dynamic IP or "no-payload", or any other methods?
05-19-2020 04:01 AM
Hello
You could try to use destination NAT for this.
Example:
access-list 100 permit tcp host 10.20.20.1 any eq 5000
access-list 100 permit tcp any host 10.20.20.1 eq 5000
ip nat pool DNAT 10.10.10.1 10.10.10.2 prefix-length 24 type rotary
ip nat inside destination list 100 pool DNAT
05-19-2020 04:28 AM
Hello Paul, thanks for your reply.
Will your solution require me to initiate the connection from outside? I understand "ip nat destination" is not bidirectional (unlike static) and also that it changes the destination header only if the connection is initiated from outside? Anyway, I will try this out.
05-19-2020 04:41 AM
Hello
@vibi83hrha wrote:
Hello Paul, thanks for your reply.
Will your solution require me to initiate the connection from outside? I understand "ip nat destination" is not bidirectional (unlike static) and also that it changes the destination header only if the connection is initiated from outside? Anyway, I will try this out.
Isn’t this what you want: initiation from an outside host to a single NATted address, which will then hit either of those internal hosts?
05-19-2020 05:11 AM
Hi Paul,
No. My requirement was to initiate connection from inside. Thanks for your support anyway.
05-19-2020 04:48 AM
Hello @vibi83hrha ,
Double NAT usually refers to a case where both the source address and the destination address need to be translated.
You would like to NAT two different IPs and TCP ports to the same outside IP and TCP port.
This is not supported, as you have noted in your initial post.
So you would need to use:
a) an IP SLA using a TCP probe to check the state of the primary server
b) two EEM scripts: one that is triggered by failure of the IP SLA of the primary server to change the configuration on the fly, removing one NAT static command and adding the other one, and another script for when the primary server comes back online, to remove the NAT static and configure the new one.
The biggest issue I see, besides complexity, is that NAT translations are not preserved at each switchover, and this would have an impact on users.
It would be much easier if the two servers could answer to a virtual IP address that is always the same, like in a cluster, or by putting a load balancer in front of them.
In this way there would be only one NAT statement and there wouldn't be any issue with server switchover.
You can try asking the colleagues or customer that manages the servers for this.
Hope to help
Giuseppe
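To make the IP SLA / EEM approach described above concrete, here is an added example configuration. It is not from Giuseppe's post or from Cisco documentation, and it assumes a router inside-interface address of 10.10.10.254 as the probe source; the SLA and track numbers and the applet names are arbitrary choices.

```cisco
! Added example (not from the post above or Cisco docs): IP SLA + track + two EEM
! applets that move one static PAT entry between the primary and secondary server.
! Assumed values (not on the page): probe source 10.10.10.254, SLA/track number 10,
! applet names NAT-TO-SECONDARY and NAT-TO-PRIMARY.

! Probe the primary server's TCP port every 5 s. 'control disable' is needed
! because the server is not an IP SLA responder.
ip sla 10
 tcp-connect 10.10.10.1 5000 source-ip 10.10.10.254 control disable
 timeout 1000
 frequency 5
ip sla schedule 10 life forever start-time now

! Dampen the switchover: declare DOWN after 10 s of failures, UP only after
! 30 s of success, so a single missed probe does not flap the NAT entry.
track 10 ip sla 10 reachability
 delay down 10 up 30

! Steady state: the primary owns the translation.
ip nat inside source static tcp 10.10.10.1 5000 10.20.20.1 5000

! Primary failed: clear the in-use translation first (IOS refuses to remove a
! static entry that still has active translations), then swap the static entry.
! Established sessions are dropped at this point; that is the user impact
! mentioned in the post above.
event manager applet NAT-TO-SECONDARY
 event track 10 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "clear ip nat translation tcp inside 10.20.20.1 5000 10.10.10.1 5000"
 action 1.2 cli command "configure terminal"
 action 1.3 cli command "no ip nat inside source static tcp 10.10.10.1 5000 10.20.20.1 5000"
 action 1.4 cli command "ip nat inside source static tcp 10.10.10.2 5001 10.20.20.1 5000"
 action 1.5 cli command "end"
 action 1.6 syslog msg "Primary 10.10.10.1:5000 down, NAT 10.20.20.1:5000 moved to secondary"

! Primary back: reverse the swap.
event manager applet NAT-TO-PRIMARY
 event track 10 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "clear ip nat translation tcp inside 10.20.20.1 5000 10.10.10.2 5001"
 action 1.2 cli command "configure terminal"
 action 1.3 cli command "no ip nat inside source static tcp 10.10.10.2 5001 10.20.20.1 5000"
 action 1.4 cli command "ip nat inside source static tcp 10.10.10.1 5000 10.20.20.1 5000"
 action 1.5 cli command "end"
 action 1.6 syslog msg "Primary 10.10.10.1:5000 up, NAT 10.20.20.1:5000 moved back to primary"
```

After a failover, "show track 10" and "show ip nat translations" confirm which server currently holds the 10.20.20.1:5000 mapping, and the syslog messages give an audit trail of each swap. The clear step is deliberately scoped to the single translation rather than "clear ip nat translation *", so the other NAT services on the router are not affected.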
05-19-2020 05:13 AM
Hello Giuseppe,
OK, makes sense.
Just to confirm: if I am able to swap "ip nat inside" and "ip nat outside" on both interfaces, will the below 2 commands achieve what I am after?
ip nat outside source static tcp 10.10.10.1 5000 10.20.20.1 5000
ip nat outside source static tcp 10.10.10.2 5001 10.20.20.1 5000
05-19-2020 08:04 AM - edited 05-19-2020 08:05 AM
Hello
@vibi83hrha wrote:
Will the below 2 commands achieve what I am after?
ip nat outside source static tcp 10.10.10.1 5000 10.20.20.1 5000
ip nat outside source static tcp 10.10.10.2 5001 10.20.20.1 5000
No, this won’t work: not only are you specifying the wrong outside host addressing, you have the same TCP port in both NAT statements.