NAT translation multiple source to same destination IP/Port

vibi83hrha
Level 1

I have a requirement to translate 2 internal servers (primary/secondary), which reside in the inside zone, to ONE IP and ONE port.

E.g. 10.10.10.1 and 10.10.10.2 are internal servers. But they will not be in use at the same time, because they are configured in Active/Standby. Regardless of which one is active, when they talk to the outside, the source IP should be translated to 10.20.20.1 and the source port should be 5000. I understand the NAT commands below are not supported.

ip nat inside source static tcp 10.10.10.1 5000 10.20.20.1 5000
ip nat inside source static tcp 10.10.10.2 5001 10.20.20.1 5000

If I flip the "ip nat inside" and "ip nat outside", the commands below may be accepted by the router. But there are other services using NAT and hence I cannot change this.

 

ip nat outside source static tcp 10.10.10.1 5000 10.20.20.1 5000
ip nat outside source static tcp 10.10.10.2 5001 10.20.20.1 5000

Is there any other way we can achieve this, using dynamic NAT or "no-payload", or any other method?

7 Replies

Hello

You could try to use destination NAT for this.

Example:
access-list 100 permit tcp host 10.20.20.1 any eq 5000
access-list 100 permit tcp any host 10.20.20.1 eq 5000
ip nat pool DNAT 10.10.10.1 10.10.10.2 prefix-length 24 type rotary
ip nat inside destination 100 pool DNAT


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul, thanks for your reply.

Will your solution require me to initiate the connection from outside? I understand "ip nat destination" is not bidirectional (unlike static) and also that it changes the destination header only if the connection is initiated from outside? Anyway, I will try this out.

Hello

@vibi83hrha wrote:

Hello Paul, thanks for your reply.

Will your solution require me to initiate the connection from outside? I understand "ip nat destination" is not bidirectional (unlike static) and also that it changes the destination header only if the connection is initiated from outside? Anyway, I will try this out.


Isn't this what you want: initiation from an outside host to a single natted address, which will then hit either of those internal hosts?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul, 

No. My requirement was to initiate the connection from inside. Thanks for your support anyway.

Giuseppe Larosa
Hall of Fame

Hello @vibi83hrha,

"Double NAT" usually means a case where both the source address and the destination address need to be translated.

You would like to NAT two different IPs and TCP ports to the same outside IP and TCP port.

This is not supported as you have noted in your initial post.

So you would need to use:

a) an IP SLA using a TCP probe to check the state of the primary server;

b) two EEM scripts: one that is triggered by failure of the IP SLA of the primary server to change the configuration on the fly, removing one NAT static command and adding the other one, and another script for when the primary server comes back online to remove that NAT static and configure the original one again.

 

The biggest issue I see besides complexity is that NAT translations are not preserved at each switchover and this would have an impact on users.

 

It would be much easier if the two servers could answer to a virtual IP address that is always the same, like in a cluster, or by putting a load balancer in front of them.

In this way there would be only one NAT statement and there wouldn't be any issue with server switchover.

You can try to ask the colleagues or customer that manage the servers for this.

 

Hope to help

Giuseppe
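One way to wire up the IP SLA plus EEM approach described in the reply above, as an added example that is not from the thread. It assumes an IOS router with IP SLA and EEM, the thread's addresses (10.10.10.1:5000 primary, 10.10.10.2:5001 standby, both to be seen as 10.20.20.1:5000), and the IP SLA, track and applet numbers/names are made up:

```cisco
! Added example, not from the thread. Assumed: IOS with IP SLA + EEM,
! primary 10.10.10.1 TCP 5000, standby 10.10.10.2 TCP 5001, one of them
! translated at a time to inside global 10.20.20.1:5000.
!
! TCP probe against the primary's real service port. "control disable"
! is required because the target is a server, not an IP SLA responder.
ip sla 10
 tcp-connect 10.10.10.1 5000 control disable
 frequency 10
ip sla schedule 10 life forever start-time now
!
! Track the probe; the delays dampen flaps so one lost probe does not
! swap the NAT entry back and forth.
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! Steady state: the primary owns the translation.
ip nat inside source static tcp 10.10.10.1 5000 10.20.20.1 5000
!
! Primary down: clear only this entry's translations (so other NAT users
! on the box are untouched and the "entry in use" prompt is avoided),
! then swap the static entry to the standby.
event manager applet NAT-FAILOVER
 event track 10 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "clear ip nat translation tcp inside 10.20.20.1 5000 10.10.10.1 5000"
 action 2.0 cli command "configure terminal"
 action 2.1 cli command "no ip nat inside source static tcp 10.10.10.1 5000 10.20.20.1 5000"
 action 2.2 cli command "ip nat inside source static tcp 10.10.10.2 5001 10.20.20.1 5000"
 action 2.3 cli command "end"
 action 3.0 syslog priority warnings msg "NAT 10.20.20.1:5000 moved to standby 10.10.10.2:5001"
!
! Primary back: reverse the swap. Sessions established through the
! standby are dropped here, which is the switchover impact noted above.
event manager applet NAT-FAILBACK
 event track 10 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "clear ip nat translation tcp inside 10.20.20.1 5000 10.10.10.2 5001"
 action 2.0 cli command "configure terminal"
 action 2.1 cli command "no ip nat inside source static tcp 10.10.10.2 5001 10.20.20.1 5000"
 action 2.2 cli command "ip nat inside source static tcp 10.10.10.1 5000 10.20.20.1 5000"
 action 2.3 cli command "end"
 action 3.0 syslog priority warnings msg "NAT 10.20.20.1:5000 moved back to primary 10.10.10.1:5000"
```

Check the result with "show track 10", "show event manager history events" and "show ip nat translations | include 10.20.20.1" after forcing the primary's port closed in a maintenance window; a failover that the logs show as repeated within seconds means the track delays need to be raised.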

 

Hello Giuseppe,

OK, makes sense.

Just to confirm: if I am able to swap "ip nat inside" and "ip nat outside" on both interfaces, will the 2 commands below achieve what I am after?

ip nat outside source static tcp 10.10.10.1 5000 10.20.20.1 5000
ip nat outside source static tcp 10.10.10.2 5001 10.20.20.1 5000

Accepted Solution

Hello

@vibi83hrha wrote:

, will the 2 commands below achieve what I am after?

ip nat outside source static tcp 10.10.10.1 5000 10.20.20.1 5000
ip nat outside source static tcp 10.10.10.2 5001 10.20.20.1 5000


No, this won't work, as not only are you specifying the wrong outside host addressing, you have the same TCP port in both NAT statements.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul