I am seeking ideas for setting up a traffic redirect solution in a routed environment (no firewall involved).
The requirement is that the customer wants us to set up a virtual IP to give out to an outside vendor. There are two servers sitting behind the VIP serving traffic. Please note this is NOT a load balancing deployment, because only one server is up at a time. The development team wants the freedom to switch between servers without the outside vendor's awareness. The interesting part here is that the two servers are on different IP subnets in a routed environment. Is it possible to configure NAT where neither the outside IP nor the inside IP is on a router's interface? If not, how can I accomplish this? Thanks in advance.
If I am understanding your requirements correctly, then the answer to "Is it possible to configure NAT where outside IP and inside IP are neither on a router's interface" is yes. As long as the VIP you are using traverses the device doing the NAT, you just add your NAT statement. An example using NVI :-
Router "outside Address" 10.0.0.1
Router "inside Address" 172.16.0.1
So, 192.168.1.1 does not exist on any router, and I translate that address to 184.108.40.206, which also does not exist on any router.
Config of the router doing NAT:

! outside-facing interface (interface name not shown in the original post)
 ip address 10.0.0.1 255.255.255.252
 ip nat enable
! inside-facing interface (interface name not shown in the original post)
 ip address 172.16.0.1 255.255.255.252
 ip nat enable
! host route for the real (local) server address, via the inside next hop
ip route 220.127.116.11 255.255.255.255 172.16.0.2
! host routes for the VIP (global address), as posted; note that 172.26.0.2
! is not within either /30 configured above
ip route 192.168.1.1 255.255.255.255 172.26.0.2
ip route 192.168.1.1 255.255.255.255 172.16.0.2
! NVI static translation: local server address <-> VIP 192.168.1.1
ip nat source static 18.104.22.168 192.168.1.1
ping from an outside device :-
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/117/196 ms
Output of NVI translation :-
R1#sh ip nat nvi translations
Pro   Source global      Source local       Destin local       Destin global
---   192.168.1.1        22.214.171.124     ---                ---
icmp  10.0.0.2:31        10.0.0.2:31        192.168.1.1:31     126.96.36.199:31
I think that is what you are after, if not sorry :-s
Thank you very much for your in-depth explanation. The NVI solution is a lot easier than traditional NAT. Can you tell me when I should use NVI instead of legacy NAT when IOS supports both?
You are very welcome, that is what this forum is all about, right?
So, in my opinion, both methods have their place, but unless you do not know for sure which way the traffic will flow through the router (it can happen) and need to force the inside/outside translation, then use NVI. People seem to struggle with inside/outside and with whether it will be source NAT or destination NAT based on the flow of traffic through the domains; I have attached a very useful NAT link below that describes the order of operation. I have used NVI very successfully within VRFs and the global routing table on a single device, where inside/outside failed me due to the fact that the inside and outside interfaces were not in the same VRF; NVI does not care. Because NVI has no knowledge of inside or outside, a statement such as ip nat source static x.x.x.x x.x.x.x could match if the source came from interface 1 or interface 2; this is not the case with inside/outside domains.
So, in a nutshell, if your IOS supports it and you do not need to force a unidirectional translation, then use NVI.
Useful NAT links
NAT Order of operation link
How NAT works
Don't forget to rate links and mark as complete if you're happy ;-)
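To put the two answers side by side, here is an added example (editor's illustration, not configuration from either poster) of the same VIP translation written once in the legacy inside/outside form and once in the NVI form, followed by the change that moves the VIP from one server to a second server on a different subnet, which is the switch the original question asks for. The interface names, the real server addresses 172.20.1.10 and 172.30.1.10, and the second inside /30 (172.16.0.5 with next hop 172.16.0.6) are assumptions; the outside/inside /30s, the next hop 172.16.0.2 and the VIP 192.168.1.1 are reused from the accepted answer.

```cisco
! Added example, not the poster's configuration. Assumed addressing:
!   GigabitEthernet0/0  outside, 10.0.0.1/30   (vendor side)
!   GigabitEthernet0/1  inside,  172.16.0.1/30 (next hop 172.16.0.2 toward server A)
!   GigabitEthernet0/2  inside,  172.16.0.5/30 (next hop 172.16.0.6 toward server B)
!   Server A 172.20.1.10, server B 172.30.1.10 (different subnets, neither on this router)
!   VIP 192.168.1.1 (handed to the vendor, not on any router interface)
! Configure ONE of the two variants below, not both.
!
! --- Variant 1: legacy domain-based NAT (inside/outside) ---
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 172.16.0.1 255.255.255.252
 ip nat inside
interface GigabitEthernet0/2
 ip address 172.16.0.5 255.255.255.252
 ip nat inside
! The entry only matches traffic crossing from an "inside" to an "outside"
! interface (and the reverse), so the flow direction must fit the labels.
ip nat inside source static 172.20.1.10 192.168.1.1
!
! --- Variant 2: NVI (domain-less), the form used in the accepted answer ---
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip nat enable
interface GigabitEthernet0/1
 ip address 172.16.0.1 255.255.255.252
 ip nat enable
interface GigabitEthernet0/2
 ip address 172.16.0.5 255.255.255.252
 ip nat enable
! No inside/outside: the entry matches whichever NAT-enabled interface the
! source arrives on.
ip nat source static 172.20.1.10 192.168.1.1
!
! --- Routes, common to both variants ---
! The real servers must be reachable, and the VIP needs a host route so that
! vendor traffic for 192.168.1.1 is carried through the router doing the NAT
! (the accepted answer carries the same pair of host routes). The VIP route is
! what the NVI form relies on; it is harmless in the legacy form.
ip route 172.20.1.10 255.255.255.255 172.16.0.2
ip route 172.30.1.10 255.255.255.255 172.16.0.6
ip route 192.168.1.1 255.255.255.255 172.16.0.2
!
! --- Switching the VIP from server A to server B (NVI variant) ---
! The vendor keeps using 192.168.1.1; only the local side of the static entry
! and the VIP host route change.
no ip nat source static 172.20.1.10 192.168.1.1
ip nat source static 172.30.1.10 192.168.1.1
no ip route 192.168.1.1 255.255.255.255 172.16.0.2
ip route 192.168.1.1 255.255.255.255 172.16.0.6
!
! Verify: show ip nat nvi translations   (NVI table, as shown in the answer)
!         show ip nat translations       (legacy table)
```

After the switch, a ping from the vendor side to 192.168.1.1 should produce a translation entry whose local side is now 172.30.1.10, and the vendor sees no change in the address it was given.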
I have an additional question here. What if the translated IP and the IP being translated (the VIP) were in the same subnet? Using the example you gave above, can I make the VIP 188.8.131.52 be NAT'ed to 184.108.40.206? I know it is a very rare case, but a lot of times the user wants a VIP from the same network as the real server. Of course the traffic is coming from outside, through the NAT router.