NAT with extendable keyword



Hi All !

The other day at work I ran into an interesting issue with NAT. The company has two connections to the internet, one via ISP 1 and the other via ISP 2, for redundancy. I am going to use more eye-friendly IPs in this write-up than the ones I was actually given by the two ISPs, but the principle stays the same. The global address I had from ISP 1 was 200.2.2.2 and the one from ISP 2 was 200.3.3.3. I needed to statically translate our internal web server's address, 10.1.1.1, to both of them, so that traffic arriving from ISP 1 is translated to the address supplied by ISP 1 and traffic arriving from ISP 2 to the address supplied by ISP 2.

Before most real-world implementations I try to simulate the environment in GNS3 first, and this time was no different. The fix turned out to be very simple: add the extendable keyword at the end of each static NAT command, because otherwise IOS will not allow two static entries for the same inside local address. With extendable, IOS creates an extended (per-connection) translation entry recording protocol, addresses and ports when the first inbound packet arrives, so the reply from 10.1.1.1 is translated back to whichever global address that connection came in on. Two things to check before doing this in production: a one-to-one static NAT exposes every port of 10.1.1.1 on both public addresses, so apply an inbound ACL on both outside interfaces that permits only the web ports; and a reply to a connection that arrived via ISP 1 is sourced from 200.2.2.2, so routing has to send it back out the ISP 1 link, otherwise ISP 2 may drop it as a spoofed source.

See the config below:

R1

interface Loopback0
ip address 10.1.1.1 255.255.255.0
ip nat inside

interface Serial1/0.12 point-to-point
ip address 131.1.12.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
frame-relay interface-dlci 102

interface Serial1/0.13 point-to-point
ip address 131.1.13.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
frame-relay interface-dlci 103

ip nat inside source static 10.1.1.1 200.2.2.2 extendable
ip nat inside source static 10.1.1.1 200.3.3.3 extendable

R2

Rack6R2(config)#do teln 200.2.2.2
Trying 200.2.2.2 ... Open

User Access Verification

Password:

R3

Rack6R3(config)#do teln 200.3.3.3
Trying 200.3.3.3 ... Open

User Access Verification

Password:

R1

Rack6R1(config)#do debu ip nat

Rack6R1(config)#
*Jan 12 14:34:13.649: NAT*: s=131.1.12.2, d=200.2.2.2->10.1.1.1 [44717]
*Jan 12 14:34:13.649: NAT: s=10.1.1.1->200.2.2.2, d=131.1.12.2 [7639]

Rack6R1(config)#
*Jan 12 14:35:01.825: NAT*: s=131.1.13.3, d=200.3.3.3->10.1.1.1 [8307]
*Jan 12 14:35:01.825: NAT: s=10.1.1.1->200.3.3.3, d=131.1.13.3 [31193]
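To make the mechanics concrete, here is a small Python model of the translation table, written for this write-up rather than taken from the post or from Cisco. It reproduces what the debug output above shows: the inbound packet selects the static entry by its destination address, an extended entry records which global address the flow arrived on, and the reply from 10.1.1.1 is translated to that same address. The client source ports and the wording of the IOS rejection message are assumptions; the addresses are the ones from the lab.

```python
"""
Model of how an IOS NAT table resolves two static translations for the same
inside local address once both carry the 'extendable' keyword.

Added example, not code from the post or from Cisco. Source ports (49152,
49153) and the text of the rejection message are assumptions; the addresses
are those of the lab above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    def __init__(self):
        self.static = []    # (inside_local, inside_global, extendable)
        self.extended = {}  # (proto, outside, oport, local, lport) -> inside_global
        self.log = []       # debug-ip-nat-style lines (IOS prints them without ports)

    def add_static(self, inside_local, inside_global, extendable=False):
        """'ip nat inside source static <local> <global> [extendable]'."""
        for local, glob, ext in self.static:
            # Without 'extendable' IOS refuses a second global for the same local
            # address: an outbound packet from that host would have two candidates.
            if local == inside_local and not (ext and extendable):
                raise ValueError(f"% {inside_local} already mapped ({local} -> {glob})")
        self.static.append((inside_local, inside_global, extendable))

    def inbound(self, pkt):
        """Outside -> inside: translate the destination (inside global) address."""
        for local, glob, _ in self.static:
            if pkt.dst == glob:
                # The extended entry remembers which global this flow arrived on.
                self.extended[(pkt.proto, pkt.src, pkt.sport, local, pkt.dport)] = glob
                self.log.append(f"NAT*: s={pkt.src}, d={pkt.dst}->{local}")
                return Packet(pkt.proto, pkt.src, pkt.sport, local, pkt.dport)
        return pkt  # no matching translation: forwarded untouched

    def outbound(self, pkt):
        """Inside -> outside: a reply must use the global its flow came in on."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        glob = self.extended.get(key)
        if glob is None:
            # Host-initiated traffic: fall back to the first static entry.
            glob = next((g for loc, g, _ in self.static if loc == pkt.src), pkt.src)
        self.log.append(f"NAT: s={pkt.src}->{glob}, d={pkt.dst}")
        return Packet(pkt.proto, glob, pkt.sport, pkt.dst, pkt.dport)


def telnet_through(nat, client, global_ip, sport):
    """Client SYN to the public address, server SYN/ACK back; return (server, reply source)."""
    syn = nat.inbound(Packet("tcp", client, sport, global_ip, 23))
    synack = nat.outbound(Packet("tcp", syn.dst, 23, syn.src, syn.sport))
    return syn.dst, synack.src


def lab():
    """R1's two extendable statics, then R2 and R3 telnetting to 'their' ISP's address."""
    nat = NatTable()
    nat.add_static("10.1.1.1", "200.2.2.2", extendable=True)
    nat.add_static("10.1.1.1", "200.3.3.3", extendable=True)
    r2 = telnet_through(nat, "131.1.12.2", "200.2.2.2", 49152)  # arrives via ISP 1
    r3 = telnet_through(nat, "131.1.13.3", "200.3.3.3", 49153)  # arrives via ISP 2
    return {"r2": r2, "r3": r3, "log": nat.log}


def without_extendable():
    """What the model does with the second static line if 'extendable' is left off."""
    nat = NatTable()
    nat.add_static("10.1.1.1", "200.2.2.2")
    try:
        nat.add_static("10.1.1.1", "200.3.3.3")
    except ValueError as err:
        return str(err)
    return "accepted"


if __name__ == "__main__":
    result = lab()
    print("\n".join(result["log"]))
    print(without_extendable())
```

Running it prints the same four translation lines as the debug output above (minus the identification numbers), and the second configuration attempt without extendable is rejected, as IOS rejects it.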

————————————————————————————————————–

This morning I received an interesting question about the set-up above: how would you load-balance, or provide a resilient ingress connection to the web server, if you have two different public addresses?

Well, considering that the design is not ideal, I guess the only NAT-based option would be the following.

On R1, an ACL to match the inside global IPs:

ip access-list standard NATWEBSERVERS
 permit 200.2.2.2
 permit 200.3.3.3

Then a rotary pool and a destination translation for traffic to those addresses:

ip nat pool WEBPOOL 10.1.1.1 10.1.1.1 prefix-length 24 type rotary
ip nat inside destination list NATWEBSERVERS pool WEBPOOL

The type rotary keyword at the end of the pool statement makes the router hand out the pool addresses round-robin, one per new inbound TCP connection to any destination permitted by NATWEBSERVERS. Note that the pool as written holds only 10.1.1.1, so every connection still lands on the one web server; to actually spread the load the pool has to span the real servers, for example 10.1.1.1 10.1.1.2. Rotary destination NAT applies to TCP only, and it does not change which public address a client picks, so by itself it does not make the two ISP links resilient for ingress; that is a DNS or routing question rather than a NAT one.
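As an added example (not configuration or code from the post, nor Cisco's), the following Python model of a rotary pool shows what the statements above do with a batch of connections: with the single-address pool as written, all of them reach 10.1.1.1; with a pool spanning two servers, they alternate. The second server 10.1.1.2, the client ports and the use of HTTP are constructed inputs.

```python
"""
Model of 'ip nat inside destination list <acl> pool <pool> type rotary', the
TCP load-distribution form of NAT used above. Added example, not the post's
own configuration or Cisco code; 10.1.1.2, client ports and HTTP are made up.
"""
import ipaddress
from collections import Counter


def expand(start, end):
    """Enumerate the IPv4 range start..end, as the 'ip nat pool' statement does."""
    first, last = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]


class RotaryPool:
    def __init__(self, acl_destinations, pool_start, pool_end):
        self.acl = set(acl_destinations)  # the 'permit' lines: inside global addresses
        self.pool = expand(pool_start, pool_end)
        self.next_index = 0
        self.sessions = {}  # (proto, src, sport, dst, dport) -> inside local chosen

    def inbound(self, proto, src, sport, dst, dport):
        """Return the inside local address this packet is delivered to."""
        # Rotary destination NAT acts on TCP only; other protocols and
        # destinations not in the ACL pass through it untranslated.
        if proto != "tcp" or dst not in self.acl:
            return dst
        key = (proto, src, sport, dst, dport)
        if key not in self.sessions:
            # New connection: take the next pool address, round-robin.
            self.sessions[key] = self.pool[self.next_index % len(self.pool)]
            self.next_index += 1
        return self.sessions[key]  # later packets of the same flow stick to it


def distribute(pool_start, pool_end, connections):
    """Run the connections through a pool and count hits per real server."""
    nat = RotaryPool(["200.2.2.2", "200.3.3.3"], pool_start, pool_end)
    return dict(Counter(nat.inbound(*conn) for conn in connections))


# Constructed sample: three HTTP connections arriving via ISP 1, three via ISP 2.
CONNECTIONS = [("tcp", "131.1.12.2", 40000 + i, "200.2.2.2", 80) for i in range(3)] + \
              [("tcp", "131.1.13.3", 41000 + i, "200.3.3.3", 80) for i in range(3)]


def as_posted():
    """The pool from the post: 10.1.1.1 to 10.1.1.1, a single address."""
    return distribute("10.1.1.1", "10.1.1.1", CONNECTIONS)


def two_servers():
    """The same ACL with a pool spanning a hypothetical second server."""
    return distribute("10.1.1.1", "10.1.1.2", CONNECTIONS)


def udp_passes_through():
    """A UDP datagram to a permitted address is not touched by the rotary pool."""
    return distribute("10.1.1.1", "10.1.1.2",
                      [("udp", "131.1.12.2", 5000, "200.2.2.2", 53)])


if __name__ == "__main__":
    print("as posted     :", as_posted())
    print("two servers   :", two_servers())
    print("udp untouched :", udp_passes_through())
```

The UDP case is the one to remember when combining this with the static entries from the first part of the post: anything the rotary pool does not translate is still subject to the extendable statics, which translate every protocol and port.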


Enjoy !

Tom


About ccie4all
Hello, and welcome to the first post of my CCIE blog. This blog has one simple goal: to improve our skills in the Cisco networking field so that we can become the best engineers on the job market. WordPress blog https://ccie4all.wordpress.com/: information about the changes made to the GNS3 BGP, MPLS and R&S CCIE labs. In order to access and download all the provided materials, and to receive important updates on the GNS3 BGP, MPLS and R&S CCIE labs under the GNS3 tab in the main header, please go ahead and subscribe to https://ccie4all.wordpress.com/! All other posts have not been affected and can be accessed at any time. Enjoy! Tom

3 Responses to NAT with extendable keyword

  1. Steven says:

    Thanks a lot. 🙂

    • ccie4all says:

      You’re more than welcome !

  2. Dipika says:

    Hi,

    I did not understand the point "how would you load-balance or provide resilient ingress connection to the web server if you have 2 different publics?". We already have redundancy in place, as we have 2 ISPs and 2 public IPs for the web server, and we cannot actually load balance ingress connections; it totally depends on what destination IP is taken in the session initiated for the web server from the client accessing the web server. You already have 2 static NATs in place with the extendable keyword; then why have you configured "ip nat inside destination list NATWEBSERVERS pool WEBPOOL"? Please explain.
