Velocity Reviews - Computer Hardware Reviews

Question about NAT [newbie] - changing dest. address only

 
 
pawel
      01-07-2005
My clients have access to the network via AS5300. At the moment we need
to change the server (where connections are made), so we decided to implement that
on the fly (too many users) and switch them to the new server using NAT
(dunno if it is possible). Clients are using an application which connects them
to a few servers on different ports. So we need to translate their old
destination server address (with destination port) to the new server and new
port. But

- when a connection is made to the old IP address, the destination address should be
changed to the new one (destination port should be changed too)
- when a connection is made to the new IP address, no changes should be made.
- client address cannot be changed.

Is that possible to do on one device? Hope my explanation is clear.

regards

Paul


 
 
 
 
 
rave
      01-07-2005
I am not clear about the situation here. Also, I would like to know which
device you are using.
Please make the situation clearer with the help of IPs and, if
possible, a diagram.

 
 
 
 
 
Walter Roberson
      01-07-2005
In article <crltco$mkl$(E-Mail Removed)>,
pawel <(E-Mail Removed)> wrote:
:My clients have an access to the network via AS5300. At the moment we need
:to change server (where connections are made) so decided to implement that
:on the fly (too many users) and switch them to the new server using NAT
:(dunno if it is possible).

Did the client hosts need to traverse the AS5300 in order to access
the host using the old IP? And do they still need to traverse the AS5300
to access the new IP? If so, then static port translation can be used
[provided the AS5300 supports it.]

:Clients are using application which connects them
:to few servers on different ports. So we need to translate their old
:destination server address (with destination port) to new server and new
:port.

OK.

:But
:- when connection is made to old IP address destination address should be
:changed to the new one (destination port should be changed too)

Not a problem if the device has to be traversed.

:- client address cannot be changed.

OK.

:- when connection is made to new IP address no changes should be made.

That part is tricky. Static PAT runs both ways, so outgoing traffic
from the host would normally have the source port and address
translated [needs to do so in order that the replies come from
the right place.] If you did a direct connection to the new IP/port,
the return traffic would normally get translated back.

You say that the client address cannot be changed, but I'm not sure
what you mean by that. My first reading of that was that you were
referring to the infeasibility of going around to all the clients
and reconfiguring them in a short time. Now I'm not sure if that's
what you meant.

Would it be permissible that the client address that reached the
server was a translated -source- address for one of the two cases?
If it is, then there are approaches that you can take involving
policy based routing to a loopback interface that translates the source
IP from the client and does not translate the destination IP and
port for the destination, with the clients that specified the old
IP and port having the destination IP and port translated but the
source IP being left alone. Then when the server replied, the
AS5300 would do policy based routing based upon the destination
address, sending the munged destination IPs through to the loopback
interface to have their destination IP translated back, but
the non-munged destinations would have the source port and IP translated
while the destination IP was left alone.

The main problem with this approach is that any IP logging or reverse
DNS gets mussed, and if you do dynamic port mapping (e.g., all the
source IPs get Port Address Translated to a single IP) then the server
would not be able to start new connections. However, you can get around
several of these issues by having the source addresses each translated
to a unique -static- IP address (with no Port Address Translation):
e.g., you could map 24.25.26.83 to 192.168.26.83 . The traffic
would then easily be trackable to particular hosts, and you can
do reverse IP mapping on the 192.168 form of the IP to get the
same result you would for the 24.25 form, and the server would be
able to start new connections back to the originating host
if need be.
--
I don't know if there's destiny,
but there's a decision! -- Wim Wenders (WoD)
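
The two-way behaviour of static PAT described in the reply above, as an added example that is not part of the thread: a simplified Python model of one stateless static rule, showing why a connection to the old address works while a direct connection to the new address gets its reply rewritten. The addresses (documentation ranges), ports and function names are assumptions made for illustration; this is a model of the concept, not IOS code.

```python
# Simplified model of a single stateless static PAT rule (not IOS code).
# All addresses and ports below are constructed sample values.
from typing import NamedTuple


class Packet(NamedTuple):
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


OLD = ("192.0.2.10", 5000)        # address:port the clients are configured with
NEW = ("192.0.2.20", 6000)        # replacement server address:port
CLIENT = ("198.51.100.7", 40001)  # client address, never translated


def to_server(pkt: Packet) -> Packet:
    """Client -> server direction: rewrite destination OLD to NEW."""
    return pkt._replace(dst=NEW) if pkt.dst == OLD else pkt


def to_client(pkt: Packet) -> Packet:
    """Server -> client direction: the same static rule rewrites source NEW to OLD.
    No per-connection state is kept, so it cannot tell which flows were rewritten."""
    return pkt._replace(src=OLD) if pkt.src == NEW else pkt


def round_trip(client_dst: tuple) -> dict:
    """Send one request to client_dst and report what each side observes."""
    request = Packet(src=CLIENT, dst=client_dst)
    at_server = to_server(request)
    reply = Packet(src=at_server.dst, dst=at_server.src)
    at_client = to_client(reply)
    return {
        "server_sees_src": at_server.src,
        "server_sees_dst": at_server.dst,
        "client_sees_reply_from": at_client.src,
        # A TCP client only accepts a reply from the endpoint it connected to.
        "reply_matches": at_client.src == client_dst,
    }


if __name__ == "__main__":
    for label, dst in (("old address", OLD), ("new address", NEW)):
        print(label, round_trip(dst))
```
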
 