NAT port mapping between one inside server and two outside dhcp interfaces

Discussion in 'Cisco' started by Kevin, Nov 27, 2003.

  1. Kevin

    Kevin Guest

    Hi,

    Here is my problem: I have a Cisco 1720 router with two external Ethernet (0/1)
    interfaces using DHCP and one internal FastEthernet0.
    My goal is to have the two external Ethernet (0/1) interfaces NAT-map TCP port
    80 to one single server on the inside FastEthernet0 network.

    Inside server IP is 192.168.10.1
    FastEthernet0 interface IP is 192.168.10.254 (ip nat inside)
    Ethernet0 interface IP is dynamic (ip address dhcp) (ip nat outside)
    Ethernet1 interface IP is dynamic (ip address dhcp) (ip nat outside)

    This one works:

    ip nat inside source static tcp 192.168.10.1 80 interface Ethernet0 80

    But I can't add this one:

    ip nat inside source static tcp 192.168.10.1 80 interface Ethernet1 80

    Because I probably should do this instead:

    ip nat inside source static tcp 192.168.10.1 80 <Ethernet0 IP> 80 extendable
    ip nat inside source static tcp 192.168.10.1 80 <Ethernet1 IP> 80 extendable

    But unfortunately Ethernet0/Ethernet1 IPs are both dynamic...

    And the "extendable" parameter is not available with the interface syntax...

    How can I set up such a dual NAT port mapping with dynamic IP addresses?

    Thank You !
     
    Kevin, Nov 27, 2003
    #1

  2. Kevin

    PES Guest

    > ip nat inside source static tcp 192.168.10.1 80 interface Ethernet0 80
    >
    > But I can't add this one:
    >
    > ip nat inside source static tcp 192.168.10.1 80 interface Ethernet1 80


    This cannot work. Think about the return traffic. It is sourced from
    192.168.10.1 port 80. If you could statically assign both to the NAT
    table, which return route would it take? The only thing I think would be
    possible would be to assign two IP addresses on the server. You would then
    likely have to do some sort of policy-based NAT based on the source address
    for any ICMP (like PMTU) or protocols other than what is statically NATted
    to work properly. What it sounds like is you want to make your web server
    available by both addresses. Is your router even working properly for that?
    I mean, if you ping eth0, do the echo-replies come from this interface or
    e1? What about if you send echoes to e1? You will have to address these
    issues as well.

    > ip nat inside source static tcp 192.168.10.1 80 <Ethernet0 IP> 80 extendable
    > ip nat inside source static tcp 192.168.10.1 80 <Ethernet1 IP> 80 extendable

    This would not work either. The router should not accept this command.
     
    PES, Nov 27, 2003
    #2

  3. Kevin

    Kevin Guest

    "PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in message
    news:3fc55241$...
    > > ip nat inside source static tcp 192.168.10.1 80 interface Ethernet0 80
    > >
    > > But I can't add this one:
    > >
    > > ip nat inside source static tcp 192.168.10.1 80 interface Ethernet1 80

    >
    > This cannot work. Think about the return traffic. It is sourced from
    > 192.168.10.1 port 80. If you could statically assign both to the NAT
    > table, which return route would it take?


    In fact it would be no problem, because when NAT received a packet from
    the server it would match the server IP/port and the IP/port of the peer that
    started the connection, and it would know where to send it (Ethernet0 or
    Ethernet1).

    "extendable" is the parameter which is meant for that, from the
    documentation:

    ---
    The software does not allow two static translations with the same local
    address, though, because it is ambiguous from the inside. The router will
    accept these static translations and resolve the ambiguity by creating full
    translations (all addresses and ports) if the static translations are marked
    as "extendable". For a new outside-to-inside flow, the appropriate static
    entry will act as a template for a full translation.
    ---

    > The only thing I think would be
    > possible would be to assign two ip addresses on the server.


    Yes, it's my second plan ...

    If anyone has another idea I would rather take it :)

    Thanks!
     
    Kevin, Nov 27, 2003
    #3
  4. Kevin

    PES Guest

    > > > ip nat inside source static tcp 192.168.10.1 80 interface Ethernet1 80
    > >
    > > This cannot work. Think about the return traffic. It is sourced from
    > > 192.168.10.1 port 80. If you could statically assign both to the NAT
    > > table, which return route would it take?

    >
    > In fact it would be no problem, because when NAT would receive a packet from
    > the server it would match the server IP/Port and IP/Port of the peer that
    > started the connection and it would know where to send it (Ethernet0 or
    > Ethernet1).
    >
    > "extendable" is the parameter which is meant for that, from the
    > documentation:


    True, if it were a fully translated address, the NAT table would have all of
    the required parameters to reverse-NAT the return traffic correctly. I don't
    believe the router will permit this though.
     
    PES, Nov 27, 2003
    #4
  5. On Thu, 27 Nov 2003 06:24:24 +0100, Kevin wrote:

    >> This cannot work. Think about the return traffic. It is sourced from
    >> 192.168.10.1 port 80. If you could statically assign both to the NAT
    >> table, which return route would it take?

    >
    > In fact it would be no problem, because when NAT would receive a packet from
    > the server it would match the server IP/Port and IP/Port of the peer that
    > started the connection and it would know where to send it (Ethernet0 or
    > Ethernet1).
    >


    Not true. The router doesn't route traffic based on what's in the NAT
    translation table. It routes based on all the normal criteria, picks an
    egress interface and then consults the translation table if it needs to.

    You would have the problem of needing to pick from E0 or E1 to forward
    the return traffic from the server, but not having any information in the
    packet to allow you to make the choice.

    --
    Rgds,
    Martin
     
    Martin Gallagher, Nov 28, 2003
    #5
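The disagreement between posts #3 and #5 comes down to the order of operations for inside-to-outside traffic: routing picks the egress interface first, NAT only rewrites addresses afterwards. The following model is an added example, not configuration or code from the thread; it assumes two constructed outside addresses standing in for the DHCP leases (which the page never states) and a single default route via Ethernet0. It shows that even with "extendable" entries spawning full translations, the reply to a flow that arrived on Ethernet1 is translated to Ethernet1's address but still leaves via Ethernet0.

```python
from dataclasses import dataclass, field

# Constructed example addresses. 192.168.10.1 is the inside server from the
# thread; the two outside addresses stand in for the DHCP leases on E0/E1.
# Assumption: one default route, via Ethernet0.
INSIDE_SERVER = ("192.168.10.1", 80)
OUTSIDE_IP = {"Ethernet0": "203.0.113.10", "Ethernet1": "198.51.100.20"}
DEFAULT_ROUTE_IFACE = "Ethernet0"


@dataclass
class NatTable:
    # extendable static entries: (inside_global_ip, port) -> (inside_local_ip, port)
    templates: dict = field(default_factory=dict)
    # full translations spawned per flow: (inside_local, peer) -> inside_global
    full: dict = field(default_factory=dict)

    def add_static_extendable(self, iface: str, port: int) -> None:
        self.templates[(OUTSIDE_IP[iface], port)] = INSIDE_SERVER

    def outside_to_inside(self, peer, dst):
        """New flow from outside: the static entry is the template for a full
        translation (all addresses and ports), as the quoted doc describes."""
        inside = self.templates.get(dst)
        if inside is not None:
            self.full[(inside, peer)] = dst
        return inside

    def inside_to_outside(self, src, peer):
        """Reply from the server: routing chooses the egress interface first;
        NAT then only rewrites the source from the full translation."""
        inside_global = self.full.get((src, peer))
        if inside_global is None:
            return None
        return DEFAULT_ROUTE_IFACE, inside_global


def return_path_consistent(egress: str, src_ip: str) -> bool:
    """True when the reply leaves the interface that owns its source address."""
    return OUTSIDE_IP[egress] == src_ip


def simulate(ingress_iface: str):
    """One client flow arriving on ingress_iface, then the server's reply."""
    nat = NatTable()
    for iface in OUTSIDE_IP:
        nat.add_static_extendable(iface, 80)
    peer = ("192.0.2.7", 40000)  # constructed outside client
    nat.outside_to_inside(peer, (OUTSIDE_IP[ingress_iface], 80))
    egress, (src_ip, _) = nat.inside_to_outside(INSIDE_SERVER, peer)
    return egress, src_ip, return_path_consistent(egress, src_ip)
```

`simulate("Ethernet1")` reports the mismatch: the reply carries Ethernet1's address as its source but is forwarded out Ethernet0, which is the asymmetric-return problem Martin describes.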