NAT source based on destination... per request?

Discussion in 'Cisco' started by 1388-2/HB, Feb 22, 2007.

  1. 1388-2/HB

    1388-2/HB Guest

    As traffic comes in over my T1 into a Cisco 1700 series, I'm NATing the
    outside source based on the inside destination. In other words, if joe
    internet is trying to get to my server at x.y.z.5, the Cisco will NAT joe
    internet's IP so the rest of my inside network thinks he came from 5.a.b.c.

    And it's working, but... in an understandable attempt at efficiency, the
    existence of a NAT entry for the source IP apparently trumps any access-list
    processing in the Cisco. Even though it was a *destination-based* decision to
    create the entry in the first place, now joe internet is no longer going to
    that destination but the entry is still being used anyway.

    Unfortunately, x.y.z.5 exists on the same server as x.y.z.6, and this server
    has been told that if a request comes from 5.a.b.c, it is to send the
    response out through host x.y.z.5. Otherwise, replies via x.y.z.6.

    The "problem" presents itself when joe internet requests x.y.z.5 *before* he
    requests x.y.z.6. On the first request for .5 he gets NATed and receives a
    response from .5 and all is well. Then if he subsequently requests .6, he
    gets nothing, because the NAT entry still exists, he gets NATed, and the
    responding server says "oh, this guy came from 5.a.b.c" and dutifully replies
    to his .6 request via the .5 host.

    I know I can fix this by simply running the .5 and .6 hosts on separate
    machines - but that would be giving up! Plus I would have to
    buy/build/license a separate machine for something that gets like 100 hits a
    month.

    Is there any way to tell the Cisco that a request for .5 gets source NATed
    but absolutely, positively, NO other requests get NATed? Is there a way to
    tell the Cisco to check the access-list with *every* request even if it's
    not the most efficient thing to do? I'm not dealing with a lot of traffic
    here.
     
    1388-2/HB, Feb 22, 2007
    #1
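A small model of the lookup order the post describes, added here as an illustration (constructed Python, not IOS configuration and not the poster's setup; the addresses are documentation-range placeholders standing in for x.y.z.5, x.y.z.6 and 5.a.b.c). It shows why a translation entry keyed on the outside source alone is reused for the .6 request, and how keying the entry on the (source, destination) pair, as an extended translation entry does, keeps the .6 request untranslated.

```python
"""Model of outside-source NAT where the translation table is consulted
before the access-list (constructed example, not IOS code)."""
from dataclasses import dataclass, field

# Hypothetical placeholders for the post's x.y.z.5, x.y.z.6 and 5.a.b.c.
SERVER_5, SERVER_6, MAPPED_SRC = "192.0.2.5", "192.0.2.6", "198.51.100.7"
JOE = "203.0.113.10"  # constructed outside client address


@dataclass
class OutsideSourceNat:
    nat_destinations: set           # the "access-list": destinations that trigger NAT
    extended_entries: bool = False  # True: key on (src, dst); False: key on src only
    table: dict = field(default_factory=dict)

    def _key(self, src, dst):
        return (src, dst) if self.extended_entries else src

    def translate(self, src, dst):
        """Return the source address the inside network sees for this packet."""
        key = self._key(src, dst)
        if key in self.table:             # step 1: an existing entry wins outright
            return self.table[key]
        if dst in self.nat_destinations:  # step 2: only now is the ACL consulted
            self.table[key] = MAPPED_SRC
            return MAPPED_SRC
        return src                        # no entry and no ACL match: untranslated


def run_sequence(extended, order=(SERVER_5, SERVER_6)):
    """Send Joe's requests in the given order; return the source each arrives with."""
    nat = OutsideSourceNat(nat_destinations={SERVER_5}, extended_entries=extended)
    return [nat.translate(JOE, dst) for dst in order]


if __name__ == "__main__":
    print("source-only entries:", run_sequence(False))  # .6 request is NATed too
    print("extended entries:   ", run_sequence(True))   # .6 request keeps Joe's IP
```

Reversing the order (.6 first, then .5) shows the post's observation that the problem only appears once an entry for Joe already exists.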