Question about NAT [newbie] - changing dest. address only

Discussion in 'Cisco' started by pawel, Jan 7, 2005.

  1. pawel

    pawel Guest

    My clients have access to the network via AS5300. At the moment we need
    to change the server (where connections are made), so we decided to implement that
    on the fly (too many users) and switch them to the new server using NAT
    (dunno if it is possible). Clients are using an application which connects them
    to a few servers on different ports. So we need to translate their old
    destination server address (with destination port) to the new server and new
    port. But

    - when connection is made to old IP address destination address should be
    changed to the new one (destination port should be changed too)
    - when connection is made to new IP address no changes should be made.
    - client address cannot be changed.

    Is that possible to do on one device ? Hope my explanation is clear.

    regards

    Paul
    pawel, Jan 7, 2005
    #1

  2. rave

    rave Guest

    I am not clear with the situation here. Also I would like to know which
    device you are using.
    Please make the situation more clear with the help of IPs and, if
    possible, a diagram.
    rave, Jan 7, 2005
    #2

  3. Walter Roberson

    In article <crltco$mkl$>,
    pawel <> wrote:
    :My clients have an access to the network via AS5300. At the moment we need
    :to change server (where connections are made) so decided to implement that
    :on the fly (too many users) and switch them to the new server using NAT
    :(dunno if it is possible).

    Did the client hosts need to traverse the AS5300 in order to access
    the host using the old IP ? And do they still need to traverse the AS5300
    to access the new IP ? If so, then static port translation can be used
    [provided the AS5300 supports it.]

    :Clients are using application which connects them
    :to few servers on different ports. So we need to translate their old
    :destination server address (with destination port) to new server and new
    :port.

    OK.

    :But
    :- when connection is made to old IP address destination address should be
    :changed to the new one (destination port should be changed too)

    Not a problem if the device has to be traversed.

    :- client address cannot be changed.

    OK.

    :- when connection is made to new IP address no changes should be made.

    That part is tricky. Static PAT runs both ways, so outgoing traffic
    from the host would normally have the source port and address
    translated [needs to do so in order that the replies come from
    the right place.] If you did a direct connection to the new IP/port,
    the return traffic would normally get translated back.

    You say that the client address cannot be changed, but I'm not sure
    what you mean by that. My first reading of that was that you were
    referring to the infeasibility of going around to all the clients
    and reconfiguring them in a short time. Now I'm not sure if that's
    what you meant.

    Would it be permissible that the client address that reached the
    server was a translated -source- address for one of the two cases?
    If it is, then there are approaches that you can take involving
    policy based routing to a loopback interface that translates the source
    IP from the client and does not translate the destination IP and
    port for the destination, with the clients that specified the old
    IP and port having the destination IP and port translated but the
    source IP being left alone. Then when the server replied, the
    AS5300 would do policy based routing based upon the destination
    address, sending the munged destination IPs through to the loopback
    interface to have their destination IP translated back, but
    the non-munged destinations would have the source port and IP translated
    while the destination IP was left alone.

    The main problem with this approach is that any IP logging or reverse
    DNS gets mussed, and if you do dynamic port mapping (e.g., all the
    source IPs get Port Address Translated to a single IP) then the server
    would not be able to start new connections. However, you can get around
    several of these issues by having the source addresses each translated
    to a unique -static- IP address (with no Port Address Translation):
    e.g., you could map 24.25.26.83 to 192.168.26.83 . The traffic
    would then easily be trackable to particular hosts, and you can
    do reverse IP mapping on the 192.168 form of the IP to get the
    same result you would for the 24.25 form, and the server would be
    able to start new connections back to the originating host
    if need be.
    --
    I don't know if there's destiny,
    but there's a decision! -- Wim Wenders (WoD)
    Walter Roberson, Jan 7, 2005
    #3
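A small model of the two schemes Walter describes, added here as an illustration (it is not code from any poster and not Cisco IOS configuration). Server and client addresses are constructed; the 24.25.26.83 to 192.168.26.83 mapping is the one from the post. It shows why plain static PAT breaks a client that dials the new address directly, and how the policy-routed split keeps both cases working.

```python
from dataclasses import dataclass

# Constructed addresses (not from the thread): OLD is the server:port the
# clients are configured for, NEW is its replacement, CLIENT is one user
# behind the AS5300. The 24.25.26.83 -> 192.168.26.83 mapping is Walter's.
OLD = ("10.1.1.5", 5000)
NEW = ("10.1.1.9", 6000)
CLIENT = ("24.25.26.83", 40000)
SRC_MAP = {"24.25.26.83": "192.168.26.83"}   # unique static source, no PAT
REV_SRC_MAP = {v: k for k, v in SRC_MAP.items()}


@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple


def static_pat_out(p):
    """Client -> server: plain static PAT rewrites OLD to NEW, nothing else."""
    return Packet(p.src, NEW) if p.dst == OLD else p


def static_pat_in(p):
    """Server -> client: the same entry applied in reverse to every packet
    sourced from NEW, whether or not that client actually dialled OLD."""
    return Packet(OLD, p.dst) if p.src == NEW else p


def pbr_out(p):
    """Client -> server with the policy-routing split: a flow to OLD gets only
    its destination rewritten; a direct flow to NEW keeps its destination but
    gets a unique static source so the return path can tell the two apart."""
    if p.dst == OLD:
        return Packet(p.src, NEW)
    return Packet((SRC_MAP[p.src[0]], p.src[1]), p.dst)


def pbr_in(p):
    """Server -> client: undo whichever rewrite the forward path applied."""
    if p.dst[0] in REV_SRC_MAP:            # reply to a direct flow
        return Packet(p.src, (REV_SRC_MAP[p.dst[0]], p.dst[1]))
    return Packet(OLD, p.dst)              # reply to an old-address flow


def round_trip(dialled, out_nat, in_nat):
    """Return (source the server sees, peer the client sees replying)."""
    req = out_nat(Packet(CLIENT, dialled))
    reply = in_nat(Packet(req.dst, req.src))  # server answers what it got
    return req.src, reply.src
```

With plain static PAT the reply appears to come from OLD even when the client dialled NEW, which is the case Walter calls tricky; with the split scheme the client always sees the peer it dialled, at the cost of the server logging 192.168.26.83 for direct flows.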
