NAT source based on destination... per request?

Discussion in 'Cisco' started by 1388-2/HB, Feb 22, 2007.

1388-2/HB (Guest)

    As traffic comes in over my T1 into a cisco 1700 series, I'm NATing the
    outside source based on the inside destination. In other words if joe
    internet is trying to get to my server at x.y.z.5, the cisco will NAT joe
    internet's IP so the rest of my inside network thinks he came from 5.a.b.c.

    And it's working, but... in an understandable attempt at efficiency, the
    existence of a NAT entry for the source IP apparently trumps any access-list
    processing in the cisco. Even though it was a *destination based* decision to
    create the entry in the first place, now joe internet is no longer going to
    that destination but the entry is still being used anyway.

    Unfortunately, x.y.z.5 exists on the same server as x.y.z.6, and this server
    has been told that if a request comes from 5.a.b.c, it is to send the
    response out through host x.y.z.5. Otherwise, replies via x.y.z.6.

    The "problem" presents itself when joe internet requests x.y.z.5 *before* he
    requests x.y.z.6. On the first request for .5 he gets NATed and receives a
    response from .5 and all is well. Then if he subsequently requests .6, he
    gets nothing, because the NAT entry still exists, he gets NATed, and the
    responding server says "oh, this guy came from 5.a.b.c" and dutifully replies
    to his .6 request via the .5 host.

    I know I can fix this by simply running the .5 and .6 hosts on separate
    machines - but that would be giving up! Plus I would have to
    buy/build/license a separate machine for something that gets like 100 hits a
    month.

    Is there any way to tell the cisco that a request for .5 gets source NATed
    but absolutely, positively, NO other requests get NATed? Is there a way to
    tell the cisco to check the access-list with *every* request even if it's
    not the most efficient thing to do? I'm not dealing with a lot of traffic
    here.
     
    1388-2/HB, Feb 22, 2007
    #1
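The failure sequence the post describes, as an added example that is not part of the original thread and not a reproduction of IOS internals: a small Python model of a dynamic NAT table whose access-list matches on destination only. With entries keyed on the outside source address alone (the reuse the poster observed), the first request to .5 creates an entry that is then applied to the later request for .6 without the access-list being consulted; with entries keyed on the (source, destination) pair, the destination decision is effectively re-made per destination. All addresses are constructed stand-ins for the poster's x.y.z.5, x.y.z.6, 5.a.b.c and the client; the server's "reply via .5 if the request came from 5.a.b.c" rule is taken from the post.

```python
"""Model of the NAT-entry reuse described in the post (added example).

Constructed addresses, not the poster's real ones:
  SERVER_5 / SERVER_6 stand in for x.y.z.5 / x.y.z.6,
  JOE stands in for an arbitrary Internet client,
  NAT_SRC stands in for the translated source 5.a.b.c.
"""
from typing import Dict, List, Tuple

SERVER_5 = "192.0.2.5"
SERVER_6 = "192.0.2.6"
JOE = "198.51.100.7"
NAT_SRC = "203.0.113.5"


class OutsideSourceNat:
    """Toy stand-in for a router's dynamic outside-source NAT table.

    The access-list permits only traffic whose destination is SERVER_5.
    extended=False keys entries on the outside source address alone, so an
    existing entry is used before the access-list is looked at (the behaviour
    the post describes). extended=True keys entries on (source, destination),
    so a new destination always goes back through the access-list.
    """

    def __init__(self, extended: bool) -> None:
        self.extended = extended
        self.table: Dict[Tuple[str, ...], str] = {}

    def _acl_permits(self, dst: str) -> bool:
        # Destination-based decision: only requests for SERVER_5 get translated.
        return dst == SERVER_5

    def translate(self, src: str, dst: str) -> str:
        """Return the source address the inside network will see."""
        key = (src, dst) if self.extended else (src,)
        if key in self.table:
            return self.table[key]       # existing entry wins; ACL not consulted
        if self._acl_permits(dst):
            self.table[key] = NAT_SRC    # entry created by a destination decision
            return NAT_SRC
        return src                       # no translation


def reply_interface(seen_src: str) -> str:
    """The server's policy from the post: requests seen as coming from NAT_SRC
    are answered via the .5 host, everything else via the .6 host."""
    return SERVER_5 if seen_src == NAT_SRC else SERVER_6


def run_sequence(extended: bool, requests: List[str]) -> List[Tuple[str, str, str]]:
    """Run the client's requests in order; return (requested host,
    source the server saw, host the reply went out through)."""
    nat = OutsideSourceNat(extended)
    results = []
    for dst in requests:
        seen = nat.translate(JOE, dst)
        results.append((dst, seen, reply_interface(seen)))
    return results


def replies_match_requests(results: List[Tuple[str, str, str]]) -> bool:
    """True when every reply left through the host that was requested."""
    return all(dst == via for dst, _, via in results)


if __name__ == "__main__":
    for extended in (False, True):
        res = run_sequence(extended, [SERVER_5, SERVER_6])
        print("extended" if extended else "simple", res, replies_match_requests(res))
```

On the router itself the corresponding check is `show ip nat translations`: an entry that lists only addresses (no protocol or ports) is the address-keyed kind modelled by extended=False above, and it will be applied to the client's later traffic regardless of destination until it ages out or is cleared.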
