Re: Hairpin NAT on a Cisco IOS Router?

From: garry baker <baker.garry_at_gmail.com>
Date: Sun, 28 Feb 2010 19:21:59 +0300

Do not know if this is the answer to your problem, but doesn't the 'new NVI'
NAT interface change up the order of operation when doing NAT, no more
'inside' or 'outside' interface:

http://www.cisco.com/en/US/customer/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1084189

http://blog.internetworkexpert.com/2008/02/15/the-inside-and-outside-of-nat/

I remember also this was a discussion not too long ago on groupstudy also
along this same line:
http://www.groupstudy.com/form/read.php?f=7&i=137240&t=137232

On Sun, Feb 28, 2010 at 6:31 PM, Gregory Gombas <ggombas_at_gmail.com> wrote:

> Here's a brain teaser for you current and aspiring CCIEs.
>
> I have a client which currently has a linksys router which they would
> like to replace with a Cisco SR520W.
>
> They have a simple network with clients and servers on the same inside
> network that gets NAT'd to a single public IP address on the outside
> connection to the internet.
>
> They have a database server on the inside network that is accessible
> from both the internet and inside users.
> The client software has the public IP of the database hard-coded into
> the application.
>
> Clients on the internet can access the database, but clients
> internally cannot. I am positive it is because the NAT fails when a
> client on the inside tries to connect to the public IP of the server.
>
> I found this Cisco document that explains the situation perfectly. In
> fact, it seems the PIX/ASA supports hairpinning using the alias
> command:
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
>
> Question:
> Is there a command on an IOS router that is similar to the PIX alias
> command that would translate the destination address of the database
> from the public IP to the internal IP?
> If not, can this be done with some sort of NAT on a stick or policy
> based routing?
>
> Please note: DNS doctoring, split DNS, or any manipulation of the DNS
> entry would have no effect here because the public IP of the database
> server is hard-coded into the client application.
>
> Thanks very much,
> Gregory Gombas
> CCIE# 19649
>
>
> Blogs and organic groups at http://www.ccie.net

Received on Sun Feb 28 2010 - 19:21:59 ART

This archive was generated by hypermail 2.2.0 : Mon Mar 01 2010 - 06:28:36 ART