Re: Hairpin NAT on a Cisco IOS Router?

From: sp-ie m <sp.ccie.me_at_gmail.com>
Date: Sun, 28 Feb 2010 23:51:11 +0400

Simple solution.
Add the same hardcoded public IP as a secondary IP on the database server.
Add a route to this public IP pointing to the private IP of the database
server on the router.

For outside users, the router will de-NAT the public IP to the private one and pass it
on to the server. The fake public secondary IP will not be visible to
internet users; it's internal only to the local LAN.

For inside users to reach the fake secondary public IP, use the router as the default
gateway. Inside users can reach the database server either
on the secondary fake public IP or the primary private IP.

If the users and DB server share the same subnet, the return traffic from the DB
server will be sent directly to the users, as the DB server will have a
connected route for the user's private IP. If they are on different VLANs, the
DB server will route using the router as its default gateway.

On Sun, Feb 28, 2010 at 8:33 PM, Tolulope Ogunsina <togunsina_at_gmail.com> wrote:

> Hi,
> I read something on this blog sometime ago which might be of help.
>
> http://ccie-in-3-months.blogspot.com/2008/12/nat-hairpinning-using-nat-pools-pbr.html
>
> HTH,
>
> On 2/28/10, Gregory Gombas <ggombas_at_gmail.com> wrote:
> > Here's a brain teaser for you current and aspiring CCIEs.
> >
> > I have a client which currently has a Linksys router which they would
> > like to replace with a Cisco SR520W.
> >
> > They have a simple network with clients and servers on the same inside
> > network that gets NAT'd to a single public IP address on the outside
> > connection to the internet.
> >
> > They have a database server on the inside network that is accessible
> > from both the internet and inside users.
> > The client software has the public IP of the database hard-coded into
> > the application.
> >
> > Clients on the internet can access the database, but clients
> > internally cannot. I am positive it is because the NAT fails when a
> > client on the inside tries to connect to the public IP of the server.
> >
> > I found this Cisco document that explains the situation perfectly. In
> > fact, it seems the PIX/ASA supports hairpinning using the alias
> > command:
> >
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml
> >
> > Question:
> > Is there a command on an IOS router that is similar to the PIX alias
> > command that would translate the destination address of the database
> > from the public IP to the internal IP?
> > If not, can this be done with some sort of NAT on a stick or policy-
> > based routing?
> >
> > Please note: DNS doctoring, split DNS, or any manipulation of the DNS
> > entry would have no effect here because the public IP of the database
> > server is hard-coded into the client application.
> >
> > Thanks very much,
> > Gregory Gombas
> > CCIE# 19649
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Best Regards,
>
> Tolulope.

Received on Sun Feb 28 2010 - 23:51:11 ART
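The setup the top reply describes (secondary IP on the DB server plus a host route on the router), written out as an added example; it is not from the original thread or from Cisco. Addresses are RFC 5737 documentation values, interface names are assumptions, and 203.0.113.10 is assumed to be a dedicated static-NAT address rather than the router's own outside interface address.

```cisco
! Router (IOS) - hypothetical addresses and interface names
interface FastEthernet4
 description Outside / Internet
 ip address 203.0.113.5 255.255.255.248
 ip nat outside
!
interface Vlan1
 description Inside LAN (clients and DB server)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Outside users: static NAT de-translates the public IP to the DB server's private IP
ip nat inside source static 192.168.1.10 203.0.113.10
!
! Everything else on the LAN is PAT'd to the outside interface address
ip nat inside source list 10 interface FastEthernet4 overload
access-list 10 permit 192.168.1.0 0.0.0.255
!
! Inside users: a host route sends packets for the hard-coded public IP back to the
! DB server on the inside interface, so NAT never has to hairpin them
ip route 203.0.113.10 255.255.255.255 192.168.1.10
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! On the database server (Linux example), add the same public IP as a secondary
! address so it accepts the un-translated packets:
!   ip addr add 203.0.113.10/32 dev eth0
! Replies to inside clients go out directly over the connected 192.168.1.0/24 route.
```

Inside clients reaching 203.0.113.10 never cross a `ip nat outside` interface, so the translation table is not consulted; only the host route decides where the packet goes.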