SNAT and DNAT

jonw757

I was just wondering on most advanced network equipment or basic, stuff that supports 25-50k plus concurrent users, is it possible to configure Source NAT and Destination NAT on the same device. No I don't do networking :) I am just trying to figure out if what I'm thinking, that this should be fine to do, is true or not. Our networking group is telling me that our load balancers only do DNAT. Sorry I do not know which exact models but I am assuming this should be a pretty standard thing.
 
our netscreen firewall kit (from the baby 5gt's right up to the isg2000's) is extremely flexible with its address translation options - can do source translation, destination translation, can do 1:1, 1:many, can do range to range translation, can do it at the interface level, at the individual policy level...pretty much anything you want really!
 
So then it's just the network team here... awesome

more than likely that is the case. Sometimes people just don't want to mess with stuff when it is working or they just don't know what the capabilities of their equipment are let alone how to implement them. :D
 
bump

If anyone ever comes across this, I found an article that has the commands to run SNAT on a CSS.

To change the above configuration to SNAT, the VIP will have to be changed to an IP on the same subnet as the servers and the following will be added to the config on the CSS.

SNAT Config

service LCS_1 <===== What you are load balancing to (i.e. application, protocol, IP, etc)
ip address 172.17.22.75
protocol tcp
keepalive type tcp <====== Protocol used for the health check. What determines if the app, etc is available.
keepalive port 5060 <====== Port used for the health check. If not available, it will stop sending traffic to this server
(default every 5 secs. will wait for 3 failures to fail)
active

service LCS_2
ip address 172.17.22.76
protocol tcp
keepalive type tcp
keepalive port 5060
active

owner LCS
content LCS
vip address 172.17.22.77 <==== Note that the VIP is on a different subnet from the servers. This is a requirement for DNAT.
add service LCS_1 <==== Adding the servers we defined above to the VIP
add service LCS_2
protocol tcp <===== Instead of whole IP it is load balancing just TCP. This is optional. You could use UDP or omit this to balance all protocols.
advanced-balance sticky-srcip
balance leastconn <=== Does least connection load balancing
sticky-inact-timeout 600 <=== Cleanup period for stale connections in seconds
active

group LCS_Servers <======= THIS IS THE SOURCE NAT RULE PART
vip address 172.17.22.77
add destination service LCS_1
add destination service LCS_2
active

NOTES: The "add destination service" (under group LCS_Servers) command will NAT the traffic that is heading towards the Server, being load balanced to your servers. All traffic that is incoming to the server will be NATed to the VIP configured.

If you don't use groups, the servers will see the source IP (clients), but when you use a group the source IP will be the VIP address of the group, so the servers will think that the VIP is the IP that is requesting the information; then when the CSS receives the information from the server, the CSS will send it to the respective client.
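A small Python model of the two modes the notes above describe, added here as an illustration; it is not from the article or the CSS itself, the server and VIP addresses are the ones in the config, and the client addresses and the port counter are constructed. Without the group (DNAT only) the server sees the real client address; with the group (SNAT) every connection appears to come from the VIP, so server-side logs and address-based access controls lose the client identity, and the CSS must keep a translation table to hand replies back to the right client.

```python
from dataclasses import dataclass, field

VIP = "172.17.22.77"
SERVERS = ["172.17.22.75", "172.17.22.76"]  # LCS_1 and LCS_2 from the config above
SERVICE_PORT = 5060                          # the port the services listen on


@dataclass
class Css:
    """Toy model of the CSS forwarding path; not real CSS code."""
    snat: bool                                   # True when the "group" (add destination service) is used
    conns: dict = field(default_factory=dict)    # server -> connections, for "balance leastconn"
    sticky: dict = field(default_factory=dict)   # client ip -> server, for "advanced-balance sticky-srcip"
    table: dict = field(default_factory=dict)    # (server, src ip, src port) -> (client ip, client port)
    next_port: int = 40000                       # constructed SNAT port pool start

    def pick_server(self, client_ip):
        # sticky-srcip: a client that already has a server keeps it
        if client_ip in self.sticky:
            return self.sticky[client_ip]
        # leastconn: fewest active connections wins, ties go to the first defined service
        server = min(SERVERS, key=lambda s: (self.conns.get(s, 0), SERVERS.index(s)))
        self.sticky[client_ip] = server
        return server

    def forward(self, client_ip, client_port):
        """Return the 4-tuple (src ip, src port, dst ip, dst port) as the chosen server sees it."""
        server = self.pick_server(client_ip)
        self.conns[server] = self.conns.get(server, 0) + 1
        if self.snat:
            # group in use: source rewritten to the VIP, client identity hidden from the server
            src = (VIP, self.next_port)
            self.next_port += 1
        else:
            # DNAT only: destination rewritten VIP -> server, source left as the real client
            src = (client_ip, client_port)
        # remember how to get the reply back to the client
        self.table[(server,) + src] = (client_ip, client_port)
        return src + (server, SERVICE_PORT)

    def reply(self, server, dst_ip, dst_port):
        """Map a server's reply (sent to the source it saw) back to the original client."""
        return self.table[(server, dst_ip, dst_port)]
```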
 