Sunday, February 1, 2009

TCP Load Balancing, Destination NAT

The "ip nat inside destination" command can be used to split the load for what looks like one global destination across several inside hosts. This behaves very much like server load balancing, only without the health checks: a host that is down still gets its turn in the rotation.

Below is the topology. I have static default routes from R1, R2, and R3 pointing to R4. R7 has a static route to each serial link.


Here is R4's config:

interface FastEthernet0/0
ip address 192.168.0.4 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial1/0
ip address 192.168.45.4 255.255.255.0
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial1/1
ip address 192.168.46.4 255.255.255.0
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 192.168.45.5
ip route 0.0.0.0 0.0.0.0 192.168.46.6
!
ip nat pool POOL 192.168.0.1 192.168.0.3 prefix-length 24 type rotary
ip nat inside destination list 10 pool POOL
!
access-list 10 permit 192.168.45.10
access-list 10 permit 192.168.46.10

From R7 we will verify:

R7#telnet 192.168.45.10
Trying 192.168.45.10 ... Open

R1>
R1>exit

[Connection to 192.168.45.10 closed by foreign host]
R7#telnet 192.168.45.10
Trying 192.168.45.10 ... Open

R2>exit

[Connection to 192.168.45.10 closed by foreign host]
R7#telnet 192.168.45.10
Trying 192.168.45.10 ... Open

R3>exit

[Connection to 192.168.45.10 closed by foreign host]
R7#telnet 192.168.46.10
Trying 192.168.46.10 ... Open

R1>exit

[Connection to 192.168.46.10 closed by foreign host]
R7#telnet 192.168.46.10
Trying 192.168.46.10 ... Open

R2>exit

[Connection to 192.168.46.10 closed by foreign host]
R7#

R4's NAT table:

R4#sho ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 192.168.45.10:23 192.168.0.1:23 200.0.0.7:51519 200.0.0.7:51519
tcp 192.168.46.10:23 192.168.0.1:23 200.0.0.7:64139 200.0.0.7:64139
tcp 192.168.46.10:23 192.168.0.2:23 200.0.0.7:11691 200.0.0.7:11691
tcp 192.168.45.10:23 192.168.0.2:23 200.0.0.7:62913 200.0.0.7:62913
tcp 192.168.45.10:23 192.168.0.3:23 200.0.0.7:17295 200.0.0.7:17295

I used two links just to show the flexibility of this configuration. I was playing around with route-map NAT failover/LB and then decided to work on this scenario.
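To make the rotary behaviour concrete, here is an added simulation (not IOS code and not part of the original post) of what R4 is doing: it uses the pool, ACL and client address from the config and NAT table above, hands each new inbound flow to the next host in a single round-robin, and restores the virtual address on replies. The source ports are taken from the NAT table above; `RotaryDnat` and `replay_post` are names chosen for the example.

```python
from itertools import cycle

# Constructed model of a "type rotary" destination NAT pool. Pool, ACL and
# addresses mirror R4's config on this page; the class illustrates the
# translation logic and is not how IOS implements it.
POOL = ["192.168.0.1", "192.168.0.2", "192.168.0.3"]   # ip nat pool POOL ... type rotary
ACL_10 = {"192.168.45.10", "192.168.46.10"}            # access-list 10 (virtual addresses)
CLIENT = "200.0.0.7"                                   # R7, as seen in the NAT table

class RotaryDnat:
    def __init__(self, pool, acl):
        self._rotation = cycle(pool)  # one round-robin shared by all virtual addresses
        self.acl = acl
        self.table = {}               # (outside ip, port, inside global, port) -> inside local

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from the outside interface; returns the inside host it is sent to."""
        if dst_ip not in self.acl:
            return dst_ip             # not a virtual address: forwarded untranslated
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:     # new flow: next host, reachable or not (no probes)
            self.table[key] = next(self._rotation)
        return self.table[key]

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reply from an inside host; returns the virtual address to put back as source."""
        for (o_ip, o_port, ig_ip, ig_port), il_ip in self.table.items():
            if (o_ip, o_port, il_ip, ig_port) == (dst_ip, dst_port, src_ip, src_port):
                return ig_ip
        return src_ip                 # no state for this flow: source left alone

    def translations(self):
        """Rows in the column order of 'show ip nat translations'."""
        return [(f"{ig}:{igp}", f"{il}:{igp}", f"{o}:{op}")
                for (o, op, ig, igp), il in self.table.items()]

def replay_post():
    """Replays the five telnet sessions from R7 shown above, in the order they were run."""
    nat = RotaryDnat(POOL, ACL_10)
    sessions = [("192.168.45.10", 51519), ("192.168.45.10", 62913),
                ("192.168.45.10", 17295), ("192.168.46.10", 64139),
                ("192.168.46.10", 11691)]
    hosts = [nat.inbound(CLIENT, port, vip, 23) for vip, port in sessions]
    # each reply must leave R4 sourced from the virtual address the client used
    replies = [nat.outbound(host, 23, CLIENT, port) for host, (_, port) in zip(hosts, sessions)]
    return hosts, replies, nat.translations()
```

Calling `replay_post()` reproduces the R1, R2, R3, R1, R2 order seen from R7; a destination outside ACL 10 passes through untouched.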

8 comments:

  1. Thanks! This example really helped me perform a similar config using destination NAT.
  2. Great tip!!!

    Fabricio Fagundes
    Campo Bom - Brasil
  3. I was not able to get this working with adding the secondary IP on the outside interface that corresponds to the match acl.

    I will try on a different platform but are you sure it publishes arp automatically only based on the acl?
  4. Regarding the ARP question, based on my lab, using FastEthernet the virtual IP addresses defined in the ACL do not work. An IP alias is required to do the ARP resolution.

    In this post the solution works because the NATing router is connected to serial interfaces and these don't use ARP.
  5. Thanks a lot. Are there any more scenarios there?
  6. ip virtual-reassembly

    Why is this used?
  7. Thank You so much !!!!

    AJ
  8. Hi !

    Is it possible to make something similar on ASA? I have searched through documentation, google and I have found it impossible.

    best regards,
    Paweł K.