[cisco-bba] SLB / NAT Question

Andy Saykao andy.saykao at staff.netspace.net.au
Thu Apr 17 01:03:29 EDT 2008

Hi There...
We have an SSG gateway where we put customers who have not paid their
Customer -> LNS-SSG -> CORE (with SLB config on it) -> DNS Server Farm
(dns_server1 & dns_server2)
Customers connect via PPP and are tunneled across to our LNS-SSG router
and get assigned a 172.16.x.x address. From there, if they try to browse
to anywhere, they land on a page which tells them that their payment is
overdue. To add to this, we have dns servers load balanced using an SLB
as seen in the diagram above. Obviously, when a late paying customer
tries to go to a web site, a DNS lookup is performed by querying one of
the REAL dns servers behind the SLB. The customers never know about the
REAL dns servers behind the SLB and simply set their dns server to the
IP address of the SLB.
My question is - do we need to enable NAT on the SLB for customers with
172.16.x.x addresses to be able to reach the REAL dns servers behind the
SLB (bearing in mind that these private IPs are distributed through our
network using OSPF and are reachable)? What I'm finding is that
customers who are assigned a 172.16.x.x IP address cannot do a DNS
lookup when they have their dns server set as the IP address of the SLB.
But if I change their dns server to be one of the REAL dns servers, dns
queries are resolved and they get the correct page displayed telling
them their account is locked. 
So I'm a bit lost if we need to apply NAT to the SLB config and why this
would be necessary because all this routing is done within our own
