[nsp] Destination NAT
Bruce Pinsky
bep at whack.org
Wed Feb 4 20:00:32 EST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Gerald Krause wrote:
| I try to find a solution for some kind of proxy forcing environment with
| NAT
| like this:
|
| initial ip packet generated
| ip packet
| -----------------
| -------------------
|
| inside outside
| 192.168.0.1 -> www.foo.bar(x.x.x.x) ----- [ROUTER] ----- 192.168.0.1
| -> 1.2.3.4
| 192.168.0.2 -> www.tofoo.bar(y.y.y.y) ----- [ROUTER] ----- 192.168.0.2
| -> 1.2.3.4
| 192.168.0.3 -> www.footo.bar(z.z.z.z) ----- [ROUTER] ----- 192.168.0.3
| -> 1.2.3.4
| ...
| 192.168.0.x -> ?.?.?.? ----- [ROUTER] ----- 192.168.0.x
| -> 1.2.3.4
|
|
|
| Or maybe with double NAT:
|
| initial ip packet interim ip packet
| generated ip packet
| ----------------- -----------------
| -------------------
|
| inside outside
| ----- [ROUTER] -----
| 192.168.0.1 -> www.foo.bar(x.x.x.x) loopback 0 -> (x.x.x.x) loopback
| 0 -> 1.2.3.4
| 192.168.0.2 -> www.tofoo.bar(y.y.y.y) loopback 0 -> (y.y.y.y) loopback
| 0 -> 1.2.3.4
| ...
|
|
| My first thought was about creating two NAT statements...
|
| 1) 192.168.0.x -> loopback 0 overload
| 2) loobback 0 -> 1.2.3.4
|
| ...but after some tests I realize that this won't work.
|
| I have search a lot of cisco doc's for such a "fixed destination address
| translation"
| without success. Have someone out there an idea? Or is this really a
| very bad way?
|
Do you actually need to NAT the inside source address from the 192 address
to something global? If not, then couldn't you just route everything
through the proxy rather than trying to translate the destination address?
Or route through the proxy and do NAT on the opposite side of the proxy.
- --
=========
bep
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
iD8DBQFAIZWwE1XcgMgrtyYRAlHpAKCqb1BSTDQC/4AfRc8cOavp+9dQFACfVoYt
1DECTuoarNshTLnMizaahk8=
=PfUn
-----END PGP SIGNATURE-----
More information about the cisco-nsp
mailing list