[c-nsp] NAT and hairpin's

Ben Steele ben.steele at internode.on.net
Thu Jul 17 01:48:02 EDT 2008


This is where DNS doctoring on the ASA/PIX really comes in handy!

Split DNS is usually the way to go, but I had another thought: can you put the public 203 address as an alias on the server and then set up a policy route-map on your LAN interface to match packets with a destination of your server and port, say something like "permit tcp LAN host 203.1.2.3 eq 80", then put a "set ip next-hop SERVER LAN IP"?


On 17/07/2008, at 2:46 PM, Geyer, Nick wrote:

> Hi Everyone,
>
> Just wondering if anyone has come up with a way to hairpin traffic using a Cisco router? The problem is as follows:
>
> Say for example I have a router connecting to the Internet and an internal LAN doing normal NAT, e.g.:
>
> 203.1.2.3 -> ROUTER <- 192.168.1.0/24 (203.1.2.3 being the public IP on the "outside" interface)
>
> I have an application that talks from clients on the Internet to an internal server (192.168.1.1), with the appropriate static NATs set up on the router to forward the traffic. The problem is the internal clients also need to talk to the server but on the public IP address (203.1.2.3). The traffic from the internal clients will hit the router but it won't translate and forward the traffic because it's coming from the "inside" interface (and the static NAT only works for requests from the outside interface).
>
> I don't believe it can be done but just thought I would ask in case anyone has come up with a weird and wonderful way.
>
> Cheers,
>
> Nick Geyer.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
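Ben's policy-routing suggestion, written out as IOS configuration for Nick's topology. This is an added example, not configuration posted by either of them; the interface name, ACL and route-map names, and the router's LAN address 192.168.1.254 are assumptions.

```cisco
! Added example (not from the thread): hairpin LAN clients -> 203.1.2.3:80
! to the internal server via policy routing, as Ben describes.
! Assumed names: FastEthernet0/0 = LAN ("inside") interface, 192.168.1.254 =
! router LAN address, 192.168.1.1 = server, 203.1.2.3 = its static NAT address.
!
! The existing static NAT from Nick's description (outside -> inside only).
ip nat inside source static 192.168.1.1 203.1.2.3
!
! 1. Match only what must be hairpinned: LAN clients -> public IP, TCP 80.
!    The deny excludes the server itself so its own traffic is never
!    policy-routed straight back to it.
ip access-list extended HAIRPIN-WEB
 deny   ip host 192.168.1.1 any
 permit tcp 192.168.1.0 0.0.0.255 host 203.1.2.3 eq 80
!
! 2. Matching packets are handed to the server's LAN address as next hop.
!    Everything else (including LAN -> Internet) falls through to normal
!    routing and NAT untouched.
route-map HAIRPIN permit 10
 match ip address HAIRPIN-WEB
 set ip next-hop 192.168.1.1
!
! 3. Apply on the inside interface. PBR runs before the routing decision, and
!    because the packet never leaves via an "ip nat outside" interface the
!    inside->outside translation is not applied; the destination stays 203.1.2.3.
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip policy route-map HAIRPIN
!
! 4. The server must carry 203.1.2.3 as an alias (e.g. a /32 on a loopback),
!    otherwise its IP stack discards packets addressed to it. Replies leave the
!    server sourced from 203.1.2.3 directly to the LAN client, bypassing the
!    router: the path is asymmetric, but the client sees the address it dialled.
```

Check it with `show route-map HAIRPIN` (the policy-routing match counter should increment when a LAN client connects to 203.1.2.3:80) and `show ip nat translations`, which should show no new entry for the hairpinned flow.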


