[c-nsp] NAT and hairpin's

Rick Martin rick.martin at arkansas.gov
Thu Jul 17 09:47:28 EDT 2008


We run into this frequently with our public school networks. A couple
of things we try to do:

1. Eliminate the hairpin traffic to the router - DNS trickery as already
mentioned and/or a second NIC in the target server. We configure our
routers with the public network as a secondary IP on the router; you
would still have the hairpin traffic without the aid of DNS trickery.
The DNS trickery may be nothing more than a local hosts file on each
internal client that the TCP stack would reference before looking to the
configured DNS server. This local hosts file would have a DNS mapping for
the local server pointing to the private address.

2. ALWAYS include "ip route-cache same-interface" on a router interface
that might experience hairpin traffic.

If the traffic is not terribly significant, the route-cache
same-interface is usually sufficient; if the traffic is expected to be
significant we do everything we can to eliminate the hairpin traffic
altogether.
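As an added illustration of the secondary-address approach in the reply above (a constructed example, not configuration from the thread; interface names, masks, the router's inside address 192.168.1.254 and the 203.1.2.128/29 block are assumed):

```cisco
! Constructed example; interface names, masks, 192.168.1.254 and the
! 203.1.2.128/29 block are assumptions, not values from the thread.
interface FastEthernet0/0
 description Outside - Internet
 ip address 203.1.2.3 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description Inside LAN - private network primary, public block secondary
 ip address 192.168.1.254 255.255.255.0
 ip address 203.1.2.129 255.255.255.248 secondary
 ip nat inside
 ! Internal clients that still reach the server's second NIC on its
 ! public address (e.g. 203.1.2.130) enter and leave on this interface.
 ! By default such same-interface packets are process switched; this
 ! keeps them on the fast path.
 ip route-cache same-interface
!
! Internet clients keep reaching the server's private NIC through the
! static translation from the original question (one port shown).
ip nat inside source static tcp 192.168.1.1 80 interface FastEthernet0/0 80
```

The "DNS trickery" half of the reply is a hosts-file line on each internal client, such as `192.168.1.1 server.example` (placeholder name), so those clients go to the private address and never send the router any hairpin traffic at all.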
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geyer, Nick
Sent: Thursday, July 17, 2008 12:16 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT and hairpin's

Hi Everyone,

Just wondering if anyone has come up with a way to hairpin traffic using
a Cisco router? The problem is as follows:

Say for example I have a router connecting to the Internet and an
internal LAN doing normal NAT, e.g.:

203.1.2.3 -> ROUTER <- 192.168.1.0/24 (203.1.2.3 being the public IP on
the "outside" interface)

I have an application that talks from clients on the Internet to an
internal server (192.168.1.1), with the appropriate static NATs set up
on the router to forward the traffic. The problem is the internal
clients also need to talk to the server but on the public IP address
(203.1.2.3). The traffic from the internal clients will hit the router
but it won't translate and forward the traffic because it's coming from
the "inside" interface (and the static NAT only works for requests from
the outside interface).

I don't believe it can be done but just thought I would ask in case
anyone has come up with a weird and wonderful way.

Cheers,

Nick Geyer.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/