As I was writing a blog series on IPSec, I came across quite a few issues related to NAT and I knew this had to do with the NAT-T feature. So I decided to do a more in-depth analysis of NAT-T, in order to understand it properly. While researching the topic, I came across a Cisco article explaining how to do Load-Balancing using NAT. I had used NAT before for standard NAT translation – inside to outside and vice-versa; but I had never used it for Load-Balancing.

So I took a break from IPSec …

I will be using the topology below to show how to configure Source-NAT as well as NAT-based Load-Balancing.

[Topology diagram: NAT]

  1. WWW1 and WWW2 belong to Company A
  2. Both WWW1 and WWW2 have the same content
  3. HOST1 and HOST2 are hosts inside Company B's LAN
  4. All Hosts and Servers are configured with private IP addresses

Requirements:

  1. Configure NATROUTER1 and NATROUTER2 routers so that both LANs can access the Internet
  2. Configure NATROUTER1 to Load-Balance connection to the internal web servers

 

Configure NATROUTER1 router so that WWW1 and WWW2 servers can access the Internet

Configuration …

hostname NATROUTER1
!
ip nat inside source list ACL-NAT-OUTBOUND interface FastEthernet0/1 overload
!
ip access-list extended ACL-NAT-OUTBOUND
   permit ip 192.168.1.0 0.0.0.255 any
   deny ip any any
!
interface FastEthernet0/0
   ip nat inside
!
interface FastEthernet0/1
   ip nat outside
!
end

Testing …

Success rate is 0 percent (0/3)

WWW1#ping 90.90.90.94 repeat 3

Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 90.90.90.94, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 4/9/16 ms
WWW1#

NATROUTER1>
*Mar 1 02:52:35.583: NAT*: s=192.168.1.250->89.89.89.94, d=90.90.90.94 [642]
*Mar 1 02:52:35.607: NAT*: s=90.90.90.94, d=89.89.89.94->192.168.1.250 [642]
*Mar 1 02:52:35.611: NAT*: s=192.168.1.250->89.89.89.94, d=90.90.90.94 [643]
*Mar 1 02:52:35.619: NAT*: s=90.90.90.94, d=89.89.89.94->192.168.1.250 [643]
*Mar 1 02:52:35.623: NAT*: s=192.168.1.250->89.89.89.94, d=90.90.90.94 [644]
*Mar 1 02:52:35.627: NAT*: s=90.90.90.94, d=89.89.89.94->192.168.1.250 [644]

In the debug output, the `->` shows which address was rewritten: `s=192.168.1.250->89.89.89.94` is the echo request leaving with its source changed to the Fa0/1 address, and `d=89.89.89.94->192.168.1.250` is the reply whose destination is translated back through the same table entry. The number in brackets is the IP ID of the packet.
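When the debug output gets long it helps to parse it rather than read it by eye. The parser below is an added example, not code from the original post: it turns `debug ip nat` lines into records, classifies each as outbound (source rewritten) or inbound (destination rewritten), counts translations per inside host, and lists IP IDs seen in only one direction. The sample input is the six NATROUTER1 lines shown above; the regex follows the format of those lines and assumes the `*Mar 1 hh:mm:ss.mmm:` timestamp shape seen here.

```python
import re
from collections import Counter, defaultdict

# One `debug ip nat` line as printed by Cisco IOS. The `->` marks which
# address was rewritten: s=A->B is an inside-to-outside packet whose source
# changed, d=A->B is an outside-to-inside packet whose destination changed.
# "NAT*" (with asterisk) is the fast-switched path; "NAT:" is also accepted.
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): NAT\*?: "
    r"s=(?P<s>[\d.]+)(?:->(?P<s_new>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_new>[\d.]+))? \[(?P<ipid>\d+)\]$"
)

# Sample input: the NATROUTER1 debug output from this post, one entry per line.
SAMPLE = """\
*Mar 1 02:52:35.583: NAT*: s=192.168.1.250->89.89.89.94, d=90.90.90.94 [642]
*Mar 1 02:52:35.607: NAT*: s=90.90.90.94, d=89.89.89.94->192.168.1.250 [642]
*Mar 1 02:52:35.611: NAT*: s=192.168.1.250->89.89.89.94, d=90.90.90.94 [643]
*Mar 1 02:52:35.619: NAT*: s=90.90.90.94, d=89.89.89.94->192.168.1.250 [643]
*Mar 1 02:52:35.623: NAT*: s=192.168.1.250->89.89.89.94, d=90.90.90.94 [644]
*Mar 1 02:52:35.627: NAT*: s=90.90.90.94, d=89.89.89.94->192.168.1.250 [644]
"""


def parse_line(line):
    """Return a dict describing one translation, or None for non-NAT lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    if g["s_new"]:
        # Outbound: inside local -> inside global on the source side.
        rec = {"direction": "out", "inside_local": g["s"],
               "inside_global": g["s_new"], "outside": g["d"]}
    elif g["d_new"]:
        # Inbound: inside global -> inside local on the destination side.
        rec = {"direction": "in", "inside_local": g["d_new"],
               "inside_global": g["d"], "outside": g["s"]}
    else:
        # Line matched the format but no address was rewritten.
        rec = {"direction": "none", "inside_local": None,
               "inside_global": None, "outside": None}
    rec["ts"], rec["ipid"] = g["ts"], int(g["ipid"])
    return rec


def summarize(debug_text):
    """Count translations per direction and per inside host, and list IP IDs
    that were seen in only one direction (a hint that a reply never came back
    or was not translated). For ICMP echo on IOS the reply carries the same
    IP ID as the request, as in the sample, so pairing by ID is meaningful;
    TCP peers pick IP IDs independently, so do not rely on it there."""
    records = [r for r in map(parse_line, debug_text.splitlines()) if r]
    by_direction = Counter(r["direction"] for r in records)
    per_host = Counter(r["inside_local"] for r in records
                       if r["direction"] == "out")
    seen = defaultdict(set)
    for r in records:
        seen[r["ipid"]].add(r["direction"])
    one_way = sorted(i for i, dirs in seen.items() if dirs != {"in", "out"})
    return {"records": records, "by_direction": by_direction,
            "per_inside_host": per_host, "one_way_ipids": one_way}


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(dict(s["by_direction"]), dict(s["per_inside_host"]), s["one_way_ipids"])
```

Feed it the captured output of `terminal monitor` plus `debug ip nat` and an empty `one_way_ipids` list together with equal in/out counts is a quick confirmation that every outbound translation had its reply translated back.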

Configure NATROUTER2 router so that HOST1 and HOST2 hosts can access the Internet

Configuration …

hostname NATROUTER2
!
interface FastEthernet0/0
   ip nat outside
!
interface FastEthernet0/1
   ip nat inside
!
ip nat inside source list ACL-NAT-OUTBOUND interface FastEthernet0/0 overload
!
ip access-list extended ACL-NAT-OUTBOUND
   permit ip 10.0.0.0 0.0.0.255 any
   deny ip any any
!
end

Testing …

HOST1#ping 89.89.89.94

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 89.89.89.94, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/12/24 ms
HOST1#

NATROUTER2#
*Mar 1 03:17:21.035: NAT*: s=10.0.0.1->90.90.90.94, d=89.89.89.94 [42]
*Mar 1 03:17:21.063: NAT*: s=89.89.89.94, d=90.90.90.94->10.0.0.1 [42]
*Mar 1 03:17:21.067: NAT*: s=10.0.0.1->90.90.90.94, d=89.89.89.94 [43]
*Mar 1 03:17:21.071: NAT*: s=89.89.89.94, d=90.90.90.94->10.0.0.1 [43]
*Mar 1 03:17:21.075: NAT*: s=10.0.0.1->90.90.90.94, d=89.89.89.94 [44]
*Mar 1 03:17:21.079: NAT*: s=89.89.89.94, d=90.90.90.94->10.0.0.1 [44]
*Mar 1 03:17:21.083: NAT*: s=10.0.0.1->90.90.90.94, d=89.89.89.94 [45]
*Mar 1 03:17:21.087: NAT*: s=89.89.89.94, d=90.90.90.94->10.0.0.1 [45]
*Mar 1 03:17:21.091: NAT*: s=10.0.0.1->90.90.90.94, d=89.89.89.94 [46]

Configure NATROUTER1 router to Load-Balance access to the internal Web servers

The configuration below is independent of the configuration above. The `type rotary` pool makes NATROUTER1 hand out the pool addresses in round-robin order: each new TCP session that matches ACL-NAT-INBOUND (TCP to port 80 on 89.89.89.94) is translated to the next server in the pool, and all further packets of that session follow the entry created for it.

Configuration …

hostname NATROUTER1
!
ip nat pool POOL-WWW 192.168.1.249 192.168.1.250 netmask 255.255.255.0 type rotary
ip nat inside destination list ACL-NAT-INBOUND pool POOL-WWW
!
ip access-list extended ACL-NAT-INBOUND
   permit tcp any host 89.89.89.94 eq www
!
end

Testing …

I have opened a TCP connection on port 80 (http) from HOST1 and HOST2 respectively; you can then see below the translation as shown in the debug output on the NATROUTER1 router:

HOST1#telnet 89.89.89.94 80
Trying 89.89.89.94, 80 … Open

HOST2#telnet 89.89.89.94 80
Trying 89.89.89.94, 80 … Open

NATROUTER1#
*Mar 1 03:20:43.951: NAT*: s=90.90.90.94, d=89.89.89.94->192.168.1.249 [54529]
*Mar 1 03:20:43.959: NAT*: s=192.168.1.249->89.89.89.94, d=90.90.90.94 [8345]
*Mar 1 03:20:43.967: NAT*: s=90.90.90.94, d=89.89.89.94->192.168.1.249 [54530]
*Mar 1 03:20:43.971: NAT*: s=90.90.90.94, d=89.89.89.94->192.168.1.249 [54531]
NATROUTER1#
*Mar 1 03:20:49.251: NAT*: s=90.90.90.94, d=89.89.89.94->192.168.1.250 [16732]
*Mar 1 03:20:49.271: NAT*: s=192.168.1.250->89.89.89.94, d=90.90.90.94 [50584]
*Mar 1 03:20:49.283: NAT*: s=90.90.90.94, d=89.89.89.94->192.168.1.250 [16733]
*Mar 1 03:20:49.287: NAT*: s=90.90.90.94, d=89.89.89.94->192.168.1.250 [16734]
*Mar 1 03:20:50.067: NAT*: s=90.90.90.94, d=89.89.89.94->192.168.1.250 [16735]

Notice how each session is sent to a different WWW server: the first connection (IP IDs 54529 to 54531) is translated to 192.168.1.249 and the second (IP IDs 16732 to 16735) to 192.168.1.250. Also notice that both connections were initiated towards the same public IP of 89.89.89.94, because HOST1 and HOST2 are both hidden behind NATROUTER2's overload address 90.90.90.94, and that the servers' replies (s=192.168.1.249->89.89.89.94 and s=192.168.1.250->89.89.89.94) are translated back through the same entries. Finally, you can see that both connections are successful.

Two caveats worth keeping in mind. The rotary pool is plain round-robin with no health check: if WWW1 is down, every other new connection is still sent to it and fails, so this is not a substitute for a load balancer that monitors its servers. On the positive side, ACL-NAT-INBOUND only matches TCP to port 80 on 89.89.89.94, so no other port on the servers becomes reachable from the outside; keep that ACL as narrow as the service needs.
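To make the table behaviour behind both configurations concrete, here is a small model of NATROUTER1's two rules written for this post; it is an added example, not IOS code or code from the original article. It keeps one translation table, answers inside-to-outside packets with the PAT rule (`ip nat inside source ... overload`) and outside-to-inside packets with the rotary rule (`ip nat inside destination ... pool POOL-WWW`), and shows that only the first packet of a session rotates the pool, that server replies are un-translated through the same entry, and that ports not covered by ACL-NAT-INBOUND are never forwarded inside. Addresses and ports come from the topology above; the 5-tuple keying, the port allocation and the ICMP handling (the port fields stand in for the echo ID) are simplifying assumptions of this model, and entries never time out.

```python
import ipaddress
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"; for icmp the port fields stand in for the echo ID
    src: str
    sport: int
    dst: str
    dport: int


class IosNatModel:
    """Model of NATROUTER1's rules (assumed simplification, not IOS internals):
         ip nat inside source list ACL-NAT-OUTBOUND interface Fa0/1 overload
         ip nat inside destination list ACL-NAT-INBOUND pool POOL-WWW (type rotary)
    Each entry is (inside_local, il_port, inside_global, ig_port, outside, o_port)."""

    def __init__(self, inside_net, outside_if_addr, rotary_pool, rotary_port=80):
        self.inside_net = ipaddress.ip_network(inside_net)   # ACL-NAT-OUTBOUND
        self.outside_if_addr = outside_if_addr               # Fa0/1 address
        self.rotary = cycle(rotary_pool)     # round-robin; no health check at all
        self.rotary_port = rotary_port
        self.by_inside = {}    # (proto, inside_local, il_port, outside, o_port) -> entry
        self.by_outside = {}   # (proto, inside_global, ig_port, outside, o_port) -> entry
        self.ports_in_use = {rotary_port}    # port 80 is reserved for the rotary rule
        self.log = []          # debug-ip-nat style lines

    def acl_nat_outbound(self, pkt):
        return ipaddress.ip_address(pkt.src) in self.inside_net

    def acl_nat_inbound(self, pkt):
        return (pkt.proto == "tcp" and pkt.dst == self.outside_if_addr
                and pkt.dport == self.rotary_port)

    def _add_entry(self, proto, il, ilp, ig, igp, out, outp):
        entry = (il, ilp, ig, igp, out, outp)
        self.by_inside[(proto, il, ilp, out, outp)] = entry
        self.by_outside[(proto, ig, igp, out, outp)] = entry
        return entry

    def _alloc_port(self, wanted):
        # PAT keeps the original source port when free, otherwise picks another.
        port = wanted
        while port in self.ports_in_use:
            port = port + 1 if port < 65535 else 1024
        self.ports_in_use.add(port)
        return port

    def inside_to_outside(self, pkt):
        """Packet arriving on the 'ip nat inside' interface."""
        entry = self.by_inside.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if entry is None:
            if not self.acl_nat_outbound(pkt):
                self.log.append(f"s={pkt.src}, d={pkt.dst} (no translation)")
                return pkt
            gport = self._alloc_port(pkt.sport)
            entry = self._add_entry(pkt.proto, pkt.src, pkt.sport,
                                    self.outside_if_addr, gport, pkt.dst, pkt.dport)
        _, _, ig, igp, _, _ = entry
        self.log.append(f"s={pkt.src}->{ig}, d={pkt.dst}")
        return Packet(pkt.proto, ig, igp, pkt.dst, pkt.dport)

    def outside_to_inside(self, pkt):
        """Packet arriving on the 'ip nat outside' interface; None means no
        inside host is reachable for it (no entry and no matching rule)."""
        entry = self.by_outside.get((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            if not self.acl_nat_inbound(pkt):
                self.log.append(f"s={pkt.src}, d={pkt.dst} (no translation)")
                return None
            server = next(self.rotary)       # new session only: rotate the pool
            entry = self._add_entry(pkt.proto, server, pkt.dport,
                                    pkt.dst, pkt.dport, pkt.src, pkt.sport)
        il, ilp, _, _, _, _ = entry
        self.log.append(f"s={pkt.src}, d={pkt.dst}->{il}")
        return Packet(pkt.proto, pkt.src, pkt.sport, il, ilp)


def demo():
    """Replays the post's scenario; HOST1/HOST2 already appear as 90.90.90.94."""
    nat = IosNatModel("192.168.1.0/24", "89.89.89.94", ["192.168.1.249", "192.168.1.250"])
    res = {}
    # Three new HTTP sessions: the pool rotates .249, .250, .249.
    res["session1"] = nat.outside_to_inside(Packet("tcp", "90.90.90.94", 54529, "89.89.89.94", 80)).dst
    res["session2"] = nat.outside_to_inside(Packet("tcp", "90.90.90.94", 16732, "89.89.89.94", 80)).dst
    res["session3"] = nat.outside_to_inside(Packet("tcp", "90.90.90.94", 40001, "89.89.89.94", 80)).dst
    # A later packet of session 1 hits its entry and stays on WWW1.
    res["session1_again"] = nat.outside_to_inside(Packet("tcp", "90.90.90.94", 54529, "89.89.89.94", 80)).dst
    # WWW1's reply goes out through the same entry with source 89.89.89.94:80.
    reply = nat.inside_to_outside(Packet("tcp", "192.168.1.249", 80, "90.90.90.94", 54529))
    res["reply_src"] = (reply.src, reply.sport)
    # SSH to the public address is not in ACL-NAT-INBOUND: nothing inside is reached.
    res["ssh_inbound"] = nat.outside_to_inside(Packet("tcp", "90.90.90.94", 40000, "89.89.89.94", 22))
    # Outbound PAT from WWW1 (the ping in the first section) and its reply.
    out = nat.inside_to_outside(Packet("icmp", "192.168.1.250", 642, "90.90.90.94", 0))
    res["pat_src"] = out.src
    res["pat_return_dst"] = nat.outside_to_inside(Packet("icmp", "90.90.90.94", 0, "89.89.89.94", out.sport)).dst
    return res, nat.log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    print("\n".join(log))
```

Running `demo()` prints log lines in the same shape as the `debug ip nat` output above, which is a convenient way to check your reading of the real output against the model.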

 


Thank you,
Rafael A Couto Cabral