Cisco IOS Software Release 12.2(18)SXD
Features
Note
You can use both server NAT and client NAT for the same connection.
IOS SLB does not support FTP or firewall load balancing in directed mode. Therefore, FTP and firewall load balancing cannot use NAT.
IOS SLB supports only client NAT for TCP and UDP virtual servers.
IOS SLB supports only server NAT (but not server port translation) for Encapsulation Security Payload (ESP) virtual servers or Generic Routing Encapsulation (GRE) virtual servers.
Server NAT
Server NAT involves replacing the virtual server IP address with the real server IP address (and vice versa). Server NAT provides the following benefits:
• Servers can be many hops away from the load-balancing device.
• Intervening routers can route to them without requiring tunnelling.
• Loopback and secondary interfaces are not required on the real server.
• The real server need not be Layer 2-adjacent to IOS SLB.
• The real server can initiate a connection to a virtual server on the same IOS SLB device.
Client NAT
If you use more than one load-balancing device in your network, replacing the client IP address with an IP address associated with one of the devices results in proper routing of outbound flows to the correct device. Client NAT also requires that the ephemeral client port be modified, since many clients can use the same ephemeral port. Even in cases where multiple load-balancing devices are not used, client NAT can be useful to ensure that packets from load-balanced connections are not routed around the device.
Static NAT
With static NAT, address translations exist in the NAT translation table as soon as you configure static NAT commands, and they remain in the translation table until you delete the static NAT commands.
You can use static NAT to allow some users to utilize NAT and allow other users on the same Ethernet interface to continue with their own IP addresses. This option enables you to provide a default NAT behavior for real servers, differentiating between responses from a real server and connection requests initiated by the real server.
For example, you can use server NAT to redirect Domain Name System (DNS) inbound request packets and outbound response packets for a real server, and static NAT to process connection requests from that real server.
Note
Static NAT is not required for DNS, but it is recommended, because it hides your real server IP addresses from the outside world.
IOS SLB supports the following static NAT options, configured using the ip slb static command:
• Static NAT with dropped connections—The real server is configured to have its packets dropped by IOS SLB if the packets do not correspond to existing connections. This option is usually used in conjunction with the subnet mask or port number option on the real command in static NAT configuration mode, such that IOS SLB builds connections to the specified subnet or port and drops all other connections from the real server.
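The following configuration is an added example, not taken from the Cisco documentation, showing how the server NAT and static-NAT-with-dropped-connections options described above combine for a single DNS real server; the addresses are documentation ranges and the exact command syntax (nat server, ip slb static drop, real with a subnet mask) is assumed from the IOS SLB command set rather than quoted from this page.

```text
! Added example (not from the Cisco documentation). Addresses are
! documentation ranges; command syntax is assumed, not quoted from the page.
!
! Server farm with server NAT: IOS SLB rewrites the virtual address to the
! real server address on inbound packets (and back on outbound), so the
! real server does not need to be Layer 2-adjacent to the IOS SLB device.
ip slb serverfarm DNS-FARM
 nat server
 real 10.10.10.53
  inservice
!
! Virtual server that fronts the real DNS server on a public address.
ip slb vserver DNS-VIP
 virtual 198.51.100.53 udp 53
 serverfarm DNS-FARM
 inservice
!
! Static NAT with dropped connections for the same real server. With the
! subnet mask on the real command, IOS SLB builds connections for the
! specified subnet and drops any other packets from the real server that
! do not belong to an existing connection, which hides the real address
! from the outside and limits what the server can initiate through SLB.
ip slb static drop
 real 10.10.10.53 255.255.255.0
```

Because static translations stay in the table until the static NAT commands are removed, verify the resulting entries with the platform's show ip slb commands after applying the configuration.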