This document describes how to configure Network Address Translation (NAT) server load balancing for TCP traffic on Cisco IOS routers.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions. This document applies to all Cisco routers and switches that run Cisco IOS.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Users that access the local servers from the outside Internet reach them through a single URL or IP address; the NAT device load-shares that user traffic across multiple identical servers with mirrored content.
Outside users A and B access the content of the web server through the outside-visible IP 172.16.2.3 (the virtual IP of the servers). The NAT router translates traffic destined for 172.16.2.3 to the inside IPs 10.1.1.1, 10.1.1.2 and 10.1.1.3 in round-robin fashion and forwards it to the respective server. Each new session initiated by an outside user is translated to the next physical server IP address.
Here user A initiates a TCP connection with the virtual server IP 172.16.2.3.
Upon receiving the connection request, the NAT router creates a NAT translation entry, allocating the next available real server IP address (for example, 10.1.1.1).
The NAT router replaces the destination IP address with the allocated real IP address and forwards the packet.
The server receives the packet and replies to the source.
The NAT router receives the packet returned from the server and performs a NAT table lookup. The router translates the source address to the virtual server IP address (172.16.2.3) and forwards the packet.
Now user B initiates a TCP session with the server virtual IP 172.16.2.3. Upon receiving this connection request, the NAT router translates the destination to the next available real server IP address (for example, 10.1.1.2) and forwards the packet to that server.
The translation is bidirectional: the entry created by the connection request from outside is also used in the other direction, so the reply from the real server has its source address translated back to the virtual IP. The entry is only created by TCP traffic. Sending Internet Control Message Protocol (ICMP) traffic (for example, ping) to the virtual IP might not trigger the translation, so test with TCP packets.
Non-TCP traffic is directed to the first address in the pool.
Unlike static inside source NAT and static inside source PAT, the router does not respond to ARP requests for the global (virtual) address unless that address is assigned to one of its interfaces. Therefore, it may be necessary to add the virtual address to the outside interface, for example as a secondary address. It is not possible to redirect ports with this method of translation (for example, 80 to 1087); the destination port must be the same on the virtual and the real servers.
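To make the sequence above concrete, the following Python model (an added example written for this page, not Cisco IOS code) replays it: each new TCP session to the virtual IP is allocated the next real server in round-robin order, later packets of the same session reuse the entry, replies from the real server get their source rewritten to the virtual IP, non-TCP traffic goes to the first pool address without creating an entry, and the destination port is never changed. The virtual IP and pool addresses are the ones used in this document; the client addresses 192.0.2.10 and 192.0.2.20, the client ports and the server port 80 are constructed for the demonstration.

```python
from dataclasses import dataclass, replace
from itertools import cycle

VIP = "172.16.2.3"                            # virtual IP from this document
POOL = ["10.1.1.1", "10.1.1.2", "10.1.1.3"]   # NATPOOL from this document


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


class RotaryNat:
    """Simplified model of 'ip nat inside destination ... type rotary'."""

    def __init__(self, vip, pool):
        self.vip = vip
        self.pool = list(pool)
        self._next_server = cycle(self.pool)
        # translation table: (client ip, client port, server port) -> real server ip
        self.table = {}

    def outside_to_inside(self, pkt):
        """Packet arriving on the NAT outside interface."""
        if pkt.dst != self.vip:
            return pkt                          # not addressed to the virtual IP
        if pkt.proto != "tcp":
            # non-TCP traffic: no entry is created, it goes to the first pool address
            return replace(pkt, dst=self.pool[0])
        key = (pkt.src, pkt.sport, pkt.dport)
        if key not in self.table:               # new session: allocate the next server
            self.table[key] = next(self._next_server)
        # only the destination address changes; the port is left as it is
        return replace(pkt, dst=self.table[key])

    def inside_to_outside(self, pkt):
        """Packet arriving on the NAT inside interface (reply from a real server)."""
        key = (pkt.dst, pkt.dport, pkt.sport)
        if pkt.proto == "tcp" and self.table.get(key) == pkt.src:
            return replace(pkt, src=self.vip)   # source rewritten to the virtual IP
        return pkt


def demo():
    nat = RotaryNat(VIP, POOL)
    # constructed traffic: user A (192.0.2.10) and user B (192.0.2.20) open TCP
    # sessions to the virtual IP on port 80, then A pings the virtual IP
    a1 = nat.outside_to_inside(Packet("tcp", "192.0.2.10", 40001, VIP, 80))
    b1 = nat.outside_to_inside(Packet("tcp", "192.0.2.20", 50001, VIP, 80))
    a1_more = nat.outside_to_inside(Packet("tcp", "192.0.2.10", 40001, VIP, 80))
    a2 = nat.outside_to_inside(Packet("tcp", "192.0.2.10", 40002, VIP, 80))
    b2 = nat.outside_to_inside(Packet("tcp", "192.0.2.20", 50002, VIP, 80))
    reply = nat.inside_to_outside(Packet("tcp", a1.dst, 80, "192.0.2.10", 40001))
    ping = nat.outside_to_inside(Packet("icmp", "192.0.2.10", 0, VIP, 0))
    return {"a1": a1, "b1": b1, "a1_more": a1_more, "a2": a2, "b2": b2,
            "reply": reply, "ping": ping, "entries": len(nat.table)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:8} {value}")
```

Running it shows user A's first session on 10.1.1.1, user B's on 10.1.1.2, A's second session on 10.1.1.3, B's second session wrapping back to 10.1.1.1, the server reply leaving with source 172.16.2.3, and the ping reaching 10.1.1.1 without adding a table entry. The model keys entries on the client address and ports only; a real IOS translation entry is richer, but the allocation order and the TCP-only trigger are the points the document makes.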
Define a pool of addresses containing the addresses of the real servers.
ip nat pool NATPOOL 10.1.1.1 10.1.1.3 prefix-length 24 type rotary
Define an access list that permits the address of the virtual server.
access-list 1 permit host 172.16.2.3
Enable a dynamic translation of inside destination addresses.
ip nat inside destination list <ACL number or name> pool <pool name>
ip nat inside destination list 1 pool NATPOOL
Now define the NAT inside and outside interfaces. The interface facing the real servers (10.1.1.0/24) is the NAT inside interface, and the interface facing the outside users is the NAT outside interface.
ip address 10.1.1.4 255.255.255.0
ip nat inside
ip address 172.16.1.1 255.255.255.248
ip nat outside
IP addresses 10.1.1.1, 10.1.1.2 and 10.1.1.3 are now handed out in rotary fashion when someone tries to access the virtual IP 172.16.2.3.
You can verify this by initiating multiple TCP sessions from outside hosts to the virtual IP. The output of show ip nat translations and debug ip nat can be used for verification.