A Cisco question for the experts # EmergingNetworking - Trending networking technologies
w*r
1
On NetScreen, iptables, and countless low-end firewalls
you can do one simple thing:
point multiple public IPs at the same private IP.
But the Cisco ASA, this high-end firewall...
Say I've already mapped pub1 to private1;
when I then try to point pub2 at private1, the system refuses, saying private1 has already been NATed with pub1.
Called Cisco, and they also say it can't be done.
Damn it, something this simple, and it doesn't work?
Frustrated...
w*r
2
damn it
Ended up solving it on the Foundry load balancer side instead.
If you NAT to a single machine it's simple: just add an alias IP on the machine.
The problem is NATing to a VIP.
Called Foundry and found a workaround.
Damn, such an easy little feature, why doesn't Cisco support it?

[In w*****r's post:]
: On NetScreen, iptables, and countless low-end firewalls
: you can do one simple thing:
: point multiple public IPs at the same private IP.
: But the Cisco ASA, this high-end firewall...
: Say I've already mapped pub1 to private1;
: when I then try to point pub2 at private1, the system refuses, saying private1 has already been NATed with pub1.
: Called Cisco, and they also say it can't be done.
: Damn it, something this simple, and it doesn't work?
: Frustrated...

b*e
3
Not clear about your requirement, but how does DNS come into the picture here? No
matter how many millions of domains are mapped to this IP address, to routers/
ASAs it is just another IP address.

[In w*****r's post:]
: damn it
: Ended up solving it on the Foundry load balancer side instead.
: If you NAT to a single machine it's simple: just add an alias IP on the machine.
: The problem is NATing to a VIP.
: Called Foundry and found a workaround.
: Damn, such an easy little feature, why doesn't Cisco support it?

z*r
4
Sure, PAT can work; your case is a simple case for a wildcard VIP + PAT.

[In w*****r's post:]
: damn it
: Ended up solving it on the Foundry load balancer side instead.
: If you NAT to a single machine it's simple: just add an alias IP on the machine.
: The problem is NATing to a VIP.
: Called Foundry and found a workaround.
: Damn, such an easy little feature, why doesn't Cisco support it?

z*r
5
Different vendors give NAT different definitions; a lot of them call NPAT
"NAT" for the sake of convenience and confusion. Cisco calls NAT "NAT" and NPAT
"PAT". You cannot just map the two addresses, I mean with real NAT, to one
single IP; you always have to use PAT. This is the standard.

[In w*****r's post:]
: damn it
: Ended up solving it on the Foundry load balancer side instead.
: If you NAT to a single machine it's simple: just add an alias IP on the machine.
: The problem is NATing to a VIP.
: Called Foundry and found a workaround.
: Damn, such an easy little feature, why doesn't Cisco support it?

z*r
6
Why complain? Because it should not be allowed; refer to post 1107.

[In w*****r's post:]
: damn it
: Ended up solving it on the Foundry load balancer side instead.
: If you NAT to a single machine it's simple: just add an alias IP on the machine.
: The problem is NATing to a VIP.
: Called Foundry and found a workaround.
: Damn, such an easy little feature, why doesn't Cisco support it?

j*r
7
I was wrong.
You can use the Internet router to do the PAT as a workaround.

[In w*****r's post:]
: damn it
: Ended up solving it on the Foundry load balancer side instead.
: If you NAT to a single machine it's simple: just add an alias IP on the machine.
: The problem is NATing to a VIP.
: Called Foundry and found a workaround.
: Damn, such an easy little feature, why doesn't Cisco support it?

w*r
8
Maybe my understanding of PAT is not right;
I need to read up to get a more accurate definition of it.
My understanding was:
PAT:
addressA:801 ----> private_addressA1:80
addressA:802 ----> private_addressA2:80
or something like that.
Can you point both addressA:80 and addressB:80 to the same
private_address:80?
Well, this is no longer for the purpose of my original post,
just to discuss.

[In z**r's post:]
: Sure, PAT can work; your case is a simple case for a wildcard VIP + PAT.
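As an added illustration of the distinction z*r draws in post 5 and the question w*r asks in post 8 (this is not code from the thread and not how the ASA is implemented), the Python below models a small stateful NAT table. A whole-address ("1:1") static is bidirectional, so a second one for the same real host leaves that host's own outgoing traffic with two candidate mapped addresses; a port-based static (Cisco's "PAT") only claims one inbound protocol/address/port tuple, so two of them can point at the same real ip:port and replies are steered back by the connection table. The conflict rules, the `NatTable` class and all addresses (RFC 5737 documentation ranges) are assumptions chosen to reproduce the behaviour the thread reports, not a vendor's rules.

```python
# Added illustration, not Cisco's code: a toy stateful NAT table that shows why a
# second whole-address ("1:1") static for the same real host is ambiguous, while
# two port-based statics (what Cisco calls PAT) can both point at one real ip:port.
# Addresses are constructed RFC 5737 documentation addresses.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Static:
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None       # None means whole-address static NAT
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

    @property
    def port_based(self) -> bool:
        return self.proto is not None


class NatTable:
    def __init__(self) -> None:
        self.rules: List[Static] = []
        # Connection table: (proto, outside peer, real endpoint) -> the mapped
        # address the inbound SYN arrived on, so replies leave from that address.
        self.conns: Dict[Tuple[str, Endpoint, Endpoint], str] = {}

    def add(self, rule: Static) -> None:
        for r in self.rules:
            if not rule.port_based and not r.port_based:
                # A whole-address static is bidirectional: it also decides the
                # source address of everything the real host originates.  A
                # second one for the same real host would give that traffic two
                # candidate mapped addresses, so reject it (the behaviour the
                # thread reports from the ASA).  Sharing a mapped address is
                # ambiguous in the inbound direction instead.
                if r.real_ip == rule.real_ip or r.mapped_ip == rule.mapped_ip:
                    raise ValueError(
                        f"{rule.real_ip} is already translated to {r.mapped_ip}")
            elif rule.port_based and r.port_based:
                # A port-based static only claims one inbound (proto, ip, port)
                # tuple; several may share the same real ip:port because replies
                # are steered by the connection table, not by the static.
                if (r.proto, r.mapped_ip, r.mapped_port) == (
                        rule.proto, rule.mapped_ip, rule.mapped_port):
                    raise ValueError("mapped tuple already in use")
        self.rules.append(rule)

    def inbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Translate a packet arriving from outside; return the real destination."""
        for r in self.rules:
            if r.port_based and (r.proto, r.mapped_ip, r.mapped_port) == (proto, *dst):
                real: Endpoint = (r.real_ip, r.real_port)
                break
            if not r.port_based and r.mapped_ip == dst[0]:
                real = (r.real_ip, dst[1])
                break
        else:
            return None  # no static matches: packet is dropped
        self.conns[(proto, src, real)] = dst[0]
        return real

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Optional[str]:
        """Pick the mapped source address for a packet leaving the real host."""
        mapped = self.conns.get((proto, dst, src))
        if mapped is not None:
            return mapped                  # reply: reuse the address it came in on
        for r in self.rules:               # new connection: first matching static
            if r.port_based and (r.proto, r.real_ip, r.real_port) == (proto, *src):
                return r.mapped_ip
            if not r.port_based and r.real_ip == src[0]:
                return r.mapped_ip
        return None                        # would need dynamic PAT or be dropped


def demo() -> dict:
    """pub1/pub2 -> private1, once as whole-address statics, once as port-based."""
    pub1, pub2, private1 = "198.51.100.1", "198.51.100.2", "10.0.0.10"

    one_to_one = NatTable()
    one_to_one.add(Static(pub1, private1))
    try:
        one_to_one.add(Static(pub2, private1))
        second_static = "accepted"
    except ValueError as err:
        second_static = f"rejected: {err}"

    pat = NatTable()
    pat.add(Static(pub1, private1, "tcp", 80, 80))
    pat.add(Static(pub2, private1, "tcp", 80, 80))   # same real ip:port, allowed
    client_a, client_b = ("203.0.113.5", 40000), ("203.0.113.5", 40001)
    real_a = pat.inbound("tcp", client_a, (pub1, 80))
    real_b = pat.inbound("tcp", client_b, (pub2, 80))
    return {
        "second_static": second_static,   # "rejected: 10.0.0.10 is already ..."
        "real_a": real_a,                 # ('10.0.0.10', 80)
        "real_b": real_b,                 # ('10.0.0.10', 80)
        "reply_a": pat.outbound("tcp", (private1, 80), client_a),  # pub1
        "reply_b": pat.outbound("tcp", (private1, 80), client_b),  # pub2
        # a brand-new connection from the server on another port matches no static
        "new_outbound": pat.outbound("tcp", (private1, 51515), ("203.0.113.9", 443)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model answers w*r's question in post 8 in the affirmative for port-based entries: addressA:80 and addressB:80 can both land on private_address:80, and each reply goes back out of the address its connection arrived on. What the model (and, per the thread, the ASA) refuses is the second whole-address static, because that kind of entry also has to answer "which public address does private1 use when it starts a connection of its own," and two entries give two answers. The `new_outbound` case shows the price of port-based entries: traffic the real host originates from other ports is not covered by them at all and needs a separate dynamic PAT rule.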
z*r
9
Check out PAT.

[In w*****r's post:]
: On NetScreen, iptables, and countless low-end firewalls
: you can do one simple thing:
: point multiple public IPs at the same private IP.
: But the Cisco ASA, this high-end firewall...
: Say I've already mapped pub1 to private1;
: when I then try to point pub2 at private1, the system refuses, saying private1 has already been NATed with pub1.
: Called Cisco, and they also say it can't be done.
: Damn it, something this simple, and it doesn't work?
: Frustrated...

j*r
10
Outside NAT should work on Cisco.

[In w*****r's post:]
: damn it
: Ended up solving it on the Foundry load balancer side instead.
: If you NAT to a single machine it's simple: just add an alias IP on the machine.
: The problem is NATing to a VIP.
: Called Foundry and found a workaround.
: Damn, such an easy little feature, why doesn't Cisco support it?

b*e
13
Have you tried the following simple two lines of configuration:

    global (inside) 1 192.168.1.1
    nat (outside) 1 92.68.1.0 255.255.255.0

To the firewall it really does not care about public or private addresses; it can
do any kind of address translation.

[In w*****r's post:]
: damn it
: Ended up solving it on the Foundry load balancer side instead.
: If you NAT to a single machine it's simple: just add an alias IP on the machine.
: The problem is NATing to a VIP.
: Called Foundry and found a workaround.
: Damn, such an easy little feature, why doesn't Cisco support it?

w*r
14
I need to "static" NAT two public IPs to the same internal IP.
It won't allow me to add the second NAT, complaining that the private
IP has already been static NATed with another IP.
Anyway, I found ways to work around it.

[In j****r's post:]
: Outside NAT should work on Cisco.
z*r
15
What exactly are you trying to do? Explain your application clearly.

[In w*****r's post:]
: damn it
: Ended up solving it on the Foundry load balancer side instead.
: If you NAT to a single machine it's simple: just add an alias IP on the machine.
: The problem is NATing to a VIP.
: Called Foundry and found a workaround.
: Damn, such an easy little feature, why doesn't Cisco support it?

w*r
16
There are some more twists in the VIP that prevent a wildcard VIP;
for example, we don't just load balance port 80, hehe.
Anyway, I did similar things:
made up two VIPs with the same server pool
and NATed each of them to a public IP.
The only thing is, even to do that, the load balancer prevents two VIPs
with the same server farm bound to them at the same time.
Had to play some tricks over there.
Some cheap low-level equipment was really easy: just make up
two rules with the same static NAT, or bind the same real servers.

[In z**r's post:]
: What exactly are you trying to do? Explain your application clearly.
z*r
17
Why complain? Because it should not be allowed; refer to post 1107.

[In w*****r's post:]
: There are some more twists in the VIP that prevent a wildcard VIP;
: for example, we don't just load balance port 80, hehe.
: Anyway, I did similar things:
: made up two VIPs with the same server pool
: and NATed each of them to a public IP.
: The only thing is, even to do that, the load balancer prevents two VIPs
: with the same server farm bound to them at the same time.
: Had to play some tricks over there.
: Some cheap low-level equipment was really easy: just make up
: two rules with the same static NAT, or bind the same real servers.

w*r
18
Yeah, my point is, why do they try to make things so hard?
Why complain?
Just allow those things; what's the harm?

[In z**r's post:]
: Why complain? Because it should not be allowed; refer to post 1107.
w*r
20
There are some more twists in the VIP that prevent a wildcard VIP;
for example, we don't just load balance port 80, hehe.
Anyway, I did similar things:
made up two VIPs with the same server pool
and NATed each of them to a public IP.
The only thing is, even to do that, the load balancer prevents two VIPs
with the same server farm bound to them at the same time.
Had to play some tricks over there.
Some cheap low-level equipment was really easy: just make up
two rules with the same static NAT, or bind the same real servers.

[In z**r's post:]
: Check out PAT.
z*r
21
Easy to solve this problem: a simple policy-based wildcard VIP serves you
perfectly.
Your workaround does NOT scale; use mine, hoho.

[In w*****r's post:]
: There are some more twists in the VIP that prevent a wildcard VIP;
: for example, we don't just load balance port 80, hehe.
: Anyway, I did similar things:
: made up two VIPs with the same server pool
: and NATed each of them to a public IP.
: The only thing is, even to do that, the load balancer prevents two VIPs
: with the same server farm bound to them at the same time.
: Had to play some tricks over there.
: Some cheap low-level equipment was really easy: just make up
: two rules with the same static NAT, or bind the same real servers.

Contact us | Privacy policy | ©2024 redian.news