One private IP NAT to multiple public IPs?

I have a requirement to setup a network so that an internal server communicates with outside world through different WAN networks. I have three separate WAN connections terminated on a single Cisco 6500. The internal network also connects to the same switch.

External VLANs: Ingress, Egress and Management
Internal VLAN: Internal

Requirements:

  1. Management traffic can only talk to the internal server(s) via Management WAN;
  2. Application traffic can only talk to the internal server(s) via Ingress WAN;
  3. Outbound traffic originated from internal servers has to go through Egress WAN;
  4. Internal servers use private IP addresses

For example, I have:

Servers on Internal VLAN:

The management traffic (i.e. SNMP, ssh) uses the following public IPs to reach each server:

The application traffic (i.e. www, ftp) uses the following public IPs to reach each server:

The traffic initiated from the servers uses the following public IPs to access the Internet:

Given the requirements above, how do I design/configure my switch to achieve the goal? I've done some searches on the forum with no luck. Please kindly advise.



I think you've got an interesting problem here. At first sight it seems relatively simple but on a second look it becomes rather tricky. Unfortunately there is insufficient information to provide a design, although here are a couple of points you could consider.

Beyond understanding the feature set of the Cisco 6500, the key areas for consideration are how to differentiate the traffic flows and the need to define return paths for each traffic type.

If the traffic can be segregated based on source and destination IP address it may be possible to use static routes. More specific routes would be chosen to route traffic for the management and Ingress return paths; a default route would route traffic through Egress link.

If the traffic can be differentiated based on source/dest. ports or protocols then Policy Based Routing can complement the static IP route technique above.

Alternatively, if the applications can be configured to use multiple IP addresses on a single NIC, the problem may be simplified.

A detailed requirements capture and traffic profile should provide some of the answers and a direction in which to develop the design.

====================
Joe
Igneous Networks
Technical Director
Network services for merging companies
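To make the two ideas in the reply concrete (static routes plus policy-based routing to pick a return path, and a separate public address per WAN for the same private server, as the original question requires), here is an added Python model of the forwarding decision. It is not configuration from the thread or from Cisco; the addresses are constructed from the RFC 5737 documentation ranges because the poster's real address tables are not on the page, and the port-to-WAN policy (ssh/SNMP on the management WAN, www/ftp on the ingress WAN, everything the server initiates via the egress WAN) is an assumption standing in for the traffic profile the reply says must be captured first.

```python
"""
Model of a three-WAN design for one private server: per-WAN inbound NAT with a
port allow-list, and source-port policy routing to choose the return WAN.
Added illustration; addresses and the port policy are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

SERVER_PRIVATE = "10.10.10.5"          # constructed private address (requirement 4)
PUBLIC_IP = {                          # constructed: the server's public face on each WAN
    "mgmt":    "192.0.2.5",
    "ingress": "198.51.100.5",
    "egress":  "203.0.113.5",
}
# Assumed policy: which server ports each inbound WAN may reach (requirements 1 and 2).
ALLOWED_PORTS = {
    "mgmt":    {22, 161},        # ssh, snmp
    "ingress": {21, 80, 443},    # ftp, www
}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_if: str                   # 'mgmt', 'ingress', 'egress' or 'internal'


@dataclass
class Decision:
    action: str                  # 'forward' or 'drop'
    out_if: Optional[str]
    packet: Optional[Packet]     # packet after translation, if forwarded
    reason: str


def inbound(pkt: Packet) -> Decision:
    """WAN -> server: destination NAT, restricted to the services allowed on that WAN."""
    wan = pkt.in_if
    if wan not in ALLOWED_PORTS:
        return Decision("drop", None, None, f"no inbound service offered on {wan}")
    if pkt.dst != PUBLIC_IP[wan]:
        return Decision("drop", None, None, "not the server's address on this WAN")
    if pkt.dport not in ALLOWED_PORTS[wan]:
        return Decision("drop", None, None, f"port {pkt.dport} not permitted via {wan}")
    translated = Packet(pkt.src, SERVER_PRIVATE, pkt.sport, pkt.dport, wan)
    return Decision("forward", "internal", translated, f"dnat via {wan}")


def outbound(pkt: Packet) -> Decision:
    """Server -> WAN: policy routing on the source port picks the return WAN and its NAT address."""
    if pkt.src != SERVER_PRIVATE:
        return Decision("drop", None, None, "unknown internal source")
    # A reply carries the server's listening port as its source port, so the
    # port identifies the WAN the session arrived on; that is the PBR match.
    # Anything else is server-initiated and follows the default route (egress).
    out = next((wan for wan, ports in ALLOWED_PORTS.items() if pkt.sport in ports), "egress")
    translated = Packet(PUBLIC_IP[out], pkt.dst, pkt.sport, pkt.dport, pkt.in_if)
    return Decision("forward", out, translated, f"snat via {out}")


def route(pkt: Packet) -> Decision:
    """Dispatch on the arrival interface."""
    return outbound(pkt) if pkt.in_if == "internal" else inbound(pkt)


if __name__ == "__main__":
    samples = [
        Packet("198.18.0.9", "192.0.2.5", 51000, 22, "mgmt"),          # ssh via management WAN
        Packet("198.18.0.9", "198.51.100.5", 51001, 22, "ingress"),    # ssh via ingress WAN: dropped
        Packet("10.10.10.5", "198.18.0.9", 22, 51000, "internal"),     # ssh reply: back out mgmt
        Packet("10.10.10.5", "198.18.7.7", 40000, 443, "internal"),    # server-initiated: egress
    ]
    for p in samples:
        d = route(p)
        print(d.action, d.out_if, d.reason)
```

The model only works because the service ports are disjoint across WANs, which is exactly the precondition the reply gives for policy-based routing. Where the same service must be reachable over two WANs, a port match is not enough and the return path has to be selected from the session state created on the inbound side (or, as the reply's last suggestion says, from distinct server addresses), since a router that simply follows its default route would send a management reply out the egress WAN with the wrong source address.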
