Serveriron / nat
Hi Foundry Guru's

I am hoping someone could enlighten me on how network address
translation works in the serveriron. Here is the situation.

I have two vlan's configured - the public vlan with routable IP
addresses, this is where the VIP addresses are. The second vlan is a
standard 10.x netblock where the servers are located. I have a number
of VIPs and load balance a number of web servers - this works great.

However, I have a management server that will be accessible via web,
ssh etc. Do I need to create a VIP address just for this one server, or
can I someway map a public IP address to the internal IP address and
vice versa?

I hope I have made myself clear!

Thanks
Tim. :)
Serveriron / nat [ In reply to ]
What type of hardware are you running? Are you running in any sort of
active-active or active-standby mode?

If you only have one serveriron then this should do:
(from
http://www.foundrynet.com/services/documentation/siug/ServerIron_NAT.html#47377 )

"
Configuring Static Address Translations

Use the following CLI method to configure static NAT.

USING THE CLI

To configure static NAT for an IP address, enter commands such as the
following:

ServerIron(config)# ip nat inside source static 10.10.10.69 209.157.1.69

The commands in this example statically map the private address
10.10.10.69 to the Internet address 209.157.1.69.

Syntax: [no] ip nat inside source static <private-ip> <global-ip>

This command associates a specific private address with a specific
Internet address. Use this command when you want to ensure that the
specified addresses are always mapped together.

The inside source parameter specifies that the mapping applies to the
private address sending traffic to the Internet.

The <private-ip> parameter specifies the private IP address.

The <global-ip> parameter specifies the Internet address. The ServerIron
supports up to 255 global IP addresses.

Neither of the IP address parameters needs a network mask.
"

If you are running dual chassis devices in an active-active or
active-standby mode I would wait for the new code to be released
shortly. The new (shortly released) IronWare 9.2 code will greatly
simplify this. Instructions for the new configuration are in the
release notes for that release.

-----Original Message-----
From: foundry-nsp-bounces@puck.nether.net
[mailto:foundry-nsp-bounces@puck.nether.net] On Behalf Of Timothy Arnold
Sent: Thursday, November 04, 2004 8:20 AM
To: foundry-nsp@puck.nether.net
Subject: [f-nsp] Serveriron / nat

_______________________________________________
foundry-nsp mailing list
foundry-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp
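
The static mapping syntax quoted in the reply above can be inventoried from a saved configuration, since each mapping ties an internal host to a public address. The following is an added example, not part of the original posts or of Foundry's documentation; the function names and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Syntax from the page: [no] ip nat inside source static <private-ip> <global-ip>
STATIC_NAT = re.compile(
    r"^\s*(no\s+)?ip\s+nat\s+inside\s+source\s+static\s+(\S+)\s+(\S+)\s*$")
MAX_GLOBAL_IPS = 255  # limit stated in the quoted documentation
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
ip nat inside source static 10.10.10.69 209.157.1.69
ip nat inside source static 10.10.10.70 209.157.1.69
ip nat inside source static 209.157.1.80 10.10.10.80
no ip nat inside source static 10.10.10.71 209.157.1.71
ip nat inside source static 10.10.10.72 209.157.1.300
"""

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def audit_static_nat(config_text):
    """Return (mappings, findings) for the static NAT lines in config_text."""
    mappings, findings, seen_global = [], [], {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = STATIC_NAT.match(line)
        if not m or m.group(1):  # skip unrelated lines and "no ..." removals
            continue
        try:
            private = ipaddress.IPv4Address(m.group(2))
            global_ip = ipaddress.IPv4Address(m.group(3))
        except ipaddress.AddressValueError:
            findings.append((lineno, "invalid IPv4 address"))
            continue
        if not is_rfc1918(private):
            findings.append((lineno, "private-ip is not an RFC 1918 address"))
        if is_rfc1918(global_ip):
            findings.append((lineno, "global-ip is an RFC 1918 address"))
        if global_ip in seen_global:
            findings.append((lineno, f"global-ip already mapped on line {seen_global[global_ip]}"))
        seen_global.setdefault(global_ip, lineno)
        mappings.append((str(private), str(global_ip)))
    if len(seen_global) > MAX_GLOBAL_IPS:
        findings.append((0, "more than 255 global IP addresses"))
    return mappings, findings

if __name__ == "__main__":
    maps, problems = audit_static_nat(SAMPLE_CONFIG)
    print(maps, problems, sep="\n")
```

Findings are `(line number, message)` pairs; the mapping list is the set of internal hosts that have a public address and should be reviewed against whatever filtering sits in front of them.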
Serveriron / nat [ In reply to ]
On 4 Nov 2004, at 21:07, Cliff Fogle wrote:

> What type of hardware are you running? Are you running in any sort of
> active-active or active-standby mode?
>

Serveriron XL 16 Port. I will be running an active-standby
configuration (if I can understand how that works too! :)).

>
> The inside source parameter specifies that the mapping applies to the
> private address sending traffic to the Internet.
>

OK, I understand that. I have just tried it and it works fine. Any
traffic from the server to the internet will use the IP address that I
have assigned. However, what happens if I want to go from the internet
to the private address, for incoming SSH requests for example?
>
> If you are running dual chassis devices in an active-active or
> active-standby mode I would wait for the new code to be released
> shortly. The new (shortly released) IronWare 9.2 code will greatly
> simplify this. Instructions for the new configuration are in the
> release notes for that release.
>

OK, Do you know when this will be, would you recommend not using NAT in
an active/standby configuration? What problems occur if you do?

On a side note, in an active/standby configuration. I have been reading
that you should build the configuration on one serveriron and then
replicate it to the second serveriron (and using the backup commands to
configure the backup port) but how does that work if you have virtual
interfaces? I have a number of ve interfaces for each subnet, so do I
just copy the same configuration across? The documentation says that
you need to change the management address? I am unsure what this means!

Sorry if I am asking too many questions! Thanks for all your help!

Kind regards
Tim.

---
Timothy Arnold
Technical Support Engineer
UK Solutions, Birmingham Road
Studley, B80 7BG

http://www.uksolutions.co.uk

To contact support:
Via telephone: 08700 681 333
Via email: support@uksolutions.co.uk
Serveriron / nat [ In reply to ]
*My comments in blue or marked with '*'. You do have a lot of
questions...I hope I can answer them somewhat clearly.


>Serveriron XL 16 Port. I will be running an active-standby
>configuration (if I can understand how that works too! :)).

*The active standby config is very easy, search the CLI docs for
'sym-priority'. It also works very well. I strongly suggest that you
do not download the operating code from the site. Ask Foundry for a
patch release that is right for you.

>
>>
>> The inside source parameter specifies that the mapping applies to the
>> private address sending traffic to the Internet.
>>
>
>OK, I understand that. I have just tried it and it works fine. Any
>traffic from the server to the internet will use the IP address that I
>have assigned. However, what happens if I want to go from the internet
>to the private address, for incoming SSH requests for example?

*It should work both ways. Just ssh to the outside address. (from the
outside of course). Make sure that your real servers' only possible
route to the outside is through the serveriron. You cannot use DSR in
this config.


>>
>> If you are running dual chassis devices in an active-active or
>> active-standby mode I would wait for the new code to be released
>> shortly. The new (shortly released) IronWare 9.2 code will greatly
>> simplify this. Instructions for the new configuration are in the
>> release notes for that release.
>>
>
>OK, Do you know when this will be, would you recommend not using NAT in
>an active/standby configuration? What problems occur if you do?

*The new code release is not for the XL series, sorry. I don't quite
know how to configure this but it involves creating VRRP-E interfaces
for the static nat addresses. Hopefully the new method in 9.2 will
trickle into the XL code line.


>
>On a side note, in an active/standby configuration. I have been reading
>that you should build the configuration on one serveriron and then
>replicate it to the second serveriron (and using the backup commands to
>configure the backup port) but how does that work if you have virtual
>interfaces? I have a number of ve interfaces for each subnet, so do I
>just copy the same configuration across? The documentation says that you
>need to change the management address? I am unsure what this means!

*Your VEs will need vrrp-e interfaces. There are lots of bugs in the
config sync stuff...it's pretty brand new. I usually just tftp the
config off the 'active' SI, edit the ip addresses, vrrp-e priorities and
the sym-priorities and tftp it up to the 'standby'. One of the cool
things about the 'sym-priority' stuff is that you can have one SI active
for virtual server X and the other active for virtual Y. So you have
them backing each other up, but you're balancing load across the two
XLs.

