SNAT Fun
Type11_8030 (Nimbostratus), Jul 29, 2009
I think I have a unique situation and I'm not sure how to get around it.
This will be a tough one to explain, but I will give it a go.
We have clients that, for security, require that they only be contacted by the IP matching the VIP of the LB on the public side.
This is easy enough with a SNAT list, putting the servers that will make the outbound requests behind it.
Now, to make it more complicated, we also have an internal "router" for cluster traffic that also needs SNAT. So here is the setup:
Server A-> Application Node
Server B-> Application Node
Server C-> Active Cluster Traffic Router
Server D-> Backup Cluster Traffic Router
VIP 1-> External VLAN VIP
VIP 2-> Internal VLAN VIP
A request comes into VIP 1 and goes to Server A or B depending on round robin.
That all works great.
Now where it gets hairy is the outgoing request. Server A or B needs to talk to a client on the public side. So it first contacts VIP 2, which points to Server C or D, whichever one is active. However, all communication must look like VIP 2, so I did a SNAT rule for Server A and B for VIP 2, so that when it talks internally to Server C or D it looks like VIP 2 and not the IP of Server A or B.
That all works, and I see VIP 2 in captures on Server C or D.
Now the problem is that Server A or B then turns around and will talk to a device on the public internet (External VLAN). When it does this I see the IP of VIP 2, which is not what I want. Recall from the first statement that the device in the field needs to see the IP of VIP 1.
Since VIP 2 is on the internal VLAN, I thought that if I just applied the SNAT list to the internal VLAN that would do it. However, I still see the VIP 2 address on the external VLAN.
How can I get VIP 2 to be seen by internal traffic and VIP 1 to be seen for outgoing traffic, for traffic originating from the same servers A and B?
Thanks for any help. I know this is confusing (my head is spinning now....)
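One way to pick the source address per connection rather than per origin server, as an added example that is not part of the original post or of F5's own documentation: an iRule attached to a wildcard forwarding virtual server (0.0.0.0:0, all protocols) that listens only on the internal VLAN, so every connection servers A and B originate passes through it. The iRule chooses the SNAT address from the destination the server is connecting to, which is what a standalone SNAT object cannot do, since SNAT objects match on the origin address only. The addresses below (VIP 1 = 203.0.113.10, VIP 2 = 10.20.0.10, internal network 10.20.0.0/16) are assumptions for illustration, and the `IP::addr ... equals <net>/<prefix>` form assumes BIG-IP v10 or later.

```tcl
# Added example, not the original poster's configuration.
# Assumed addresses:
#   VIP 1 = 203.0.113.10  (external VLAN VIP; what field devices must see)
#   VIP 2 = 10.20.0.10    (internal VLAN VIP in front of cluster routers C/D)
#   internal network = 10.20.0.0/16
# Attach to a wildcard forwarding virtual server enabled only on the
# internal VLAN, and to the VIP 2 virtual server if that one should also
# present VIP 2 as the source towards servers C and D.

when CLIENT_ACCEPTED {
    # IP::client_addr is server A or B; IP::local_addr is the address the
    # server is trying to reach (the BIG-IP is the local end of this side).
    if { [IP::addr [IP::local_addr] equals 10.20.0.0/16] } {
        # Internal hop (VIP 2, or C/D directly): source-NAT to VIP 2
        snat 10.20.0.10
        log local0. "[IP::client_addr] -> [IP::local_addr] SNAT to VIP 2"
    } else {
        # Anything leaving for the external VLAN / public side: VIP 1
        snat 203.0.113.10
        log local0. "[IP::client_addr] -> [IP::local_addr] SNAT to VIP 1"
    }
}
```

Two things to check once this is in place. First, remove or disable the standalone SNAT objects for servers A and B, so that the iRule is the only thing deciding the source address and there is no second rule that could still stamp VIP 2 onto external traffic. Second, verify with a capture on the external VLAN (for example `tcpdump -ni <external-vlan> host <field-device>`) that the outbound connections now carry VIP 1 as the source, and a capture on C or D that the internal hop still shows VIP 2; the `log local0.` lines in `/var/log/ltm` give the same view from the BIG-IP side. Drop the `log` statements after testing, since they fire on every new connection.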
- Type11_8030 (Nimbostratus)
I just read this and confused myself a bit, so here are the basics: