Forum Discussion
kwkyiu_53019
Nimbostratus
NimbostratusUse NAT to connect two non-routable network
I would like to ask if I can use NAT to connect two non-routable network, which can make the servers on the two network 'thinks' they are directly routable.
In the attached diagram, I had two private(non-routable) subnet 192.168.1.0/24 and 192.168.2.0/24.
Each subnet had a server (192.168.1.1 and 192.168.2.1) which use the load balancer as their default gateway. The two load balancer can reach each other directly(i.e. 172.20.1.0/24 and 172.20.2.0/24) is routable.
What I would like to do is use the NAT function of the load balancer to connect the 2 server up without letting them know anything about the external IP of each other(i.e. I can ping the private IP).
I will set NAT rule as follows.
LB1:
172.20.1.1<-->192.168.1.1
192.168.2.1<-->172.20.2.1
LB2:
172.20.2.1<-->192.168.2.1
192.168.1.1<-->172.20.1.1
Will it works on LTMv9?
8 Replies
- Yes, that looks like it would work.
/deb 
kwkyiu_53019Thanks for your reply, but our service provider said that setting the rule 192.168.2.1<-->172.20.2.1 on LB1 and 192.168.1.1<-->172.20.1.1 on LB2 will have no effect (i.e. LTMv9 will not do such NAT) and refuse to config those rules- JRahm
Admin
The LTM will do that just fine. What probably will not work fine is if that cloud is the ISP you are talking about and the connectivity between the datacenters is not MPLS. In that scenario, the RFC1918 addressing will not be permitted on their network outside an MPLS VPN. - kwkyiu_53019I can add NAT to LTM even the NAT Address and Origin Address is not on local subnet of the LTM?
The address in the example is just for reference. 
HamishCirrocumulus
Funnily enough I've been pondering a similar situation... Except with front-end and backend F5's and requiring de-NAT'ing at the backend... I think iRUles won't doit, but one thing I thought of was to use ssh (Available in the Linux OS of the F5) to create a tunnel between the two ends... Then you should be able to doit without any NAT or SNAT (Hmm... Didn't consider whether last-hop would work with that yet, or how performance would go).
Deb... What's the chances of an RFE giving us tunnels between pairs of F5's?
H- yes, you can NAT to a non-local address, and you can control whether LTM responds to ARP requests or not.
Autolasthop only helps on the response, not getting to the destination.
You'd have to be careful of L2 & L3 loops, of course, as always, but if they just need to talk to each other, you can connect them via a private subnet on its own vlan, either with a crossover cable or an intervening switch. We have long recommended that practice for redundant pairs, esp if you are mirroring persistence or connections, might work for a simple comm channel between 2 pairs just as well.
hth
/deb - kwkyiu_53019
Posted By hamish@travellingkiwi.com on 07/31/2008 5:06 AM
Funnily enough I've been pondering a similar situation... Except with front-end and backend F5's and requiring de-NAT'ing at the backend... I think iRUles won't doit, but one thing I thought of was to use ssh (Available in the Linux OS of the F5) to create a tunnel between the two ends... Then you should be able to doit without any NAT or SNAT (Hmm... Didn't consider whether last-hop would work with that yet, or how performance would go).
Deb... What's the chances of an RFE giving us tunnels between pairs of F5's?
H
Thanks for your idea. It's a great idea to use tunnels to make this possible, but it have to be port by port and pass tcp packet only. Although we most likely will use tcp only but the port number is random. It hard to pre-open all the ports. - kwkyiu_53019
yes, you can NAT to a non-local address, and you can control whether LTM responds to ARP requests or not.
Where can I found the doucment that support this usage? I had read the section about NAT for the configuration guide but found that it is too vague on this issue. We need some 'prove' to convince our service provider to set this for us.You'd have to be careful of L2 & L3 loops, of course, as always, but if they just need to talk to each other, you can connect them via a private subnet on its own vlan, either with a crossover cable or an intervening switch. We have long recommended that practice for redundant pairs, esp if you are mirroring persistence or connections, might work for a simple comm channel between 2 pairs just as well.
It would be great if those 2 subnet is directly routable but the 2 set of servers and LTMs are located at 2 different site(they will backup each other), so we are not able to make a direct connection for them.
Thanks for you helpful response
