We run into this frequently with our public school networks; a couple of things we try to do:

1. Eliminate the hairpin traffic to the router - DNS trickery as already mentioned and/or a second NIC in the target server. We configure our routers with the public network as a secondary IP on the router; you would still have the hairpin traffic without the aid of DNS trickery. The DNS trickery may be nothing more than a local hosts file on each internal client that the TCP stack would reference before looking to the configured DNS server. This local hosts file would have a DNS mapping for the local server pointing to the private address.

2. ALWAYS include "ip route-cache same-interface" on a router interface that might experience hairpin traffic.

If the traffic is not terribly significant, the route-cache same-interface is usually sufficient; if the traffic is expected to be significant, we do everything we can to eliminate the hairpin traffic altogether.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geyer, Nick
Sent: Thursday, July 17, 2008 12:16 AM
To: [email protected]
Subject: [c-nsp] NAT and hairpin's

Hi Everyone,

Just wondering if anyone has come up with a way to hairpin traffic using a Cisco router? The problem is as follows:

Say for example I have a router connecting to the Internet and an internal LAN doing normal NAT, e.g.:

203.1.2.3 -> ROUTER <- 192.168.1.0/24

(203.1.2.3 being the public IP on the "outside" interface)

I have an application that talks from clients on the Internet to an internal server (192.168.1.1), with the appropriate static NATs set up on the router to forward the traffic. The problem is the internal clients also need to talk to the server but on the public IP address (203.1.2.3). The traffic from the internal clients will hit the router but it won't translate and forward the traffic because it's coming from the "inside" interface (and the static NAT only works for requests from the outside interface).

I don't believe it can be done but just thought I would ask in case anyone has come up with a weird and wonderful way.

Cheers,
Nick Geyer.
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
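As an added illustration of the layout the reply describes (second NIC in the server, public network as a secondary address on the router, "ip route-cache same-interface" on the interface that sees the hairpin), here is an IOS configuration fragment written for this page; it is not either poster's configuration. It assumes interface names, a /29 public subnet routed behind the router, that the server's second NIC takes 203.1.2.3 on that subnet (rather than 203.1.2.3 being the router's outside address as in the original question), and an uplink address; all of those are made-up values.

```text
! Added example, not the poster's configuration. Interface names,
! addresses other than 192.168.1.0/24 and 203.1.2.3, and the /29 are assumed.
interface FastEthernet0/0
 description inside LAN (private primary, public secondary)
 ip address 192.168.1.254 255.255.255.0
 ip address 203.1.2.1 255.255.255.248 secondary
 ip nat inside
 ! Hairpin path: a packet from 192.168.1.0/24 to the server's public NIC
 ! (203.1.2.3) enters and leaves on this interface. Without this line IOS
 ! punts such packets to process switching, which is what hurts under load.
 ip route-cache same-interface
!
interface Serial0/0
 description Internet uplink (assumed address)
 ip address 203.1.2.9 255.255.255.252
 ip nat outside
!
! Ordinary overload NAT for the rest of the LAN; the server itself needs no
! static NAT in this layout because it owns a routed public address.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Serial0/0 overload
```

The client-side half of option 1 is simply a hosts entry on each internal machine, e.g. `192.168.1.1 appserver.example.org` (hostname assumed), which the resolver consults before DNS and which keeps the internal clients off the router entirely. One caveat worth keeping in mind when the hairpin path is kept: traffic that stays on FastEthernet0/0 never crosses Serial0/0, so any access list applied to the outside interface does not inspect internal clients reaching the server's public address; filtering for that path has to live on the inside interface or on the server.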
