By default, the ServerIron ADX uses the MAC address of its default gateway as the destination MAC address for server replies (TCP SYN and TCP SYN ACK) to a client. This works well in some configurations but can cause difficulties in configurations where there are multiple VLANs and multiple instances of VRRP are running in each VLAN on upstream routers.
Reverse NAT allows the ServerIron ADX to change the source IP address of some traffic initiated by a real server. Specifically, the [no] server reverse-nat command causes the ServerIron ADX to change the source IP address for traffic that the real server initiates on TCP or UDP ports that are bound to a VIP.
By default, the ServerIron ADX does not perform address translation for any traffic initiated by the real server. However, if you enable Reverse NAT, the ServerIron ADX does perform address translation for connections that the server initiates on ports that are bound to a VIP on the ServerIron ADX.
Reverse NAT works with any port number you use for binding the real server to the VIP. However, TCP and UDP traffic initiated by a real server uses a source port that is chosen by the server when the traffic is sent. As a result, it is not easy to predict the source port numbers the real server will use. You can ensure that the ServerIron ADX translates the source address of the traffic by binding the real server to a VIP using the “default” port. For example, if you configure VIP1 and bind it to real server RS1 using the default port, the ServerIron ADX translates the source IP address in all TCP and UDP traffic initiated by RS1 from the real server’s IP address into the VIP address.
Even when Reverse NAT is enabled, the ServerIron ADX does not translate the source address for traffic that the real server initiates over ports that are not bound to a VIP.
If you bind a real server to more than one VIP, the ServerIron ADX will use the address of the VIP that is bound to the server using the default port. For example, if you bind a real server to VIP1 using TCP port 80 and bind the same server to VIP2 using the default port, the ServerIron ADX always uses VIP2 for Reverse NAT.
The server reverse-nat command is disabled by default.
The commands in this example create real server RS1 and VIPs VIP1 and VIP2. VIP1 is bound to RS1 using TCP port 80 (HTTP). VIP2 is bound to RS1 using the default port. When RS1 initiates TCP or UDP traffic, the ServerIron ADX translates the source IP address from 10.10.10.1 to 192.168.1.69. The ServerIron ADX uses VIP2’s IP address instead of VIP1’s IP address for Reverse NAT because VIP2 is bound using the default port.
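The selection rules above, as an added model (not ServerIron code) that an operator can use to predict which source address upstream firewalls and logs will record for a real server's outbound connections; VIP1's address 192.168.1.68 is an assumed placeholder, since the page gives only VIP2's.

```python
# Added illustration of the Reverse NAT source-address rule described above.
# Not the product's code; VIP1's address is a constructed placeholder.
from dataclasses import dataclass, field

DEFAULT_PORT = "default"   # the ADX "default" port binding covers all TCP/UDP


@dataclass
class RealServer:
    name: str
    ip: str


@dataclass
class VirtualServer:
    name: str
    ip: str
    # (real server name, port) pairs; port is an int or DEFAULT_PORT
    bindings: list = field(default_factory=list)


def reverse_nat_source(real: RealServer, vips: list, src_port: int,
                       reverse_nat_enabled: bool) -> str:
    """Return the source IP a peer sees for traffic the real server initiates.

    Rules taken from the text:
      * feature disabled: no translation at all
      * a VIP bound with the default port wins over any port-specific binding
      * otherwise translate only if the server's chosen source port is bound
      * no matching binding: traffic leaves with the real server's own address
    """
    if not reverse_nat_enabled:
        return real.ip
    port_match = None
    for vip in vips:
        for rs_name, port in vip.bindings:
            if rs_name != real.name:
                continue
            if port == DEFAULT_PORT:
                return vip.ip          # default binding always takes precedence
            if port == src_port and port_match is None:
                port_match = vip.ip
    return port_match if port_match is not None else real.ip


# Topology from the example above (VIP1's address is assumed, not from the page)
RS1 = RealServer("RS1", "10.10.10.1")
VIP1 = VirtualServer("VIP1", "192.168.1.68", [("RS1", 80)])
VIP2 = VirtualServer("VIP2", "192.168.1.69", [("RS1", DEFAULT_PORT)])

if __name__ == "__main__":
    for port in (80, 40000):   # 40000: an ephemeral port the server might pick
        print(port, reverse_nat_source(RS1, [VIP1, VIP2], port, True))
```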
A ServerIron ADX can use a virtual server address as a dynamic NAT address for real servers. This enables the use of the virtual server IP address for outbound connections from real servers.