Can I use 1:1 NAT to disguise a single internal host?


  • I just need confirmation if this will work.

    I've got an ADFS server that's a nightmare to TLS, so I use HAProxy for it. It works on the outside because of NAT, but internally, even if isolated on a different subnet, it's still fully routed. Using DNS I can divert its traffic towards a VIP, where HAProxy+NAT will process it and redirect it back to the real host.

    I even mapped it out to make "an informed decision" (ha!):

    That's pretty much all I need to call it a day, except that ADFS needs to contact domain controllers for federation; in doing so it would reveal its real IP address, triggering the DCs to update its DNS records as a result.

    I started doing this with outbound NAT until I realized I only know how to do one of the two trips. I should know it, because I have the same setup (sort of) for a remote firewall; only in that case I'm using a transit network, and each part of the [outbound] NAT is done on different devices, not on the same one.

    (I mapped it out too, it got messy:)

    For a minute there I lost network connectivity when I didn't notice I had replaced all outbound NAT (to the Internet) with the VIP address. (It was really more like an hour, when somebody complained.)

    Could I use 1:1 NAT to map VIP:host and still be able to intercept traffic with HAProxy on the VIP? It occurred to me while fixing the mistakes, seeing that outbound NAT actually has a destination field; it's not just blind like in a default gateway. It may not be the same as 1:1, but it got me there, train-of-thought£#@fffsly.

    Thanks for your help!