Accessing local server behind NAT by using single public IP and FQDN.

Dec 9th, 2007

I've googled and searched for a week now trying to find out how I can access my server from the internal network. The server is statically port NATed from my one public IP to an address on VLAN1.


I would like to reach this server using the public IP from VLAN2 (using the domain name (FQDN)). Is there any solution to this? The router I had before starting with Cisco automatically supported this. I've found out that this type of operation is probably called "bi-directional NAT" or "Two-way NAT".


Unfortunately I've been unable to find examples of this for Cisco IOS without using split-DNS. I've got a Cisco 1801-router.


Help would be greatly appreciated! :)


-André


darrenj Sun, 12/09/2007 - 10:52

Hey Andre.

OK, so you have configured your VLAN 1 interface as inside, and your public-facing interface as outside? You have also configured the VLAN 2 interface as outside, right? So that the router knows to NAT.


Can you post your current config so we can look at it properly?


Dazzler

andyba777 Sun, 12/09/2007 - 13:36

Hi Dazzler,


An additional important feature is that both VLANs need to be able to reach the internet by means of NAT. It would also be nice if VLAN 1 could have the same feature as VLAN 2 when it comes to reaching the server with the FQDN. Hope this is not too much to ask for :)


This config has some configurations that are not currently in use. I've deleted some config lines that are not informative.



version 12.4
resource policy
!
no ip source-route
!
ip cef
ip tcp synwait-time 10
!
no ip bootp server
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
!
interface FastEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0
 ip nbar protocol-discovery
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 switchport access vlan 2
!
interface FastEthernet5
 switchport access vlan 2
!
interface FastEthernet6
 switchport access vlan 2
!
interface FastEthernet7
 switchport access vlan 2
!
interface FastEthernet8
 switchport access vlan 2
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
 ip route-cache flow
!
interface Vlan2
 description $FW_INSIDE$
 ip address 10.2.0.1 255.255.255.0
 ip nat inside
 ip route-cache flow
!
router rip
 network 10.0.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 10.1.0.5 22 interface FastEthernet0 22
ip nat inside source static tcp 10.1.0.5 53 interface FastEthernet0 53
ip nat inside source static tcp 10.1.0.5 443 interface FastEthernet0 443
ip nat inside source static tcp 10.1.0.5 143 interface FastEthernet0 143
ip nat inside source static tcp 10.1.0.5 80 interface FastEthernet0 80
ip nat inside source static udp 10.1.0.5 53 interface FastEthernet0 53
ip nat inside source static tcp 10.1.0.5 25 interface FastEthernet0 25
ip nat inside source static tcp 10.1.0.5 8080 interface FastEthernet0 8080
ip nat inside source static tcp 10.1.0.5 993 interface FastEthernet0 993
!
logging trap debugging
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255
access-list 2 permit 10.1.0.0 0.0.0.255
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 2 deny any
access-list 10 permit 10.2.0.0 0.0.0.255
access-list 11 permit 10.1.0.0 0.0.0.255
access-list 12 permit 10.2.0.0 0.0.0.255
access-list 100 permit tcp 10.1.0.0 0.0.0.255 host 10.1.0.1 eq telnet
access-list 100 permit tcp 10.1.0.0 0.0.0.255 host 10.1.0.1 eq www
access-list 100 permit tcp 10.1.0.0 0.0.0.255 host 10.1.0.1 eq cmd
access-list 100 deny tcp any host 10.1.0.1 eq telnet
access-list 100 deny tcp any host 10.1.0.1 eq 22
access-list 100 deny tcp any host 10.1.0.1 eq www
access-list 100 deny tcp any host 10.1.0.1 eq 443
access-list 100 deny tcp any host 10.1.0.1 eq cmd
access-list 100 deny udp any host 10.1.0.1 eq snmp
access-list 100 permit ip any any
access-list 101 permit ip 10.1.0.0 0.0.0.255 any
access-list 101 permit ip 10.2.0.0 0.0.0.255 any
access-list 102 permit tcp 10.2.0.0 0.0.0.255 host 10.2.0.1 eq telnet
access-list 102 permit tcp 10.2.0.0 0.0.0.255 host 10.2.0.1 eq www
access-list 102 permit tcp 10.2.0.0 0.0.0.255 host 10.2.0.1 eq cmd
access-list 102 deny tcp any host 10.2.0.1 eq telnet
access-list 102 deny tcp any host 10.2.0.1 eq 22
access-list 102 deny tcp any host 10.2.0.1 eq www
access-list 102 deny tcp any host 10.2.0.1 eq 443
access-list 102 deny tcp any host 10.2.0.1 eq cmd
access-list 102 deny udp any host 10.2.0.1 eq snmp
access-list 102 permit ip any any
access-list 165 permit ip any host x.x.x.165
access-list 177 permit icmp any any
route-map Nat-loop permit 10
 match ip address 165
 set ip next-hop 192.168.1.1 192.168.1.2
!


Thank you,

-André

Correct Answer
Edison Ortiz Sun, 12/09/2007 - 16:49

You need to configure a NAT Virtual Interface:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hiad_c/ch20/ntbaddrs.htm#wp1084652


The problem is that the packet never leaves the router via the egress interface where the ip nat outside is located, so the source is never translated; the destination IP is locally connected.


I haven't tested this but according to the description, it should work. Post back with results.

andyba777 Mon, 12/10/2007 - 11:39

Thank you for your reply.


I'm kinda new to networking so this has been a really good experience for me. I've learned a lot, but still I'm not even close to having the full picture.


The link you posted tells me how to configure NAT Virtual Interfaces, but it does not tell how to configure the vrf for this sort of configuration. Could you please point me in the right direction? I've attached my current configuration where I've made two vrf (I'm not sure if the rd's are correct and if I need the route-target settings), two Loopback interfaces and one Virtual-Template.


Thank you,

-André




Edison Ortiz Mon, 12/10/2007 - 11:44

Since you are new to networking, I recommend starting with baby steps. Based on your config, I don't see the need for configuring VRFs.

andyba777 Mon, 12/10/2007 - 12:21

Well, the only thing I need is to reach my server by using the domain name (FQDN). So whatever can get me there...


Best regards,

-André

Edison Ortiz Mon, 12/10/2007 - 12:35

...And the link I posted should help you on this task.


Another option is configuring an internal DNS server and creating the same domain name there. Create an 'A' host for that server pointing to the internal IP and change the DHCP scope for your internal network to point to that DNS instead of the external DNS.

andyba777 Wed, 12/12/2007 - 11:31

Here is the solution to the problem:


Use of the NAT Virtual Interface (NVI). Use of this skips the need for designating an interface as either inside or outside.


1. Define the interfaces as "ip nat enable"


interface FastEthernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id FastEthernet0
 ip nbar protocol-discovery
 ip nat enable
 ip route-cache flow
 duplex auto
 speed auto
 service-policy output SDM-QoS-Policy-1
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.1.0.1 255.255.255.0
 ip access-group 100 in
 ip nat enable
!
interface Vlan2
 description $FW_INSIDE$
 ip address 10.2.0.1 255.255.255.0
 ip access-group 102 in
 ip nat enable


Then define the NATed ports for incoming traffic, and the first line for outgoing internet traffic.


ip nat source list 1 interface FastEthernet0 overload
ip nat source static tcp 10.1.0.5 25 interface FastEthernet0 25
ip nat source static udp 10.1.0.5 53 interface FastEthernet0 53
ip nat source static tcp 10.1.0.5 80 interface FastEthernet0 80
ip nat source static tcp 10.1.0.5 143 interface FastEthernet0 143
ip nat source static tcp 10.1.0.5 443 interface FastEthernet0 443
ip nat source static tcp 10.1.0.5 53 interface FastEthernet0 53
ip nat source static tcp 10.1.0.5 8080 interface FastEthernet0 8080
ip nat source static tcp 10.1.0.5 22 interface FastEthernet0 22


Define who should get to use the NATed overload statement:


access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255


Best regards,

-André
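As an added example (my own code, not from the thread, from André's router, or from Cisco), here is a small Python auditor for the IOS NAT configuration style posted above. It parses the config text, lists the internal services the static entries expose through the public interface, checks which inside subnets the overload ACL actually covers (André's requirement that both VLANs reach the internet), and reports whether the inside-to-public-IP (hairpin) case can work: not under the legacy "ip nat inside"/"ip nat outside" model, because the packet never crosses an "ip nat outside" interface, which is the point Edison made; yes under NVI once "ip nat enable" is on every participating interface. The two sample configs are constructed for the example and modelled on the thread; the parser assumes "show running-config" layout with one-space indented sub-commands and recognises only the commands used here.

```python
"""Auditor for the Cisco IOS NAT configuration style used in this thread.
Added example, not code from the thread or from Cisco; the sample configs
below are constructed, modelled on the posted configuration."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: legacy inside/outside NAT, overload ACL covers VLAN 1 only.
SAMPLE_LEGACY = """\
interface FastEthernet0
 ip address dhcp client-id FastEthernet0
 ip nat outside
!
interface Vlan1
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
!
interface Vlan2
 ip address 10.2.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 10.1.0.5 443 interface FastEthernet0 443
access-list 1 permit 10.1.0.0 0.0.0.255
"""

# Same topology converted to NVI ("ip nat enable"), with VLAN 2 added to ACL 1.
SAMPLE_NVI = (SAMPLE_LEGACY.replace(" ip nat outside", " ip nat enable")
              .replace(" ip nat inside", " ip nat enable")
              .replace("ip nat inside source", "ip nat source")
              + "access-list 1 permit 10.2.0.0 0.0.0.255\n")

def _wildcard_net(addr, wildcard):
    """IOS standard ACLs use wildcard bits (inverse netmask); 0.0.0.0 means one host."""
    mask = ip_address(0xFFFFFFFF ^ int(ip_address(wildcard)))
    return ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Collect interface NAT roles, static/overload NAT lines and standard ACLs.
    Sub-commands are recognised by their one-space indent, as in 'show run'."""
    cfg = {"interfaces": {}, "statics": [], "overload": [], "acls": {}}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = cfg["interfaces"].setdefault(m.group(1), {"nat": None, "network": None})
            continue
        if line.startswith(" "):  # interface sub-command
            sub = line.strip()
            m = re.match(r"ip address (\S+) (\d+\.\d+\.\d+\.\d+)$", sub)
            if current is not None and m:
                current["network"] = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            elif current is not None and sub in ("ip nat inside", "ip nat outside", "ip nat enable"):
                current["nat"] = sub.split()[-1]
            continue
        current = None  # unindented line: back in global configuration
        m = re.match(r"ip nat (?:inside )?source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$", line)
        if m:
            proto, host, port, iface, public_port = m.groups()
            cfg["statics"].append({"proto": proto, "host": host, "port": int(port),
                                   "iface": iface, "public_port": int(public_port)})
            continue
        m = re.match(r"ip nat (?:inside )?source list (\d+) interface (\S+) overload$", line)
        if m:
            cfg["overload"].append({"acl": m.group(1), "iface": m.group(2)})
            continue
        m = re.match(r"access-list (\d+) permit (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", line)
        if m:
            cfg["acls"].setdefault(m.group(1), []).append(_wildcard_net(m.group(2), m.group(3)))
    return cfg

def hairpin_status(cfg):
    """Can an inside client reach a static entry via the public address?
    Returns (nat_model, works, reason)."""
    ifaces = cfg["interfaces"]
    modes = {i["nat"] for i in ifaces.values() if i["nat"]}
    if not cfg["statics"]:
        return ("none", False, "no static NAT entries to reach")
    if "enable" in modes and len(modes) > 1:
        return ("mixed", False, "'ip nat enable' mixed with inside/outside; use one NAT model")
    if "enable" not in modes:
        # Legacy domain NAT translates only when the packet crosses an 'ip nat
        # outside' interface; an inside -> public-IP packet never does.
        return ("legacy", False, "packet never crosses an 'ip nat outside' interface, "
                "so neither source nor destination is translated")
    public = {s["iface"] for s in cfg["statics"]}
    missing = sorted(n for n, i in ifaces.items()
                     if i["nat"] is None and (i["network"] is not None or n in public))
    if missing:
        return ("nvi", False, "add 'ip nat enable' on: " + ", ".join(missing))
    return ("nvi", True, "NVI translates on the inside-to-inside path as well")

def exposed_services(cfg):
    """Defender's view: (inside host, proto, public port, inside port) reachable from outside."""
    return sorted({(s["host"], s["proto"], s["public_port"], s["port"]) for s in cfg["statics"]})

def overload_coverage(cfg):
    """Subnets permitted to use PAT, and addressed NAT interfaces the ACL leaves out."""
    permitted = [n for o in cfg["overload"] for n in cfg["acls"].get(o["acl"], [])]
    uncovered = [name for name, i in cfg["interfaces"].items()
                 if i["network"] and i["nat"] and not any(i["network"].subnet_of(p) for p in permitted)]
    return permitted, uncovered

if __name__ == "__main__":
    for label, text in (("legacy", SAMPLE_LEGACY), ("nvi", SAMPLE_NVI)):
        cfg = parse_config(text)
        print(label, hairpin_status(cfg), "exposed:", exposed_services(cfg),
              "PAT uncovered:", overload_coverage(cfg)[1])
```

Run it as a script to see the report for both samples, or pass a real running-config string to parse_config() to audit a router. A "mixed" result (some interfaces on ip nat enable, others on inside/outside) is flagged for review because the fix posted in this thread relies on every participating interface using the same NAT model.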
