12-09-2007 09:21 AM - edited 03-05-2019 07:53 PM
I've googled and searched for a week now trying to find out how I can access my server from the internal network. The server is statically port NATed from my one public IP to an address on VLAN1.
I would like to reach this server using the public IP from VLAN2 (using the domain name, i.e. the FQDN). Is there any solution to this? The router I had before starting with Cisco automatically supported this. I've found out that this type of operation is probably called "bi-directional NAT" or "two-way NAT".
Unfortunately I've been unable to find examples of this for Cisco IOS without using split-DNS. I've got a Cisco 1801-router.
Help would be greatly appreciated! :)
-André
12-09-2007 10:52 AM
Hey Andre.
OK, so you have configured your VLAN 1 interface as inside, and the public-facing interface as outside? You have also configured the VLAN 2 interface as outside, right? So that the router knows to NAT.
Can you post your current config so we can look at it properly.
Dazzler
12-09-2007 01:36 PM
Hi Dazzler,
An additional important feature is that both VLANs need to be able to reach the internet by means of NAT. It would also be nice if VLAN1 could have the same feature as VLAN2 when it comes to reaching the server with the FQDN. Hope this is not too much to ask for :)
This config has some configurations that are not currently in use. I've deleted some config lines that are not informative.
version 12.4
resource policy
!
no ip source-route
!
ip cef
ip tcp synwait-time 10
!
no ip bootp server
!
interface Loopback0
ip address 192.168.1.1 255.255.255.252
ip nat inside
!
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0
ip nbar protocol-discovery
ip nat outside
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
switchport access vlan 2
!
interface FastEthernet5
switchport access vlan 2
!
interface FastEthernet6
switchport access vlan 2
!
interface FastEthernet7
switchport access vlan 2
!
interface FastEthernet8
switchport access vlan 2
!
interface Vlan1
description $FW_INSIDE$
ip address 10.1.0.1 255.255.255.0
ip nat inside
ip route-cache flow
!
interface Vlan2
description $FW_INSIDE$
ip address 10.2.0.1 255.255.255.0
ip nat inside
ip route-cache flow
!
router rip
network 10.0.0.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 10.1.0.5 22 interface FastEthernet0 22
ip nat inside source static tcp 10.1.0.5 53 interface FastEthernet0 53
ip nat inside source static tcp 10.1.0.5 443 interface FastEthernet0 443
ip nat inside source static tcp 10.1.0.5 143 interface FastEthernet0 143
ip nat inside source static tcp 10.1.0.5 80 interface FastEthernet0 80
ip nat inside source static udp 10.1.0.5 53 interface FastEthernet0 53
ip nat inside source static tcp 10.1.0.5 25 interface FastEthernet0 25
ip nat inside source static tcp 10.1.0.5 8080 interface FastEthernet0 8080
ip nat inside source static tcp 10.1.0.5 993 interface FastEthernet0 993
!
logging trap debugging
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255
access-list 2 permit 10.1.0.0 0.0.0.255
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 2 deny any
access-list 10 permit 10.2.0.0 0.0.0.255
access-list 11 permit 10.1.0.0 0.0.0.255
access-list 12 permit 10.2.0.0 0.0.0.255
access-list 100 permit tcp 10.1.0.0 0.0.0.255 host 10.1.0.1 eq telnet
access-list 100 permit tcp 10.1.0.0 0.0.0.255 host 10.1.0.1 eq www
access-list 100 permit tcp 10.1.0.0 0.0.0.255 host 10.1.0.1 eq cmd
access-list 100 deny tcp any host 10.1.0.1 eq telnet
access-list 100 deny tcp any host 10.1.0.1 eq 22
access-list 100 deny tcp any host 10.1.0.1 eq www
access-list 100 deny tcp any host 10.1.0.1 eq 443
access-list 100 deny tcp any host 10.1.0.1 eq cmd
access-list 100 deny udp any host 10.1.0.1 eq snmp
access-list 100 permit ip any any
access-list 101 permit ip 10.1.0.0 0.0.0.255 any
access-list 101 permit ip 10.2.0.0 0.0.0.255 any
access-list 102 permit tcp 10.2.0.0 0.0.0.255 host 10.2.0.1 eq telnet
access-list 102 permit tcp 10.2.0.0 0.0.0.255 host 10.2.0.1 eq www
access-list 102 permit tcp 10.2.0.0 0.0.0.255 host 10.2.0.1 eq cmd
access-list 102 deny tcp any host 10.2.0.1 eq telnet
access-list 102 deny tcp any host 10.2.0.1 eq 22
access-list 102 deny tcp any host 10.2.0.1 eq www
access-list 102 deny tcp any host 10.2.0.1 eq 443
access-list 102 deny tcp any host 10.2.0.1 eq cmd
access-list 102 deny udp any host 10.2.0.1 eq snmp
access-list 102 permit ip any any
access-list 165 permit ip any host x.x.x.165
access-list 177 permit icmp any any
route-map Nat-loop permit 10
match ip address 165
set ip next-hop 192.168.1.1 192.168.1.2
!
Thank you,
-André
12-09-2007 04:49 PM
You need to configure a NAT Virtual Interface:
The problem is that the packet never leaves the router via the egress interface where "ip nat outside" is located, so the source is never translated; the destination IP is locally connected.
I haven't tested this but according to the description, it should work. Post back with results.
12-10-2007 11:39 AM
Thank you for your reply.
I'm kinda new to networking so this has been a really good experience for me. I've learned a lot, but still I'm not even close to having the full picture.
The link you posted tells me how to configure NAT Virtual Interfaces, but it does not tell how to configure the vrf for this sort of configuration. Could you please point me in the right direction? I've attached my current configuration where I've made two vrf (I'm not sure if the rd's are correct and if I need the route-target settings), two Loopback interfaces and one Virtual-Template.
Thank you,
-André
12-10-2007 11:44 AM
Since you are new to networking, I recommend starting with baby steps. Based on your config, I don't see the need for configuring VRFs.
12-10-2007 12:21 PM
Well, the only thing I need is to reach my server by using the domain name (FQDN). So whatever can get me there...
Best regards,
-André
12-10-2007 12:35 PM
...And the link I posted should help you on this task.
Another option is configuring an internal DNS server and creating the same domain name. Create an 'A' host record for that server pointing to the internal IP and change your DHCP scope for your internal network to point to that DNS instead of the external DNS.
12-12-2007 11:31 AM
Here is the solution to the problem:
Use the NAT Virtual Interface (NVI). Using it removes the need to designate each interface as either inside or outside.
1. Define the interfaces as "ip nat enable"
interface FastEthernet0
description $FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id FastEthernet0
ip nbar protocol-discovery
ip nat enable
ip route-cache flow
duplex auto
speed auto
service-policy output SDM-QoS-Policy-1
interface Vlan1
description $FW_INSIDE$
ip address 10.1.0.1 255.255.255.0
ip access-group 100 in
ip nat enable
interface Vlan2
description $FW_INSIDE$
ip address 10.2.0.1 255.255.255.0
ip access-group 102 in
ip nat enable
Then define the NATed ports for incoming traffic, and the first line for outgoing internet traffic.
ip nat source list 1 interface FastEthernet0 overload
ip nat source static tcp 10.1.0.5 25 interface FastEthernet0 25
ip nat source static udp 10.1.0.5 53 interface FastEthernet0 53
ip nat source static tcp 10.1.0.5 80 interface FastEthernet0 80
ip nat source static tcp 10.1.0.5 143 interface FastEthernet0 143
ip nat source static tcp 10.1.0.5 443 interface FastEthernet0 443
ip nat source static tcp 10.1.0.5 53 interface FastEthernet0 53
ip nat source static tcp 10.1.0.5 8080 interface FastEthernet0 8080
ip nat source static tcp 10.1.0.5 22 interface FastEthernet0 22
Define who should get to use the NATed overload statement:
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255
Best regards,
-André
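The accepted answer explains the failure in one sentence: with "ip nat inside/outside", translation is tied to the inside-to-outside direction, so a VLAN2 packet addressed to the router's own public IP is delivered locally and never translated, while an NVI translates the destination first and then the source. The following Python model is an added example written for this page, not code from the thread or from Cisco; it encodes the order of operations for both modes using the static forwards and access-list 1 from the posted config. The public address 198.51.100.10 and the VLAN2 client 10.2.0.77 are constructed (the post's FastEthernet0 uses DHCP and the real address is masked), and the model keeps the client's source port unchanged during overload, which IOS does when the port is free.

```python
"""Model of IOS NAT order of operations for the hairpin case in the thread:
a VLAN2 client opens the public IP of a port forward that points at a VLAN1
server.  Classic inside/outside NAT never translates the packet; an NVI
(ip nat enable) translates the destination first, then the source."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses: the post's FastEthernet0 uses DHCP and masks its address.
PUBLIC_IP = "198.51.100.10"
SERVER = "10.1.0.5"     # VLAN1 server from the post
CLIENT = "10.2.0.77"    # hypothetical VLAN2 host

CONNECTED = {
    "FastEthernet0": ip_network("198.51.100.0/24"),
    "Vlan1": ip_network("10.1.0.0/24"),
    "Vlan2": ip_network("10.2.0.0/24"),
}
ROUTER_ADDRESSES = {PUBLIC_IP, "10.1.0.1", "10.2.0.1"}
NAT_ROLE = {"FastEthernet0": "outside", "Vlan1": "inside", "Vlan2": "inside"}

# ip nat [inside] source static tcp 10.1.0.5 <port> interface FastEthernet0 <port>
STATIC_TCP = {p: SERVER for p in (22, 25, 53, 80, 143, 443, 993, 8080)}
# access-list 1 permit 10.1.0.0 0.0.0.255 / permit 10.2.0.0 0.0.0.255
ACL1 = [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def route(dst: str) -> str:
    """Egress for dst: the router itself, a connected network, or the default."""
    if dst in ROUTER_ADDRESSES:
        return "local"
    a = ip_address(dst)
    for name, net in CONNECTED.items():
        if a in net:
            return name
    return "FastEthernet0"   # ip route 0.0.0.0 0.0.0.0 FastEthernet0


def acl1_permits(src: str) -> bool:
    return any(ip_address(src) in net for net in ACL1)


def classic_forward(pkt: Packet, ingress: str):
    """ip nat inside / ip nat outside.  outside->inside: destination is
    translated before routing.  inside->outside: route first, then translate
    the source only if the egress interface is 'ip nat outside'."""
    if NAT_ROLE[ingress] == "outside":
        if pkt.dst == PUBLIC_IP and pkt.dport in STATIC_TCP:
            pkt = Packet(pkt.src, pkt.sport, STATIC_TCP[pkt.dport], pkt.dport)
        return route(pkt.dst), pkt
    egress = route(pkt.dst)
    if egress != "local" and NAT_ROLE[egress] == "outside" and acl1_permits(pkt.src):
        pkt = Packet(PUBLIC_IP, pkt.sport, pkt.dst, pkt.dport)  # overload, port kept
    return egress, pkt


def nvi_forward(pkt: Packet, ingress: str, bindings: dict):
    """ip nat enable on every interface (NVI).  Destination translation runs
    first, then routing, then source translation whenever the packet leaves
    through a different NAT-enabled interface and the source matches ACL 1."""
    if pkt.dst == PUBLIC_IP and pkt.dport in STATIC_TCP:
        pkt = Packet(pkt.src, pkt.sport, STATIC_TCP[pkt.dport], pkt.dport)
    egress = route(pkt.dst)
    if egress not in ("local", ingress) and acl1_permits(pkt.src):
        translated = Packet(PUBLIC_IP, pkt.sport, pkt.dst, pkt.dport)
        # keep the binding so the reply can be un-translated
        key = (translated.dst, translated.dport, translated.src, translated.sport)
        bindings[key] = (pkt.src, pkt.sport)
        pkt = translated
    return egress, pkt


def nvi_reverse(reply: Packet, bindings: dict) -> Packet:
    """Server reply: restore the original client as destination and, for a
    static forward, put the public IP back as source so the client sees the
    address it dialled."""
    key = (reply.src, reply.sport, reply.dst, reply.dport)
    if key not in bindings:
        return reply
    orig_src, orig_sport = bindings[key]
    src = PUBLIC_IP if STATIC_TCP.get(reply.sport) == reply.src else reply.src
    return Packet(src, reply.sport, orig_src, orig_sport)


if __name__ == "__main__":
    hairpin = Packet(CLIENT, 40000, PUBLIC_IP, 80)
    print("classic:", classic_forward(hairpin, "Vlan2"))
    table = {}
    print("nvi    :", nvi_forward(hairpin, "Vlan2", table))
    print("reply  :", nvi_reverse(Packet(SERVER, 80, PUBLIC_IP, 40000), table))
```

Two things the model makes visible that a practitioner should check on the real box. First, after the NVI change the server sees every hairpinned VLAN2 client as the router's public address, so server-side logs and any per-client rate limits lose the real source. Second, in this model the dynamic rule is keyed only on the source ACL, so direct VLAN2-to-VLAN1 traffic (client straight to 10.1.0.5) is also source-translated; confirm with "show ip nat nvi translations" whether your IOS release does the same, and if it does, replace access-list 1 with an extended list that denies the 10.0.0.0/8 destinations before the permit.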