
Accessing local server behind NAT by using single public IP and FQDN.

andyba777
Level 1

I've googled and searched for a week now trying to find out how I can access my server from the internal network. The server is statically port NATed from my one public IP to an address on VLAN1.

I would like to reach this server using the public IP from VLAN2 (using the domain name (FQDN)). Is there any solution to this? The router I had before starting with Cisco automatically supported this. I've found out that this type of operation is probably called "bi-directional NAT" or "Two-way NAT".

Unfortunately I've been unable to find examples of this for Cisco IOS without using split-DNS. I've got a Cisco 1801-router.

Help would be greatly appreciated! :)

-André


8 Replies

darrenj
Level 1

Hey Andre.

OK, so you have configured your VLAN 1 interface as inside, and public-facing interface outside? You have also configured the VLAN 2 interface as outside right? So that the router knows to NAT.

Can you post your current config so we can look at it properly.

Dazzler

Hi Dazzler,

An additional important feature is that both VLANs need to be able to reach the internet by means of NAT. It would also be nice if Vlan1 could have the same feature as Vlan2 when it comes to reaching the server with the FQDN. Hope this is not too much to ask for :)

This config has some configurations that are not currently in use. I've deleted some config lines that are not informative.

version 12.4
resource policy
!
no ip source-route
!
ip cef
ip tcp synwait-time 10
!
no ip bootp server
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
!
interface FastEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0
 ip nbar protocol-discovery
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 switchport access vlan 2
!
interface FastEthernet5
 switchport access vlan 2
!
interface FastEthernet6
 switchport access vlan 2
!
interface FastEthernet7
 switchport access vlan 2
!
interface FastEthernet8
 switchport access vlan 2
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
 ip route-cache flow
!
interface Vlan2
 description $FW_INSIDE$
 ip address 10.2.0.1 255.255.255.0
 ip nat inside
 ip route-cache flow
!
router rip
 network 10.0.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 10.1.0.5 22 interface FastEthernet0 22
ip nat inside source static tcp 10.1.0.5 53 interface FastEthernet0 53
ip nat inside source static tcp 10.1.0.5 443 interface FastEthernet0 443
ip nat inside source static tcp 10.1.0.5 143 interface FastEthernet0 143
ip nat inside source static tcp 10.1.0.5 80 interface FastEthernet0 80
ip nat inside source static udp 10.1.0.5 53 interface FastEthernet0 53
ip nat inside source static tcp 10.1.0.5 25 interface FastEthernet0 25
ip nat inside source static tcp 10.1.0.5 8080 interface FastEthernet0 8080
ip nat inside source static tcp 10.1.0.5 993 interface FastEthernet0 993
!
logging trap debugging
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255
access-list 2 permit 10.1.0.0 0.0.0.255
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 2 deny any
access-list 10 permit 10.2.0.0 0.0.0.255
access-list 11 permit 10.1.0.0 0.0.0.255
access-list 12 permit 10.2.0.0 0.0.0.255
access-list 100 permit tcp 10.1.0.0 0.0.0.255 host 10.1.0.1 eq telnet
access-list 100 permit tcp 10.1.0.0 0.0.0.255 host 10.1.0.1 eq www
access-list 100 permit tcp 10.1.0.0 0.0.0.255 host 10.1.0.1 eq cmd
access-list 100 deny tcp any host 10.1.0.1 eq telnet
access-list 100 deny tcp any host 10.1.0.1 eq 22
access-list 100 deny tcp any host 10.1.0.1 eq www
access-list 100 deny tcp any host 10.1.0.1 eq 443
access-list 100 deny tcp any host 10.1.0.1 eq cmd
access-list 100 deny udp any host 10.1.0.1 eq snmp
access-list 100 permit ip any any
access-list 101 permit ip 10.1.0.0 0.0.0.255 any
access-list 101 permit ip 10.2.0.0 0.0.0.255 any
access-list 102 permit tcp 10.2.0.0 0.0.0.255 host 10.2.0.1 eq telnet
access-list 102 permit tcp 10.2.0.0 0.0.0.255 host 10.2.0.1 eq www
access-list 102 permit tcp 10.2.0.0 0.0.0.255 host 10.2.0.1 eq cmd
access-list 102 deny tcp any host 10.2.0.1 eq telnet
access-list 102 deny tcp any host 10.2.0.1 eq 22
access-list 102 deny tcp any host 10.2.0.1 eq www
access-list 102 deny tcp any host 10.2.0.1 eq 443
access-list 102 deny tcp any host 10.2.0.1 eq cmd
access-list 102 deny udp any host 10.2.0.1 eq snmp
access-list 102 permit ip any any
access-list 165 permit ip any host x.x.x.165
access-list 177 permit icmp any any
route-map Nat-loop permit 10
 match ip address 165
 set ip next-hop 192.168.1.1 192.168.1.2
!

Thank you,

-André

Edison Ortiz
Hall of Fame

You need to configure a NAT Virtual Interface:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hiad_c/ch20/ntbaddrs.htm#wp1084652

The problem is the packet never leaves the router via the egress interface where the ip nat outside is located so the source is never translated, the destination IP is locally connected.

I haven't tested this but according to the description, it should work. Post back with results.

Thank you for your reply.

I'm kinda new to networking so this has been a really good experience for me. I've learned a lot, but still I'm not even close to having the full picture.

The link you posted tells me how to configure NAT Virtual Interfaces, but it does not tell me how to configure the VRF for this sort of configuration. Could you please point me in the right direction? I've attached my current configuration, where I've made two VRFs (I'm not sure if the RDs are correct and if I need the route-target settings), two Loopback interfaces and one Virtual-Template.

Thank you,

-André

Since you are new to networking, I recommend starting with baby steps. Based on your config, I don't see the need for configuring VRFs.

Well, the only thing I need is to reach my server by using the domain name (FQDN). So whatever can get me there...

Best regards,

-André

...And the link I posted should help you on this task.

Another option is configuring an internal DNS server and creating the same domain name. Create an 'A' host for that server pointing to the internal IP and change your DHCP scope for your internal network to point to that DNS instead of the external DNS.

Here is the solution to the problem:

Use the NAT Virtual Interface (NVI). This removes the need to designate an interface as either inside or outside.

1. Define the interfaces as "ip nat enable"

interface FastEthernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id FastEthernet0
 ip nbar protocol-discovery
 ip nat enable
 ip route-cache flow
 duplex auto
 speed auto
 service-policy output SDM-QoS-Policy-1
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.1.0.1 255.255.255.0
 ip access-group 100 in
 ip nat enable
!
interface Vlan2
 description $FW_INSIDE$
 ip address 10.2.0.1 255.255.255.0
 ip access-group 102 in
 ip nat enable

Then define the NATed ports for incoming traffic, and the first line for outgoing internet traffic.

ip nat source list 1 interface FastEthernet0 overload
ip nat source static tcp 10.1.0.5 25 interface FastEthernet0 25
ip nat source static udp 10.1.0.5 53 interface FastEthernet0 53
ip nat source static tcp 10.1.0.5 80 interface FastEthernet0 80
ip nat source static tcp 10.1.0.5 143 interface FastEthernet0 143
ip nat source static tcp 10.1.0.5 443 interface FastEthernet0 443
ip nat source static tcp 10.1.0.5 53 interface FastEthernet0 53
ip nat source static tcp 10.1.0.5 8080 interface FastEthernet0 8080
ip nat source static tcp 10.1.0.5 22 interface FastEthernet0 22

Define who should get to use the NATed overload statement:

access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255

Best regards,

-André
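A small Python model of the behaviour discussed in this thread (an added illustration, not IOS code and not from the thread or Cisco): with classic inside/outside NAT, a Vlan2 packet addressed to the public IP is delivered to the router itself because it never egresses the ip nat outside interface, while with NVI the static entry rewrites the destination to 10.1.0.5 and access-list 1 hides the source behind the public IP, so the server's reply maps back to the Vlan2 host. The address 203.0.113.165 is a constructed stand-in for the x.x.x.165 in the thread, and port allocation is simplified.

```python
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.165"  # constructed stand-in for the DHCP WAN address (thread shows x.x.x.165)
SERVER = "10.1.0.5"          # the statically NATed server on Vlan1
STATIC_PORTS = {("tcp", 22), ("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 80),
                ("tcp", 143), ("tcp", 443), ("tcp", 993), ("tcp", 8080)}  # the static lines
NAT_IFACES = {"Vlan1": ip_network("10.1.0.0/24"), "Vlan2": ip_network("10.2.0.0/24")}
OVERLOAD_ACL = list(NAT_IFACES.values())  # access-list 1 permits both VLANs
sessions = {}  # (proto, public port) -> (inside src, inside port): the overload table

def on_interface(addr):
    """Ingress interface by source address; anything not in a VLAN arrives on FastEthernet0."""
    return next((n for n, net in NAT_IFACES.items() if ip_address(addr) in net), "FastEthernet0")

def overload(proto, src, sport):
    """PAT to the public IP. Simplified: keeps the original port, no collision handling."""
    sessions.setdefault((proto, sport), (src, sport))
    return PUBLIC_IP, sport

def unmap_static(proto, src, sport):
    """Reverse of the static entries: the server's own replies appear to come from the public IP."""
    return (PUBLIC_IP, sport) if src == SERVER and (proto, sport) in STATIC_PORTS else (src, sport)

def classic_nat(proto, src, sport, dst, dport):
    """Domain NAT: destination translated only on arrival at FastEthernet0 (ip nat outside),
    source translated only on egress through it. Returns (disposition, src, sport, dst, dport)."""
    if on_interface(src) == "FastEthernet0":
        if dst == PUBLIC_IP and (proto, dport) in STATIC_PORTS:
            return ("forward", src, sport, SERVER, dport)
        return ("router", src, sport, dst, dport)
    if dst == PUBLIC_IP:  # the hairpin: locally addressed, never egresses the outside interface
        return ("router", src, sport, dst, dport)
    if on_interface(dst) == "FastEthernet0":  # inside -> outside
        src, sport = unmap_static(proto, src, sport)
        if any(ip_address(src) in n for n in OVERLOAD_ACL):
            src, sport = overload(proto, src, sport)
    return ("forward", src, sport, dst, dport)

def nvi_nat(proto, src, sport, dst, dport):
    """NVI (ip nat enable on every interface): translation runs between any NAT-enabled pair,
    so the hairpin is handled like any other packet addressed to the public IP."""
    if dst == PUBLIC_IP and (proto, dport) in STATIC_PORTS:
        dst = SERVER  # static entry applies regardless of ingress interface
    elif dst == PUBLIC_IP and (proto, dport) in sessions:
        dst, dport = sessions[(proto, dport)]  # reply to an overloaded session
    src, sport = unmap_static(proto, src, sport)
    if any(ip_address(src) in n for n in OVERLOAD_ACL):
        src, sport = overload(proto, src, sport)  # inside hosts hidden behind the public IP
    return ("forward", src, sport, dst, dport)
```

Like NVI itself, which translates between any two NAT-enabled interfaces, the model also source-translates Vlan2-to-Vlan1 traffic, so the server's logs will show the public IP rather than the real Vlan2 host.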
