Cisco 2811, servers behind NAT not accessible from inside

Unanswered Question
Apr 5th, 2008

Hi ,

I have the following problem:

The servers are given public IP addresses so as to be available from outside. It works just fine, but when clients that are on the same network, e.g.

10.0.0.0/16, want to connect to them via the public address 78.x.x.x the connection is refused. It seems silly, because I can ping the servers from these hosts. Moreover, all can connect to the servers over the inside network 10.0.0.0/16.

I wasted 6 hours looking for a solution and found nothing.

I have a 2811 router and it's all I have - I do not have an internal DNS.

I would appreciate your help,

Gabriel

config:

no aaa new-model
!
resource policy
!
ip cef
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 10.2.0.0 10.255.255.255
ip dhcp excluded-address 10.0.0.1 10.0.255.255
!
ip dhcp pool mypool
 network 10.0.0.0 255.0.0.0
 dns-server 10.0.0.254
 default-router 10.0.0.254
 lease 7
!
ip name-server 213.xxx.xxx.xxx
ip name-server 82.xxx.xxx.xxx
!
voice-card 0
 no dspfarm
!
interface FastEthernet0/0
 ip address 78.xxx.xxx.xxx 255.255.255.224
 ip access-group inbound in
 ip access-group outbound out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.0.254 255.0.0.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
ip route 0.0.0.0 0.0.0.0 78.xxx.xxx.xxx
!
ip http server
no ip http secure-server
ip dns server
ip nat pool mypool 78.xxx.xxx.xxx 78.xxx.xxx.xxx netmask 255.255.255.224
ip nat inside source list 1 pool mypool overload
ip nat inside source static 10.0.0.1 xxx.xxx.xxx.98
ip nat inside source static 10.0.0.2 xxx.xxx.xxx.99
!
ip access-list extended inbound
 permit tcp any host xxx.xxx.xxx.98 eq www
 permit tcp any host xxx.xxx.xxx.98 eq 5544
 permit tcp any host xxx.xxx.xxx.98 eq ftp
 permit tcp any host xxx.xxx.xxx.98 eq smtp
 permit tcp any host xxx.xxx.xxx.98 eq 443
 permit tcp any host xxx.xxx.xxx.99 eq 5545
 permit tcp any host xxx.xxx.xxx.126 eq telnet
 permit udp any eq domain any
 evaluate nattraffic
ip access-list extended outbound
 permit ip any any reflect nattraffic
!
access-list 1 permit 10.0.0.0 0.255.255.255
snmp-server community public RO
!
dnsix-nat source 10.0.0.254
!
control-plane
!

x.x.x.98 and .99 are the public addresses of the servers, and

10.0.0.1 and 10.0.0.2 their internal ones (there are quite a few services on them).

simon.birtles Sat, 04/05/2008 - 13:54

Gabriel,

If I understand correctly you want a host on the inside (e.g. 10.0.0.1) to connect to destination 77.x.x.98 (real addr 10.0.0.98), by using NAT to translate the destination from 77.x.x.98 to 10.0.0.98.

What you are attempting to do here is Source & Destination NAT on the same interface (inbound & outbound); this is not possible in this case.

The ICMP replies you receive are from the NAT router and not from the destination server. Use 'debug ip icmp' on the NAT router to see the ICMP return created by the router.

The destination address does not get translated. If you try a connection to 77.x.x.98 www from inside and look at 'sh ip nat trans' and 'debug ip packet' (use an ACL filter!) you will see that your source addr has been translated (due to the PAT config) but not your destination addr; the dest will still be the 77.x.x.98 address, not the local 10.x.x.98 address.

You say you don't have an internal DNS. IOS has a built-in DNS which you could use for internal requests and have other (non-authoritative) requests forwarded on to external DNS.

Regards,

Simon
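The check Simon describes above, worked through as an added example (this is not from the original thread). It assumes an inside client at 10.0.0.5 and uses 78.x.x.98 as a stand-in for the first server's public (static NAT) address; the 2811 runs CEF, so the debug needs one extra step to see transit packets at all.

```cisco
! Added example, not the original poster's config.
! 10.0.0.5 = assumed inside client, 78.x.x.98 = server's inside-global address.
!
! 1. Filter the debug to the one flow under test, both directions, so the
!    console is not flooded by the rest of the 10.0.0.0/8 traffic.
access-list 150 permit tcp host 10.0.0.5 host 78.x.x.98 eq www
access-list 150 permit tcp host 78.x.x.98 eq www host 10.0.0.5
!
! 2. Caveat: debug ip packet reports only process-switched packets. With
!    ip cef enabled, transit traffic is fast-switched and never shows up.
!    Turning the route cache off on the inside interface forces process
!    switching for the duration of the test (expect higher CPU; do it in a
!    maintenance window and restore it afterwards).
interface FastEthernet0/1
 no ip route-cache
!
! 3. Start the two debugs Simon names: the filtered packet trace and the
!    ICMP the router itself generates or answers.
debug ip packet 150 detail
debug ip icmp
!
! 4. From 10.0.0.5 run "telnet 78.x.x.98 80" and "ping 78.x.x.98", then on
!    the router compare what was translated:
!      show ip nat translations
!    A PAT entry for 10.0.0.5 (inside local) -> pool address (inside global)
!    with outside global 78.x.x.98 shows the source was rewritten while the
!    destination was left alone, which is the behaviour Simon describes;
!    debug ip icmp shows whether the echo replies are sent by the router
!    rather than forwarded back from 10.0.0.1.
!
! 5. Clean up: stop debugging, put the route cache back, drop the ACL.
undebug all
interface FastEthernet0/1
 ip route-cache
no access-list 150
```

The two ACL lines are deliberately host-specific: an unfiltered `debug ip packet` on a router carrying all of 10.0.0.0/8 can lock up the console.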

gstarczewski Sun, 04/06/2008 - 14:27

Well, to be precise, Simon, it is this:

I want the hosts behind NAT - all of them - to be able to reach the others in the internal network via the public addresses. So, for example, assuming I have the web server 10.0.0.1 which is translated to 79.10.0.1: from outside I can reach it via http://79.10.0.1 and from inside via http://10.0.0.1, but trying http://79.10.0.1 from a host such as 10.0.0.2 fails! If I can set it up somehow (DNS alias?) I would be grateful for any hints.

Regards,

Gabriel

simon.birtles Mon, 04/07/2008 - 09:10

Gabriel,

That's what I thought you were trying to do. As for a DNS alias on IOS, DNS is translated using static NAT, but again not on the same interface, which is where we get the problem, and there is no specific DNS alias/doctoring as on the PIX/ASA.

Can I ask why you want your inside users to use the public address? Is this an application requirement?

Can your users use a URL instead?

Would a DNS resolver be a solution? As I mentioned, you could have your IOS box running DNS and forward DNS requests to your ISP's (or some other) DNS on the internet for resolution of hosts on the public internet.

There are some other options such as NAT on a stick or two internal subnets on subinterfaces, but both of these require readdressing internally, which I assume you want to avoid?

Regards,
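The router-hosted DNS that Simon suggests in both of his replies, written out as an added configuration example (not the original poster's config and not from the thread). It assumes the placeholder names mysite.com, www.mysite.com and mail.mysite.com for the hosts at 10.0.0.1 and 10.0.0.2, keeps the poster's existing `ip name-server` entries as forwarders, and relies on the DHCP pool already handing out 10.0.0.254 as the clients' resolver. The poster's config already has `ip dns server`; the missing piece is the host table.

```cisco
! Added example. Host names are placeholders; 10.0.0.1 / 10.0.0.2 and the
! name-server addresses come from the poster's config.
!
! The router answers these names itself with the private addresses, so inside
! clients never try to hairpin through 78.x.x.98/.99. The same names keep
! resolving to the public addresses from the internet, because outside
! resolvers never ask this router.
ip domain lookup
ip dns server
ip name-server 213.xxx.xxx.xxx
ip name-server 82.xxx.xxx.xxx
!
! Static answers for inside clients. Add one line per name the servers are
! reached by, including any name a server redirects to; a name that is
! missing here is forwarded upstream and comes back with the public address,
! which is exactly the hairpin that fails.
ip host mysite.com 10.0.0.1
ip host www.mysite.com 10.0.0.1
ip host mail.mysite.com 10.0.0.2
!
! Anything not in the host table is forwarded to the name servers above and
! the answer cached, so general internet resolution keeps working.
!
! Caveat (assumption on our side, not stated in the thread): the reflexive
! ACL "nattraffic" tracks traffic passing through the router, not queries the
! router itself sends, which is why a static permit for the replies is needed
! on the outside interface. The poster's "permit udp any eq domain any" lets
! any UDP with source port 53 reach any inside host; restricting it to the
! two forwarders and the router's own address is tighter and still enough:
ip access-list extended inbound
 no permit udp any eq domain any
 permit udp host 213.xxx.xxx.xxx eq domain host 78.xxx.xxx.xxx
 permit udp host 82.xxx.xxx.xxx eq domain host 78.xxx.xxx.xxx
!
! Verification:
!   show hosts                    on the router: the static entries above,
!                                 plus cached entries once forwarding works
!   clear host *                  flush cached entries after changing names
!   nslookup mysite.com 10.0.0.254   from a client: must return 10.0.0.1
!   nslookup mysite.com           from outside: must still return the
!                                 public address
```

Clients that cached the public address before the change will keep using it until their resolver cache expires, so test from a freshly booted host or flush the client cache first.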

gstarczewski Mon, 04/07/2008 - 22:59

No, if I can avoid DNS it would be fine, for I have an initial setup and readdressing is OK. I do not have a DNS server and I would prefer not to use the router for that purpose, as I heard it can slow down the network. Users on the internal network have to access the web site via domain name, e.g. http://mysite.com, and the e-mail servers also.

How do I do two-way NAT?

gstarczewski Tue, 04/08/2008 - 00:22

I did set it up with DNS on the router:

Now I can do:

$telnet site.com 80

from an inside host and I open the connection successfully, but when I issue:

GET /

I get a 302 error, file moved to x1.site-xxx.com.

Issuing the same from outside works fine; the server returns the root document.

Is it a router or a server problem?
