NAT and coming from the inside

Unanswered Question
Mar 10th, 2009
User Badges:

Hi there,


I am trying to do something that worked out of the box on our old Netopia equipment, but does not seem to work on the SR520:


SR520 has two sides

ADSL (outside)
VLAN75 (inside)


On the inside is one webserver: 192.168.75.3

On the inside are several clients

The SR520 does NAT on port 80 to direct that traffic to the 192.168.75.3

For discussion, let's say the outside IP address is 1.2.3.4


Now, this all works great if we come from the outside; both http://1.2.3.4/ and http://domainname/

work without a hitch.


But, if a client tries to connect from the inside to http://1.2.3.4/ or http://domainname/ nothing happens.

The traffic disappears somewhere.


We were expecting this to also work (just as it did on other firewall/NAT equipment)


Is there anybody with an answer to this question?


Eljakim

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
addis Tue, 03/10/2009 - 14:32
User Badges:

This is a potentially tricky scenario.


IP transactions are processed differently depending upon whether the packet is going inside to outside or outside to inside.


Inside to outside translation occurs after routing.


Outside to inside translation occurs before routing.


There is a chance that a routing problem exist before a translation occurs.


You may try:


(1) show ip route   ---   Make sure the routing tables seem correct

(2) show ip nat translations  ---  Attempt to connect and see what translation debugs show up


This is an issue with NAT, and not the SR520 specifically.

eljakimit Fri, 03/13/2009 - 15:49
User Badges:

And the contents of the nat translation table.

This is while doing two things:

1) making a connection from an outside server to our IP address on :22

2) making a connection from an inside machine to our IP address on :22


The inside machine is 192.168.75.14

The :22 NAT mapping goes to 192.168.75.3


I have removed our IP addresses from the list, and only the :22 lines are shown.


Is this a firewall issue somehow? Is the firewall blocking the connection from inside to inside?


Eljakim


SR520#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp OUR_IP:22  192.168.75.3:22    192.168.75.14:2162 192.168.75.14:2162
tcp OUR_IP:22  192.168.75.3:22    OUTSIDE_SERVER:44049 OUTSIDE_SERVER:44049
tcp OUR_IP:22  192.168.75.3:22    ---                ---




eljakimit Fri, 03/13/2009 - 15:41
User Badges:

The contents of the routing table:


SR520#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route


Gateway of last resort is 0.0.0.0 to network 0.0.0.0


C    192.168.75.0/24 is directly connected, Vlan75
S    192.168.10.0/24 [1/0] via 192.168.75.9
     195.190.249.0/32 is subnetted, 1 subnets
C       195.190.249.28 is directly connected, Dialer0
     10.0.0.0/24 is subnetted, 2 subnets
S       10.1.10.0 [1/0] via 192.168.75.9
S       10.1.1.0 [1/0] via 192.168.75.9
     OUR_IP_NET/32 is subnetted, 1 subnets
C       OUR_IP_ADDRESS is directly connected, Dialer0
S*   0.0.0.0/0 is directly connected, Dialer0

Darryl Tyson Fri, 03/13/2009 - 18:33
User Badges:

Eljakim,


On the Domain name issue, sounds like you are after a DNS rewrite.  I think this is supported on NAT commands not PAT Commands.  You would have to use


ip nat inside source static ip 192.168.75.3 interface Dialer0 (or similar)




instead of:

ip nat inside source static tcp 192.168.75.3 80 interface Dialer0 80

ip nat inside source static tcp 192.168.75.3 22 interface Dialer0 22


this I am sure will have other repercussions.


Cheers


Darryl.



eljakimit Sat, 03/14/2009 - 01:33
User Badges:

Hi Darryl,


it's not a domain name rewrite that I want to do! And I definitely don't want all traffic

to go to 192.168.75.3.


I just don't want my users to have to remember to change their settings based on

whether they're inside or outside the office.


I have a feeling that this is a firewall rule issue somehow, and that it's related

to my other issue, https://www.myciscocommunity.com/thread/1773.


Maybe it'll be resolved once I figure out how to resolve the other issue.


Eljakim

Moderator Tue, 03/17/2009 - 07:44
User Badges:

Hi Eljakim,


Did you open a case from TAC as suggested on your other thread? If solving your other issue does not help this one as well, please let us know.


Thank you,


Cisco Moderation Team

eljakimit Tue, 03/17/2009 - 08:08
User Badges:

Hi moderator,


unfortunately I have not been able to open a TAC case yet.  See Incident: 090311-001943 which has been open for a week now. It appears as though the web-team is unable to help with the Cisco website in making my way through it. I am still hoping for answers...


Once I have a TAC I'll let you know here. Once there is a solution, I'll also post the solution.


Eljakim

weeksgroove Tue, 05/26/2009 - 05:45
User Badges:

So it sounds like this can be resolved faily quickly with some modification to your INternal DNS Server.

First, All of your clients MUST point to an internal DNS server for primary Name Resolution. If not, you need to do this.


Second.  Create a new Foreward Lookup Zone on your Internal DNS server for

Add an A record for host.domain.name and point it to 192.168.75.3.


This should fix your issue as your internal Clients will no longer try to go out to the internet and back in just to reach the server that's sittin in hte closet down the hall.  You should really never try to loop traffic like that.  It will only cause issues.


HTH


- Groove

eljakimit Mon, 06/22/2009 - 11:29
User Badges:

I think I'll just open a TAC.


The issue is:

a) we run no internal DNS (and don't want to go for tricks where the IP address that is returned for a domain name is different when inside the firewall compared to outside)

b) we have many different consultants running in and out of our office, so modifying the hosts file also won't work


It used to work on other platforms, so I guess it is possible.


(And yes, if I sound skeptical: last time we asked something 'hard' we received an extensive explanation

in the TAC as to why what we wanted was impossible, and that was just the way TCP/IP worked... It

turned out that it was something that worked immediately after we upgrade the SR520 firmware)


Anyway, thanks for all your reponses! Once I know how to do this I'll post a solution.


Eljakim

Actions

This Discussion

Related Content