Web host not viewable using public address from private side

Unanswered Question
May 5th, 2009

This has bugged me for a while. A vendor manages our Internet gateway, it has an outside public mapped to an inside private for port 80 etc access. When I use http://(inside private IP) the main page appears, but when I use http://(public address), I get dead air. The vendor tells me that is a security feature in the router that cannot be circumvented, and I just need to always use the inside private address to access the web server when I'm located inside the private network.

I'm not looking for a syntactically correct method for curing this. I'd like to know, in general, if it is possible to configure the router to allow access to the public address from the private network, the general method, and maybe some keywords or article links.

Thanks a bunch!

John Blakley Tue, 05/05/2009 - 07:57

Generally, if it's a firewall, it won't support hairpinning which is what you're asking about. If you have a dns server in-house, you may want to add a host for the inside address or add a host entry in your hosts file. What type of router is this?

Pros/cons for adding entries in a DNS server include that you would need one for public translations and one for private addressing. If you don't route your internet addresses through owning your own public DNS, then you should be okay to add it internally to point to the internal address. The latter option of creating an entry in the hosts file poses a problem for people with laptops. The hosts file is checked before DNS servers, and if the entry exists, it will try to hit it. The problem with laptops is - they move. :) They won't be on your network all of the time and will look for your public web page at your internal address. Unless you force users to VPN into your network before getting on the internet, the latter won't be a viable option for mobile users.

dzug76255 Tue, 05/05/2009 - 08:37

The router is a 1700 series, belonging to us but managed by them. It contains the public/private mapping. Beyond that is more firewall owned by them.

I didn't want to do the DNS trick unless there really was no router solution. Yes, local hosts entries are avoided here. If I do the DNS trick, might there still be a problem with the laptops (mobiles) if the DNS results are cached in the laptops?

John Blakley Tue, 05/05/2009 - 08:44

You might, but generally it'll clear out. You might try something, although I've never done it. If you have access to the router, you might want to try to configure a route map for that public address, and then put the next hop as the internal address that's on the web server.

For example (and ALL in theory), with <web-server-private-ip> and <public-ip> as placeholders for the two addresses:

WEB server: <web-server-private-ip>
Public IP: <public-ip>

access-list 101 permit tcp any host <public-ip> eq 80
route-map PUBLICWEB permit 10
 match ip address 101
 set ip next-hop <web-server-private-ip>

On the LAN interface:

int fa0/1
 ip policy route-map PUBLICWEB

I'd be interested to see if it works. :)

dzug76255 Tue, 05/05/2009 - 12:25

hmm.. If the receiving PC device isn't a router (or running some routing program), would it even respond? That would surprise me (tax what I thought I knew too.. which isn't much).

Thanks again.

thotsaphon Tue, 05/05/2009 - 12:42

Please correct me if I'm wrong.

What happens when you are trying to connect to the server by using the public IP address? Well, you may think about it as sending a SYN packet to that host via a public IP address. Assuming that NAT is working correctly (in case you are using the public IP address on the WAN interface of the router, you are connecting to the router on tcp/80, not your server, and NAT didn't do anything), the server will respond to you with the private IP address. WOW, how can we complete this session? Because you started sending to the public IP address but got a response from a private IP address.

Okay, you may think about how to force the router to inspect the packet and respond to you with the private IP address instead. I heard that the ASA can do this with the DNS doctoring feature. I'm not sure that a C1700 can do that.

Internal DNS is what you may be interested in. (grin)
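As an added illustration (not part of the thread or any Cisco configuration), a small Python model of the flow thotsaphon describes: an inside client sends a SYN to the server's public address, and the handshake only completes when the router hairpins the connection (rewriting the source as well as the destination, so the reply returns through the router). All addresses are constructed sample values, and the hairpin behaviour is the general NAT technique, not a statement of what a 1700 supports.

```python
# Toy model of the NAT flow discussed above. Addresses are constructed samples.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # outside address statically mapped to the server
SERVER_IP = "192.168.1.80"   # inside web server
CLIENT_IP = "192.168.1.50"   # inside client on the same LAN as the server
ROUTER_IN = "192.168.1.1"    # router's inside (LAN) address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flag: str  # "SYN" or "SYN-ACK"


def router_inbound(pkt: Packet, hairpin: bool) -> Packet:
    """Static NAT for traffic sent to the public address.
    Plain DNAT rewrites only the destination; hairpin NAT also rewrites
    the source to the router's inside address so the reply comes back."""
    if pkt.dst != PUBLIC_IP:
        return pkt
    new_src = ROUTER_IN if hairpin else pkt.src
    return Packet(new_src, SERVER_IP, pkt.flag)


def router_return(pkt: Packet, hairpin: bool) -> Packet:
    """Reverse translation of the server's reply (only reached when hairpinned)."""
    if hairpin and pkt.src == SERVER_IP and pkt.dst == ROUTER_IN:
        return Packet(PUBLIC_IP, CLIENT_IP, pkt.flag)
    return pkt


def server_reply(pkt: Packet) -> Packet:
    """The server answers whatever source address it saw in the SYN."""
    return Packet(SERVER_IP, pkt.src, "SYN-ACK")


def client_connects(hairpin: bool) -> bool:
    """True if the client's handshake completes when it uses the public IP."""
    syn = Packet(CLIENT_IP, PUBLIC_IP, "SYN")
    reply = server_reply(router_inbound(syn, hairpin))
    # Without hairpin the SYN-ACK is addressed to the client on the same LAN and
    # never crosses the router; with hairpin it is addressed to the router.
    seen = reply if reply.dst == CLIENT_IP else router_return(reply, hairpin)
    # The client's TCP stack only accepts a SYN-ACK from the peer it contacted.
    return seen.src == PUBLIC_IP and seen.dst == CLIENT_IP
```

Running `client_connects(False)` reproduces the "dead air" in the question, while `client_connects(True)` shows why the fix belongs on the NAT device rather than on the web server.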