Is this possible with PBR?

Answered Question
Dec 29th, 2009

Hi Folks,

Actually I have a web server inside my network, and I have a 1760 router with 2 ADSL connections. The web server is reachable from the internet through the router's public IP address that we rent from the ISP (we have a public domain name for this IP too). What I want to do in my router is that any packet destined for the public IP address (WAN interface) of my router is switched automatically to the web server's IP address (private IP address) without crossing the WAN connection to make the request to the public DNS. I don't know if this can be done using PBR or any other method.

Regards,

Francis

Correct Answer by Giuseppe Larosa about 6 years 9 months ago

Hello Francis,

this can be done in different modes and at different levels:

DNS:

your FQDN www.domainname.xx can be resolved to the private IP address of the server: traffic stays on the inside interface and no NAT is triggered.

complex NAT and/or PBR:

users resolve www.domainname.xx to the public address of the WAN interface or the public address of the server as used in the outside world.

>> that any packets arriving from my routers' internal network destined to the routers wan interface be sent back to the web server in the internal network,

it is complex, because we need to avoid the user IP address being NATted too!

I don't want to say that it cannot be done, but it is complex.

a PBR rule applied on the inside interface could redirect the traffic to the internal server, but it cannot change the destination address to the effective private IP address of the server.

I see a section on route-map support for outside-to-inside

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv.html#wp1085934

but there are restrictions: a dedicated public IP address has to be associated with the internal server; PAT is not supported.

I see the first solution, at the DNS level, as the better one, but I understand it could be handy to do what you would like to achieve.

Hope to help

Giuseppe
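A toy model of the options Giuseppe contrasts, added here as an example and not taken from the thread or from Cisco: split DNS, a PBR-only redirect, a destination-only rewrite, and a full NAT hairpin. All addresses, names and functions are constructed; the destination-only case shows why the inside client's own address gets pulled into the translation, the complication he points at.

```python
from dataclasses import dataclass

# Constructed topology (documentation/RFC 1918 addresses, not the poster's real ones).
PUBLIC_IP = "203.0.113.10"    # rented public address on the router's WAN interface
SERVER_IP = "192.168.1.10"    # web server on the inside LAN
CLIENT_IP = "192.168.1.50"    # laptop on the inside LAN
STATIC_NAT = {PUBLIC_IP: SERVER_IP}   # outside-to-inside static mapping, as Francis's PAT does
LAN_PREFIX = "192.168.1."

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def split_dns(client_ip):
    """DNS option: inside clients get the private address, everyone else the public one."""
    return SERVER_IP if client_ip.startswith(LAN_PREFIX) else PUBLIC_IP

def server_accepts(pkt):
    """The server only answers packets addressed to its own interface address."""
    return pkt.dst == SERVER_IP

def client_accepts(reply):
    """The client only accepts a reply from the peer it dialled (the public address)."""
    return reply.src == PUBLIC_IP and reply.dst == CLIENT_IP

def router_untranslate(reply):
    """Router reverses a hairpin translation for a reply addressed to the NATted source."""
    return Packet(PUBLIC_IP, CLIENT_IP) if reply.dst == PUBLIC_IP else reply

def inside_client_reaches_server(method):
    """Return True if an inside client reaches www.domainname.xx with the given method."""
    if method == "split_dns":
        pkt = Packet(CLIENT_IP, split_dns(CLIENT_IP))       # plain LAN traffic, no NAT at all
        return server_accepts(pkt)
    pkt = Packet(CLIENT_IP, PUBLIC_IP)                      # client resolved the public name
    if method == "pbr_only":
        fwd = pkt                                           # PBR picks a next hop, dst unchanged
        return server_accepts(fwd)
    if method == "dst_nat_only":
        fwd = Packet(pkt.src, STATIC_NAT[pkt.dst])          # rewrite destination only
        reply = Packet(fwd.dst, fwd.src)                    # server answers the LAN client directly
        return server_accepts(fwd) and client_accepts(reply)
    if method == "nat_hairpin":
        fwd = Packet(PUBLIC_IP, STATIC_NAT[pkt.dst])        # rewrite both addresses
        reply = router_untranslate(Packet(fwd.dst, fwd.src))
        return server_accepts(fwd) and client_accepts(reply)
    raise ValueError(f"unknown method {method!r}")
```

Only the split-DNS and full-hairpin cases succeed; the PBR-only case fails because the server never owns the public address, and the destination-only case fails because the reply bypasses the router and arrives from an address the client never dialled.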

Francis Garcia Wed, 03/03/2010 - 12:13

Hi,

What I forgot to say is that the packets that I want to redirect are the packets that come from the internal network. I know that I can use PAT for solving the out-to-in packets, but the idea behind this is that any packets arriving from my routers' internal network destined to the router's WAN interface are sent back to the web server in the internal network. This is because I have a domain name, suppose domain.com, and I want the internal users to use the same internet domain name inside and outside of the network. I don't know if you can understand what I say, but I have made the PAT and it's working fine from the internet, but when I try to access the same internet domain name from the internal network it fails.

Regards,

Francis


Francis Garcia Thu, 03/04/2010 - 08:18

Hi Giuseppe,

I tried a couple of months ago creating a new entry in the DNS zone pointing to itself; when anyone in the network made a request to the internet domain, it got the response from the web server's private IP address and it worked fine, because this server is the DNS server in the network too. The reason behind this question is that I want to make a DMZ network for locating a mail server and other services, and I want to redirect the traffic back. This is because I have roaming users with laptops and I want to avoid the headache of changing the SMTP and POP3 settings every time one of them enters the internal network.


What I was thinking is to dedicate a standalone circuit for this service, HDSL with a public subnet, and then locate the email server behind a firewall that has a public IP address and can do PAT and filtering; on the other hand, add a FastEthernet module to my router and set up one of the public IP addresses of the subnet on my router's FastEthernet module for fast routing of the email traffic. In this way the external and internal users can reach the email server, no matter where they are located. If you have any other advice, it'll be welcome.

Regards,

Francis
