12-29-2009 07:31 AM - edited 03-04-2019 07:04 AM
Hi Folks,
Currently I have a web server inside my network; I have a 1760 router with 2 ADSL connections. The web server is reachable from the Internet through the router's public IP address that we rent from the ISP (we have a public domain name for this IP too). What I want to do on my router is have any packet destined for the public IP address (WAN interface) of my router switched automatically to the web server's IP address (private IP address) without crossing the WAN connection to make the request to the public DNS. I don't know if this can be done using PBR or any other method.
Regards,
Francis
12-29-2009 08:49 AM
Hello Francis,
I would say all you need is a static NAT entry:
ip nat inside source static
ip nat inside source static {esp local-ip interface type number | local-ip global-ip} [extendable | mapping-id map-id |
http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_nat.html#wp1041067
Hope to help
Giuseppe
03-03-2010 12:13 PM
Hi,
What I forgot to say is that the packets I want to redirect are the ones that come from the internal network. I know that I can use PAT to solve the outside-to-inside packets, but the idea behind this is that any packets arriving from my router's internal network destined for the router's WAN interface be sent back to the web server in the internal network. This is because I have a domain name, suppose domain.com, and I want the internal users to use the same Internet domain name inside and outside the network. I don't know if you can understand what I'm saying, but I have set up the PAT and it's working fine from the Internet, but when I try to access the same Internet domain name from the internal network it fails.
Regards,
Francis
03-04-2010 05:00 AM
Hello Francis,
This can be done in different ways and at different levels:
DNS:
your FQDN www.domainname.xx can be resolved to the private IP address of the server: traffic stays on the inside interface and no NAT is triggered.
Complex NAT and/or PBR:
users resolve www.domainname.xx to the public address of the WAN interface or the public address of the server as used in the outside world.
>> that any packets arriving from my router's internal network destined for the router's WAN interface be sent back to the web server in the internal network,
It is complex, because we need to avoid the user's IP address being NATted too!
I don't want to say that it cannot be done, but it is complex.
A PBR rule applied on the inside interface could redirect the traffic to the internal server, but it cannot change the destination address to the actual private IP address of the server.
I see a section on route-map support for outside-to-inside:
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv.html#wp1085934
but there are restrictions: a dedicated public IP address has to be associated with the internal server; PAT is not supported.
I see the first solution, at DNS level, as the better one, but I understand it could be handy to do what you would like to achieve.
Hope to help
Giuseppe
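The two suggestions in this thread (a static NAT entry so Internet clients reach the server, and a DNS answer that gives inside users the private address so their traffic never touches the WAN or NAT) put together in one IOS configuration. This is an added example, not configuration from the original posts. The interface names (FastEthernet0/0 inside, Dialer0 as one ADSL WAN), the addresses (192.168.1.0/24 LAN, 192.168.1.10 web server, 203.0.113.53 as the ISP resolver) and the use of the router itself as the internal DNS server are assumptions for illustration; in the thread the internal DNS server is the web server itself, and the equivalent there is simply an A record for www.domainname.xx pointing to the private address.

```cisco
! Added example, not from the thread. Names and addresses are assumptions:
!   FastEthernet0/0 = inside LAN 192.168.1.0/24
!   Dialer0         = one ADSL WAN carrying the rented public IP
!   192.168.1.10    = web server, 203.0.113.53 = ISP resolver
!
! 1) Outside-to-inside: publish only TCP/80 of the server on the WAN address.
!    A plain "ip nat inside source static 192.168.1.10 <public-ip>" would
!    expose every port of the server, so prefer the per-port (static PAT) form.
interface FastEthernet0/0
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 description ADSL WAN (or a static "ip address <rented-ip> <mask>")
 ip address negotiated
 ip nat outside
 ip access-group WAN-IN in
!
ip nat inside source static tcp 192.168.1.10 80 interface Dialer0 80
!
! Outbound PAT so inside hosts can still reach the Internet
ip access-list standard INSIDE-NETS
 permit 192.168.1.0 0.0.0.255
ip nat inside source list INSIDE-NETS interface Dialer0 overload
!
! Inbound filter on the WAN: the published service, replies to sessions the
! inside opened, DNS answers from resolvers, and nothing else.
ip access-list extended WAN-IN
 permit tcp any any eq 80
 permit tcp any any established
 permit udp any eq 53 any
 permit icmp any any echo-reply
 deny ip any any log
!
! 2) Inside-to-"public name": split DNS. LAN clients point their resolver at
!    192.168.1.1; the router answers www.domainname.xx with the private
!    address and forwards everything else to the ISP resolver.
ip dns server
ip host www.domainname.xx 192.168.1.10
ip name-server 203.0.113.53
ip domain lookup
```

With this, a LAN client resolving www.domainname.xx gets 192.168.1.10 and talks to the server directly on the inside segment, so the router never has to translate an inside-to-WAN-address flow back to the inside (the hairpin the thread describes as complex). Internet clients still resolve the public name to the WAN address and land on the static PAT entry. The WAN-IN access list is a minimal starting point for a stateless filter and should be reviewed against the services actually in use; if the IOS image supports it, a stateful inspection feature is a better fit for the return-traffic rules than the `established` keyword.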
03-04-2010 08:18 AM
Hi Giuseppe,
I tried a couple of months ago creating a new entry in the DNS zone pointing to itself; when anyone in the network made a request to the Internet domain it got the response with the web server's private IP address and it worked fine, because this server is the DNS server in the network too. The reason behind this question is that I want to make a DMZ network for locating a mail server and other services, and I want to redirect the traffic back. This is because I have roaming users with laptops and I want to avoid the headache of changing the SMTP and POP3 settings every time one of them enters the internal network.
What I was thinking is to dedicate a standalone circuit for this service, HDSL with a public subnet, and then locate the email server behind a firewall that has a public IP address and can do PAT and filtering; on the other hand, add a FastEthernet module to my router and set up one of the public IP addresses of the subnet on my router's FastEthernet module for fast routing of the email traffic. In this way the external and internal users can reach the email server, no matter where they are located. If you have any other advice, it is welcome.
Regards,
Francis