destination IP translation between 2 inside interface

Unanswered Question
Jul 16th, 2010

Hi, I just got a C800 series router running on a static Internet IP at the WAN port and having 2 VLANs as inside interfaces. Port forwarding has been defined from the Internet to the application in order for Internet users to access the application. Due to the application limitation, the client program has been hardened with the public IP to access the server. Is there any way that the user can access the server through the public IP even though they're connected to the internal network? Currently, the user cannot access the server once they are back in the office unless they reconfigure the client software back to the private IP. You will probably have a better view by referring to the details below.

WAN IP: 88.88.88.88

VLAN 10: 192.168.1.0/24 (SVRFARM)

VLAN 20: 192.168.2.0/24 (USER)

application server IP: 192.168.1.99/24

Application client software hardened with 88.88.88.88 TCP port 9090 to access from the Internet

Port forwarding: 88.88.88.88 TCP port 9090 to 192.168.1.99 TCP port 9090 (allows users to access through the Internet)

Users have to manually reconfigure the client software from 88.88.88.88 to 192.168.1.99 once they are connected to VLAN 20.

I'm wondering, is it possible to use ip nat inside destination just to translate the destination IP back to the private IP for the traffic from VLAN 20 to VLAN 10?

Hope that someone can help me... thanks.

manish arora Fri, 07/16/2010 - 11:57

Check for errors on your device; I think the user is not able to access the public IP because of hairpinning.

Can you please check the logs for IP spoof denied messages or errors?

Please post the port redirection NAT statement, as I did this on a Cisco ASA, never on a router, so I need to see it.

Thanks

Manish

edmand.hon Fri, 07/16/2010 - 20:33

Hi, you may refer to the attachment for the overview diagram. Below is the configuration. I see nothing in the router log. Is there any way to translate the destination IP for inside-to-inside traffic? Hope that you can help us; every time the user is back in the office they need to harden the client software to the private IP in order to work at the office. Thanks.

Configuration:

==========

interface FastEthernet4
 description SDSL Link
 ip address 88.88.88.88 255.255.255.252
 ip access-group DENY_ROGUE_ATTACK in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan10
 description Server Farm Segment
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-mode
 ip nat inside
!
interface Vlan20
 description User Segment
 ip address 192.168.2.1 255.255.255.0
 ip pim sparse-mode
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip nat inside source list 80 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.99 9090 88.88.88.88 9090 extendable
!
access-list 80 remark Inside NAT Subnet
access-list 80 permit 192.168.1.0 0.0.0.255
access-list 80 permit 192.168.2.0 0.0.0.255

stanleyb Fri, 07/16/2010 - 23:35

Edmand,

It appears that your best bet may be using DNS. Do you have an internal DNS server? Can your client be configured to use an FQDN instead of an IP? If the answer is yes on both, then:

1. Register your public IP address (request with your ISP) with a unique FQDN (ex. app.company.com)

2. Add the new name into your internal DNS server records

3. Replace client's configuration from 192.168.1.99 or 88.88.88.88 to app.company.com.

Clients will now respond consistently the same way and you don't have to change anything, whether they work from home or the office. Keep in mind that if in the future you want to add more apps, then you may need more public IP addresses/FQDN registrations.

Let me know if that solution works for you,

-Stan

stanleyb Fri, 07/16/2010 - 23:59

Hi,

In case you don't have a DNS server and your DHCP server assigns the router's interface for both gateway and DNS, you can use your router as a DNS server to add an FQDN for resolution. Here are the commands:

ip dns server
ip host app.company.com 192.168.1.99

That's it,

-Stan

More details: http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_config_dns_ps6350_TSD_Products_Configuration_Guide_Chapter.html

edmand.hon Sat, 07/17/2010 - 00:11

Hi stan,

Currently, the users are running DHCP and I have configured the DHCP setting to push the ISP's public DNS server to their laptops. If I use this method, do I need to change the DHCP setting so that I push the VLAN interface IP as their DNS server while the router becomes the relay?

stanleyb Sat, 07/17/2010 - 01:18

Ok,

In that case:

1. nslookup your public IP

2. If it resolves, use that name as [app.company.com]

3. If not, request your ISP to associate your public IP address with a unique FQDN (ex. app.company.com)

4. Reconfigure the DHCP server to assign primary DNS=192.168.2.1, secondary and tertiary=public DNS servers

5. Add the following commands to your router:

ip dns server
ip host app.company.com 192.168.1.99
ip domain lookup
ip name-server server-address1 [server-address2 ... server-address6]    <<< don't add your local DNS IP address here

6. Replace client's configuration from 192.168.1.99 or 88.88.88.88 to: app.company.com

In the case of 88.88.88.88, the app.company.com name resolves by public DNS to the FQDN: ti300710a340-0088.bb.online.no

C:\Documents and Settings\Stanley>nslookup 88.88.88.88
Server:  cns.sanjose.ca.sanfran.comcast.net
Address:  68.87.76.182


Name:     ti300710a340-0088.bb.online.no
Address:  88.88.88.88

The question is, can the client be configured to use an FQDN instead of an IP? If yes, (per the above example) pointing to "ti300710a340-0088.bb.online.no" should now work from both home and office.

-Stan

stanleyb Sat, 07/17/2010 - 01:39

Just to answer your question directly.

"is it possible to use ip nat inside destination just to translate destination IP back to private ip for the traffic from VLAN 20 to VLAN 10?"

Not with the router. As an example, if your server is Linux, NATing internally, coupled with a static route on your router, should do. However, Cisco can't static NAT internal to internal (to my knowledge), hence I recommended the DNS solution, which works every time. Also see: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml


Cheers,


-Stan


Command                 Action

ip nat inside source    - Translates the source of IP packets that are traveling inside to outside.
                        - Translates the destination of IP packets that are traveling outside to inside.

ip nat outside source   - Translates the source of IP packets that are traveling outside to inside.
                        - Translates the destination of IP packets that are traveling inside to outside.
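To show why the hairpinned connection from VLAN 20 to 88.88.88.88 never gets its destination rewritten, and why the router-hosted "ip host" answer fixes it, here is a small constructed Python model of the thread's topology and of the two NAT rules in the table above. It is an added illustration, not IOS code or anything from the original thread; the client address 192.168.2.50, the Internet client 203.0.113.5, and the public DNS record for app.company.com are assumed values.

```python
import ipaddress

INTERFACES = {  # constructed model of the thread's topology (not IOS code): interface -> (subnet, NAT role)
    "Vlan10": ("192.168.1.0/24", "inside"),
    "Vlan20": ("192.168.2.0/24", "inside"),
    "FastEthernet4": ("88.88.88.88/30", "outside"),
}
ROUTER_GLOBAL = "88.88.88.88"  # WAN address; the static entry and the PAT overload both use it
SERVER = "192.168.1.99"
# ip nat inside source static tcp 192.168.1.99 9090 88.88.88.88 9090, as the reverse map used outside->inside
REVERSE_NAT = {(ROUTER_GLOBAL, 9090): (SERVER, 9090)}
IP_HOST = {"app.company.com": SERVER}            # router-hosted "ip host" answer for inside clients
PUBLIC_DNS = {"app.company.com": ROUTER_GLOBAL}  # what the Internet resolves the name to (assumed)

def is_inside(ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
               for net, role in INTERFACES.values() if role == "inside")

def egress(dst):
    """Route lookup: connected subnets first, otherwise the default route via FastEthernet4."""
    for name, (net, _) in INTERFACES.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net, strict=False):
            return name
    return "FastEthernet4"

def forward(src, dst, dport, ingress):
    """Classic inside/outside NAT as the table describes it: outside->inside rewrites the
    destination before routing; inside->outside rewrites only the source after routing;
    inside->inside traffic is never touched."""
    if INTERFACES[ingress][1] == "outside":
        dst, dport = REVERSE_NAT.get((dst, dport), (dst, dport))
        out_if = egress(dst)
    else:
        out_if = egress(dst)
        if INTERFACES[out_if][1] == "outside":
            src = ROUTER_GLOBAL  # source is translated; a destination of 88.88.88.88 stays as is
    reached = "server" if dst == SERVER else "router" if dst == ROUTER_GLOBAL else "internet"
    return {"src": src, "dst": dst, "dport": dport, "egress": out_if, "reached": reached}

def resolve(name, client_ip):
    """Split-horizon answer: inside clients get the ip host entry, everyone else the public record."""
    if is_inside(client_ip) and name in IP_HOST:
        return IP_HOST[name]
    return PUBLIC_DNS[name]

def connect(client_ip, ingress, target):
    """Client configured with either a hard-coded IP or an FQDN; returns where its SYN ends up."""
    dst = resolve(target, client_ip) if target in PUBLIC_DNS else target
    return forward(client_ip, dst, 9090, ingress)
```

With the hard-coded 88.88.88.88 an inside client's packet ends at the router itself (only its source was translated), while the same client using app.company.com reaches 192.168.1.99 over VLAN 10 with no NAT involved at all.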

edmand.hon Sat, 07/17/2010 - 01:55

Hi Stan,

Thanks for your great help. Let me try; probably enabling the DNS server at the router to have a static hostname redirect to the private IP will be sufficient. Thank you very much for your great idea.
