Enable pinging WAN IP from ethernet clients

Answered Question
Aug 12th, 2010

Hello

I'm trying to enable access to web servers and other things from the LAN using the WAN IP.

Currently pinging the WAN IP does not reply. External access to the resources is working correctly.

Any help would be really appreciated. Thanks

Richard Burts Thu, 08/12/2010 - 14:50

James

Your question is not clear to me. When you say: "enable access to web servers and other things from the lan using the WAN IP" I am not clear whether the lan you refer to is the lan where the servers exist (in which case the communication would be direct and not involve the router) or whether the lan is remote somewhere. And if it is remote where is it?

It is also not clear what part the WAN IP plays in this.

You have not told us anything about the addressing being used (which could be part of the problem), you have not told us whether there is any access list filtering on either the interface where the servers are located or the WAN interface (which could certainly be part of the problem), or it could be a problem with routing (do the devices attempting to access the servers have correct routes to reach the servers or do the servers have routes to those devices so that responses can be returned), or it could possibly be a problem with Address Translation (which could also be part of the problem).

So if you can provide information to clarify the situation we might be able to give you better answers.

HTH

Rick

GovanJ221 Thu, 08/12/2010 - 15:17

Thanks for the reply. I'll try to explain it a little better.

We have a server with IP 192.168.0.100

It's accessible within the LAN using its local IP address and from the outside using the global IP. That's not a problem.

The problem is that the applications on the clients are configured to access the server using the global IP address but that is not accessible from within the LAN.

Is there some way to loop these requests back?

Here's my config if it helps, thanks again:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging on
enable password 010101
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
!
!
!
!
dot11 ssid test test test
 authentication open
 guest-mode
!
no ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.3
ip dhcp excluded-address 192.168.0.99 192.168.0.101
!
ip dhcp pool mypool
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
no ip bootp server
!
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shut
 !
 ssid test test test
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 bridge-group 1
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxx
 ppp chap password 0 xxxxxx
 ppp pap sent-username xxxxx.net password 0 xxxxx
!
interface Dialer1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.0.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.100 25 80.159.38.225 25 extendable
ip nat inside source static tcp 192.168.0.100 81 80.259.38.225 81 extendable
ip nat inside source static tcp 192.168.0.100 1352 80.259.38.225 1352 extendable
ip nat inside source static tcp 192.168.0.100 8889 80.259.38.225 8889 extendable
ip nat inside source static tcp 192.168.0.101 10996 80.259.38.225 10996 extendable
ip nat inside source static tcp 192.168.0.100 25017 80.259.38.225 25017 extendable
ip nat inside source static tcp 192.168.0.99 58000 80.259.38.225 58000 extendable
!
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 2 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 0 0
 no modem enable
 speed 115200
line aux 0
line vty 0 4
 password 010101
 login
!
scheduler max-task-time 5000
end

Correct Answer
kathpric Thu, 08/12/2010 - 16:32

You could try using NAT virtual interface (NVI).  Instead of having the concept of inside and outside, you only enable NAT on the interface.

interface BVI1
  ip nat enable

interface Dialer0
  ip nat enable

ip nat source static tcp 192.168.0.100 25 80.159.38.225 25

Notice you remove "inside" from "ip nat inside source..."
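
The NVI change from the answer above, written out as a full change set against the posted NAT configuration. This is an added example, not part of the original thread; it assumes Dialer0 is the interface holding the WAN address (as in the answer) and shows only the port 25 static entry, with the remaining static entries following the same pattern.

```ios
! Added example (not from the thread). Assumes Dialer0 holds the WAN address.
!
! 1. Remove the legacy outside role and the legacy "inside source" rules.
!    If IOS reports that a static entry is in use, clear the active
!    translations first from exec mode: clear ip nat translation *
interface Dialer0
 no ip nat outside
!
no ip nat inside source list 1 interface Dialer1 overload
no ip nat inside source static tcp 192.168.0.100 25 80.159.38.225 25 extendable
! (repeat the "no" form for each remaining legacy static entry)
!
! 2. Enable NVI on both the LAN-facing and WAN-facing interfaces.
!    There is no inside/outside role; every NAT-enabled interface is equal,
!    which is what lets LAN clients reach the global address.
interface BVI1
 ip nat enable
!
interface Dialer0
 ip nat enable
!
! 3. Re-create the rules without the "inside" keyword.
!    The overload rule must name the interface that actually has the WAN IP.
ip nat source list 1 interface Dialer0 overload
ip nat source static tcp 192.168.0.100 25 80.159.38.225 25
! (repeat for each remaining static entry)
!
! 4. Verify from exec mode. NVI keeps its own table, so the legacy
!    "show ip nat translations" will not list these entries.
!    show ip nat nvi translations
!    show ip nat nvi statistics
```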

GovanJ221 Thu, 08/12/2010 - 17:43

Thanks very much. That seems to resolve the issue. Been pulling my hair out.

Thanks again all

Jernej Vodopivec Thu, 08/12/2010 - 17:35

Maybe you could try this solution: don't connect directly to IP address - connect to the hostname (FQDN). And make sure your (split-brain) DNS is configured correctly.
