Dynamic DNS resolving to internal router web site

Unanswered Question
Aug 29th, 2010

Hello all,


I am using Cisco 877W to connect my home network to the Internet.


Using dynamic DNS (DYNDNS.ORG) I have configured a web site on a Windows server to be redirected to port 443 on this server. Instead of this, what I get is the CP express website that shipped with the router. If I disable the internal router web site with the command:


no ip http secure-server


no web page is displayed using dyndns hostname.


Why is the Windows website not being displayed as I specified in the NAT configuration? I had no problem with this when I was using the router provided by my ISP.


Any help is appreciated.

Federico Coto F... Sun, 08/29/2010 - 17:34

Hi,


If you do an nslookup DOMAIN_NAME for the web server, it resolves to the public IP, correct?


If you open a browser and go to that site or try https://public_IP, then you get the router's HTTP page?


The router should redirect port 443 to the internal web server if your NAT configuration is correct.

Could you post the relevant configuration for NAT?


Federico.

amoge0123 Mon, 08/30/2010 - 16:37

Hi Federico,


Your analysis is correct.


Below is NAT and dyndns configuration:


access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 172.16.1.10
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 172.16.1.10
class-map type inspect match-all sdm-nat-https-3
match access-group 103
match protocol https
exit
class-map type inspect match-all sdm-nat-ftp-2
match access-group 104
match protocol ftp
exit
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-https-3
  no drop
  inspect
  exit
class type inspect sdm-nat-https-3
  no drop
  inspect
  exit
class type inspect sdm-nat-https-3
  no drop
  inspect
  exit
class type inspect sdm-nat-ftp-2
  no drop
  inspect
  exit
class type inspect sdm-nat-ftp-2
  no drop
  inspect
  exit
class type inspect sdm-nat-ftp-2
  no drop
  inspect
  exit
exit
interface Vlan1
ip nat inside
exit
ip nat inside source static tcp 172.16.1.10 443 interface Dialer0 443
ip nat inside source static tcp 172.16.1.10 21 interface Dialer0 21


ip ddns update method sdm_ddns1
no DDNS both
HTTP
  add &myip=http://xxxxxxx:[email protected]/nic/update?system=dyndns&hostname=&myip=>
  remove
&myip=http://xxxxxxx:[email protected]/nic/update?system=dyndns&hostname=&myip=>
  exit
exit

Federico Coto F... Mon, 08/30/2010 - 20:58

You have the ip nat inside command on VLAN 1 where 172.16.1.10 resides.
Do you have the ip nat outside command on Dialer0?


The reason I ask is because the request on port 443 is getting to the router but
seems to not be redirected internally.


If you do have the command, do the following test:


ip access-list extended in-443
  permit tcp any host 172.16.1.10 eq 443
  permit ip any any


interface vlan 1
  ip access-group in-443 out


And check if the hitcounts on the ACL in-443 increment every time you open a browser
and try to get to the public IP on port 443.


sh access-list in-443


If you see hitcounts incrementing, the router is indeed redirecting the packets to the
internal server.
We will need to check if they're coming back.


Federico.

amoge0123 Sun, 10/03/2010 - 12:45

Well, it turns out the router was correctly resolving the dynamic DNS mapping after all. Last Friday while at work and quite by chance I entered the web URL into the browser and it returned the website running on the internal server in my home network!


The problem therefore was that the router resolved to the correct address when the web page was requested outside the network but resolved the same URL to the router's internal website when requested from inside the network. The router is in effect doing what it has been configured to do.


What I would like to know is how to get the router to also resolve to the dynamically mapped address when the website request is from internal.


With what configuration could this be achieved? Of course if you are on the server locally and you typed https://172.16.1.10:443, the website also loads correctly.


Thanks
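
Added example, not part of the thread and not any poster's or Cisco's own configuration: with the classic `ip nat inside` / `ip nat outside` setup shown above, a LAN client that connects to the router's public address is answered by the router itself instead of being port-forwarded, which matches the behaviour described in the last post. One common way around this is split DNS on the router, so inside clients resolve the dynamic DNS name to 172.16.1.10 directly. The hostname `myhost.example.dyndns.org`, the router LAN address 172.16.1.1, the upstream resolver 192.0.2.53 and the DHCP pool name `LAN_POOL` are placeholders, since the thread does not give them.

```cisco_ios
! Added example: split DNS on the router.
! All names and addresses except 172.16.1.10 are placeholders.
!
! Let the router answer DNS queries from LAN clients
ip dns server
!
! Upstream resolver used for every other name (placeholder address)
ip name-server 192.0.2.53
!
! Static entry: inside clients get the server's private address
! for the dynamic DNS hostname (placeholder hostname)
ip host myhost.example.dyndns.org 172.16.1.10
!
! Hand out the router as DNS server to DHCP clients
! (assumes the router is the DHCP server; pool name is hypothetical)
ip dhcp pool LAN_POOL
 dns-server 172.16.1.1
!
! Verify on the router that the static entry is present:
!   show hosts
```

External clients still resolve the public address and go through the static NAT entry on Dialer0; inside clients may need their DNS cache flushed before the new answer is used.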
