Access to WEB server on outside address from LAN

Unanswered Question
Jan 23rd, 2012

Hello,

Looking for help on a NAT problem.

I have a 1841 deployed as my NAT device towards the internet. NAT is set up so that internal addresses can access the WWW. I also have some NAT translations opening specific ports from outside to inside in the form: ip nat inside source static tcp A.B.C.D 443 A.B.C.D 443 extendable.

Now I have an outside address/port set up with a public DNS reference and am using NAT from outside to get access to the corresponding inside address. It works when being outside the LAN.

Now to the problem: from the LAN side of the router, I cannot access the public name. I can ping it, but my browser doesn't find the webserver behind the name. Someone told me it should be set up as "local firewall domain" and I should set this up as "source NAT".

Any good suggestions?

Neeraj Arora Mon, 01/23/2012 - 00:54

Hi ,

When sitting on the inside LAN segment, you cannot access the internal server using its Public NATted ip. This is a NAT limitation with routers.

You will have to use the private ip to access that server.

Ping to that public IP from an inside host might work because the router will respond to that ping, not the actual server. And if we use the “no-alias” keyword at the end of the static NAT statement, then even this ping would stop working. And again, this is expected behaviour of the router.

Possible workarounds to accomplish the above requirement, i.e. access the internal server from the same LAN (the pre-requisite for this is the use of an FQDN to access the server; by using the public IP, there is no way we can accomplish this):

1. Use a one-to-one static NAT translation for the private IP of the server, which will enable DNS doctoring.

2. Use an internal DNS server with the mapping of this website to the private IP.

3. Change the hosts file on the PCs trying to access this server from inside (which generally is not a feasible solution as there could be many hosts in the LAN).

Check the following blog document for a better understanding of DNS doctoring (the above answer of mine is also taken from this site):

http://blog.instruosolutions.com/2012/01/07/dns-doctoring-technique-on-cisco-routers/

P.S.: DNS doctoring only works with a one-to-one static NAT statement. You have currently deployed only port translation, so if you decide to use this DNS doctoring feature, you would have to map this public IP to a single private IP address.

Hope it helps

Neeraj

asgerhartmann Mon, 01/23/2012 - 23:28

Hi Neeraj,

So what you are saying is: I encounter this obstruction because I use a router and not an ASA box of some kind?

Asger

Neeraj Arora Mon, 01/23/2012 - 23:54

Asger, you'll not like this answer: yes, Cisco routers have this limitation. I cannot say that I have personally implemented another vendor, but I've heard from many customers that other vendor devices (specifically routers, and cheaper makes at that) do support this feature of accessing a website from the LAN using its public IP.

And yes, if you were using a Cisco ASA firewall as an edge device facing the internet, then this would have been possible through a workaround using the hairpinning feature. Please read the section "Alternative Solution: Hairpinning" in the ASA document below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

ebarticel Mon, 01/23/2012 - 05:08

Hi,

Do you have any ACLs configured? Do you have a static mapping from the inside LAN IP to the default gateway?

Hope it will help

Eugen

asgerhartmann Mon, 01/23/2012 - 23:32

Hi Eugen,

I have ACLs configured to allow the inside users to get to the WWW, and this works. And the NAT entry from outside to inside is working when being on any network except the LAN. This is the challenge to beat.

Regards

Asger

kristianbrun Tue, 01/24/2012 - 13:01

Hi,

There is a solution to this problem. However, since you didn't post any sample config, I'm not entirely sure how you connect to the internet, etc.

In this example I have used a Dialer interface as the outside and an SVI as the inside interface. Adjust it to your needs.

ip nat source list NAT interface dialer1 overload

interface dialer 1
 ip nat enable

interface vlan 10
 ip nat enable

ip nat source static tcp [inside address] 443 [outside address] 443 extendable
ip nat source static tcp [inside address] 80 [outside address] 80 extendable

ip access-list standard NAT
 permit [inside address range]

Please let me know if this worked. I have used this a lot with corporate customers, and it works great.

Beware though: when you enable "ip nat enable" you can't verify the NAT with, for example, "ping 8.8.8.8 source vlan 10", but regardless, everything should work for the clients.

Regards,

Kristian Brown

asgerhartmann Tue, 01/24/2012 - 23:38

Hi Kristian,

Name sounds Danish :-). Here follows my sample config from the 1841:

ip cef
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address [ip address]
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address [ip address]
 ip nat inside
 ip virtual-reassembly
 speed auto
 full-duplex
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp [ip address] 42333 [ip address] 42333 extendable
ip nat inside source static udp [ip address] 42333 [ip address] 42333 extendable
!
access-list 1 permit [all lan ip]

It's really quite simple. NAT is working well from outside to inside for all LAN IPs. From outside to inside all works OK as long as I am not on the LAN asking for the outside NATed address (or its domain).

Would you have a suggestion to make the workaround you specified?

kristianbrun Wed, 01/25/2012 - 02:20

Hi!

Almost Danish (Norwegian).

Try this configuration:

ip cef
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address [ip address]
 ip nat enable
 ip virtual-reassembly
 speed auto
 full-duplex
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address [ip address]
 ip nat enable
 ip virtual-reassembly
 speed auto
 full-duplex
!
ip nat source list 1 interface FastEthernet0/0 overload
ip nat source static tcp [ip address] 42333 [ip address] 42333 extendable
ip nat source static udp [ip address] 42333 [ip address] 42333 extendable
!
access-list 1 permit [all lan ip]

asgerhartmann Wed, 01/25/2012 - 04:24

Hi Kristian,

Adding "ip nat enable" on both interfaces didn't make any difference.

Asger

kristianbrun Wed, 01/25/2012 - 09:44

Hi Asger,

Did you only enable ip nat enable on the interfaces?

Remember, you need to change to the following also:

ip nat source list 1 interface FastEthernet0/0 overload

ip nat source static tcp [ip address] 42333 [ip address] 42333 extendable

ip nat source static udp [ip address] 42333 [ip address] 42333 extendable

The inside keyword should be removed from the 3 NAT config lines above. (You had ip nat inside in your config there also.)

Regards,

Kristian Brown
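To make concrete why Neeraj says the server cannot be reached from the LAN via its public address under classic "ip nat inside/outside", and why Kristian's domainless "ip nat enable" (NVI) configuration can hairpin the flow, here is a small Python model of the two translation modes. This is an added illustration, not code from the thread or from Cisco IOS; the addresses and the single TCP/443 static entry are constructed placeholders, and the model ignores port allocation in the overload step.

```python
"""Toy model of the two IOS NAT modes discussed in the thread: classic
domain-based 'ip nat inside/outside' and domainless NVI 'ip nat enable'.
Added illustration, not IOS code; addresses are constructed placeholders
taken from RFC 5737 / RFC 1918 ranges."""
from dataclasses import dataclass, replace
from typing import Optional

OUTSIDE_IP = "203.0.113.10"   # router WAN address (constructed)
SERVER_IP = "192.168.1.20"    # internal web server (constructed)
LAN_PREFIX = "192.168.1."     # range matched by 'access-list 1 permit'

# 'ip nat [inside] source static tcp <server> 443 <wan> 443 extendable'
STATIC_TCP = {(OUTSIDE_IP, 443): (SERVER_IP, 443)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def classic_nat(pkt: Packet) -> Optional[Packet]:
    """Domain-based NAT: the rules that run depend on the ingress domain.
    The static rule's destination rewrite fires only for packets entering
    the 'ip nat outside' interface.  A LAN host aiming at the WAN address
    enters 'inside', so the destination is never rewritten: the packet is
    for the router itself (ping is answered, TCP/443 is not a service)."""
    if in_lan(pkt.src):
        if pkt.dst == OUTSIDE_IP:
            return None                      # the failure in the question
        return replace(pkt, src=OUTSIDE_IP)  # normal PAT toward the Internet
    if (pkt.dst, pkt.dport) in STATIC_TCP:   # Internet client -> server
        dst, dport = STATIC_TCP[(pkt.dst, pkt.dport)]
        return replace(pkt, dst=dst, dport=dport)
    return pkt


def nvi_nat(pkt: Packet) -> Packet:
    """NVI: no domains, so the static destination rewrite and the overload
    source rewrite both apply to the same hairpinned packet.  Rewriting the
    source to the WAN address makes the server reply via the router (where
    the reverse translation happens) rather than straight to the LAN client,
    which would otherwise break the TCP handshake."""
    if (pkt.dst, pkt.dport) in STATIC_TCP:
        dst, dport = STATIC_TCP[(pkt.dst, pkt.dport)]
        pkt = replace(pkt, dst=dst, dport=dport)
    if in_lan(pkt.src):                      # ACL 1 match -> overload
        pkt = replace(pkt, src=OUTSIDE_IP)
    return pkt
```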

asgerhartmann Mon, 02/13/2012 - 23:53

Hi Kristian,

I had a chance to implement this setup, but I did not get far enough to actually test the hairpin.

I encountered trouble with a previously working Microsoft-based VPN dial-in setup. This is working with the NAT inside/outside settings, but is not working when having ip nat enable. SMTP mail and webmail are working, but not VPN.

Also, having NAT enable, the "sho ip nat trans" table is empty! In NAT inside/outside I have a table with 100+ lines. Why so?

Any ideas?

Asger

ebarticel Tue, 01/24/2012 - 21:43

Hi Asger,

Do you have a DNS inside your LAN that hosts are using, or are they using the same public DNS that you access when connecting from outside?

It could be a DNS problem. You may have to add an entry to your private DNS, or if using a public one then maybe ACLs block the DNS query.

HTH

Eugen

Posted January 23, 2012 at 12:33 AM