01-23-2012 12:33 AM - edited 03-07-2019 04:29 AM
Hello,
looking for help on a NAT problem.
I have a 1841 deployed as my NAT device towards the internet. NAT is set up so that internal addresses can access the WWW. I also have some NAT translations opening specific ports from outside to inside in the form: ip nat inside source static tcp A.B.C.D 443 A.B.C.D 443 extendable.
Now I have an outside address/port set up with a public DNS reference and using NAT from outside to get access to the corresponding inside address. It works when being outside the LAN.
Now to the problem: From the LAN side of the router, I cannot access the public name. I can ping it, but my browser doesn't find the webserver behind the name. Someone told me it should be set up as "local firewall domain" and I should set this up as "source NAT".
Any good suggestions?
01-23-2012 12:54 AM
Hi,
When sitting on the inside LAN segment, you cannot access the internal server using its Public NATted ip. This is a NAT limitation with routers.
You will have to use the private ip to access that server.
A ping to that public IP from an inside host might work because the router will respond back to that ping, not the actual server. And if we use the “no-alias” keyword at the end of the static NAT statement, then even this ping would stop working. And again, this is an expected behaviour of the router.
Possible workarounds to accomplish the above requirement, i.e. access the internal server from the same LAN (the prerequisite for this is the use of an FQDN to access the server; by using the public IP, there is no way we can accomplish this):
1. Use one to one static NAT translation for the private ip of the server which will enable DNS doctoring.
2. Use an internal DNS server with the mapping of this website to the private ip
3. Change the hosts file on the PCs trying to access this server from inside (which generally is not a feasible solution as there could be many hosts in the LAN)
Check the following Blog document for a better understanding of DNS Doctoring (also the above answer of mine is taken from this site ):
http://blog.instruosolutions.com/2012/01/07/dns-doctoring-technique-on-cisco-routers/
P.S: DNS doctoring only works with one to one Static NAT statement, you have currently deployed only Port translation, so if you decide to use this DNS doctoring feature, you would have to map this Public ip to a single private ip address
Hope it helps
Neeraj
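Added example, not from this post or the blog it cites: the one-to-one static NAT form that workaround 1 refers to, on an 1841 with the same inside/outside layout as the thread. Addresses (10.0.0.0/24 LAN, 10.0.0.10 server, 203.0.113.10 as a dedicated public address) and the hostname www.example.net are constructed.

```cisco
! Constructed addresses. 203.0.113.10 is a spare public address, NOT the
! Fa0/0 interface address, which keeps serving the overload (PAT) rule below.
interface FastEthernet0/0
 description $ETH-WAN$
 ip nat outside
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip nat inside
!
! Everyday internet access for the LAN, as in the thread.
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! One-to-one static entry. Unlike "static tcp ... 443 ... extendable", this
! entry is consulted when NAT rewrites the payload of DNS replies that cross
! the router: an inside host that asks an OUTSIDE resolver for www.example.net
! (hypothetical name, published as 203.0.113.10) receives 10.0.0.10 in the
! answer and then talks to the server directly on the LAN.
! Every port of 203.0.113.10 is now forwarded to 10.0.0.10, so restrict the
! exposed ports with an inbound ACL on Fa0/0 if only 443 should be reachable.
ip nat inside source static 10.0.0.10 203.0.113.10
!
! The rewrite only happens when the DNS reply itself traverses the NAT
! boundary, so LAN hosts must use an outside resolver (e.g. 8.8.8.8), not an
! internal one; an internal DNS server is workaround 2 in the post instead.
! Appending "no-payload" to the static line would disable the DNS rewrite.
!
! Verification (constructed expected results):
!   show ip nat translations   -> a static 10.0.0.10 <-> 203.0.113.10 entry
!   nslookup www.example.net 8.8.8.8   (run on a LAN host) -> 10.0.0.10
```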
01-23-2012 11:28 PM
Hi Neeraj,
so what you are saying is that I encounter this obstruction because I use a router and not an ASA box of some kind?
Asger
01-23-2012 11:54 PM
Asger, you'll not like this answer: Yes, Cisco routers have this limitation. I cannot say that I have personally implemented another vendor, but I've heard from many customers that other vendors' devices (specifically routers, and cheaper makes at that) do support this feature of accessing a website from the LAN using its public IP.
And Yes, if you were using a Cisco ASA firewall as an edge device facing internet, then this would have been possible through a workaround of Hairpinning feature. Please read the section "Alternative Solution: Hairpinning" in the below ASA document:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
01-23-2012 05:08 AM
Hi,
Do you have any ACLs configured? Do you have a static mapping from the inside LAN IP to the default gateway?
Hope it will help
Eugen
01-23-2012 11:32 PM
Hi Eugen,
I have ACLs configured to allow the inside users to get to the WWW. And this works. And the NAT entry from outside to inside is working when being on any network except the LAN. This is the challenge to beat.
Regards
Asger
01-24-2012 01:01 PM
Hi,
There is a solution to this problem. However, since you didn't post any sample config, I'm not entirely sure how you connect to the internet etc.
In this example I have used a Dialer interface as outside and a SVI as inside interface. Adjust it to your needs.
ip nat source list NAT interface dialer1 overload
!
interface dialer 1
 ip nat enable
!
interface vlan 10
 ip nat enable
!
ip nat source static tcp [inside address] 443 [outside address] 443 extendable
ip nat source static tcp [inside address] 80 [outside address] 80 extendable
!
ip access-list standard NAT
 permit [inside address range]
Please let me know if this worked. I have used this a lot on corporate customers etc., and it works great.
Beware though: when you enable "ip nat enable" you can't verify the NAT with, for example, "ping 8.8.8.8 source vlan 10", but regardless, everything should work for the clients.
Regards,
Kristian Brown
01-24-2012 11:38 PM
Hi Kristian,
name sounds Danish :-). Here follows my sample config from the 1841:
ip cef
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address [ip address]
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address [ip address]
 ip nat inside
 ip virtual-reassembly
 speed auto
 full-duplex
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp [ip address] 42333 [ip address] 42333 extendable
ip nat inside source static udp [ip address] 42333 [ip address] 42333 extendable
!
access-list 1 permit [all lan ip]
It's really quite simple. NAT is working well from outside to inside for all LAN IPs. From outside to inside all works OK as long as not being on the LAN and asking for the outside NATed address (or its domain).
Would you have a suggestion to make the workaround you specified?
01-25-2012 02:20 AM
Hi!
Almost Danish (Norwegian)
Try this configuration:
ip cef
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address [ip address]
 ip nat enable
 ip virtual-reassembly
 speed auto
 full-duplex
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address [ip address]
 ip nat enable
 ip virtual-reassembly
 speed auto
 full-duplex
!
ip nat source list 1 interface FastEthernet0/0 overload
ip nat source static tcp [ip address] 42333 [ip address] 42333 extendable
ip nat source static udp [ip address] 42333 [ip address] 42333 extendable
!
access-list 1 permit [all lan ip]
01-25-2012 04:24 AM
Hi Kristian,
adding the "ip nat enable" on both interfaces didn't make any difference.
Asger
01-25-2012 09:44 AM
Hi Asger,
Did you only enable ip nat enable on the interfaces?
Remember, you need to change to the following also:
ip nat source list 1 interface FastEthernet0/0 overload
ip nat source static tcp [ip address] 42333 [ip address] 42333 extendable
ip nat source static udp [ip address] 42333 [ip address] 42333 extendable
The inside keyword should be removed from the 3 NAT config-lines above. (You had ip nat inside in your config there also)
Regards,
Kristian Brown
02-13-2012 11:53 PM
Hi Kristian,
had a chance to implement this setup. And I did not get far enough to actually test the hairpin.
I encountered trouble with a previously working Microsoft based VPN dial in setup. This is working with the NAT inside/outside settings - but is not working when having IP NAT enable. SMTP mail, WEBmail is working - but not VPN.
Also, having NAT enable, the "sho ip nat trans" table is empty! In NAT inside/outside I have a table with 100+ lines. Why so?
Any ideas?
Asger
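Added example, not from any post in the thread: the NVI-style ("ip nat enable") configuration Kristian describes, written out with constructed addresses (10.0.0.0/24 LAN, 10.0.0.20 as the host behind port 42333, 203.0.113.1 as the Fa0/0 address), followed by the show commands that list NVI translations.

```cisco
! Constructed addresses; the port numbers are the ones from the thread.
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 203.0.113.1 255.255.255.252
 ip nat enable
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 10.0.0.1 255.255.255.0
 ip nat enable
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
! No "inside" keyword: these are NVI rules and pair with "ip nat enable".
! Interfaces marked "ip nat inside/outside" only match "ip nat inside source"
! rules, so mixing the two styles leaves one set of rules idle.
ip nat source list 1 interface FastEthernet0/0 overload
ip nat source static tcp 10.0.0.20 42333 203.0.113.1 42333 extendable
ip nat source static udp 10.0.0.20 42333 203.0.113.1 42333 extendable
!
! Verification. NVI keeps a separate translation table, so the classic
!   show ip nat translations
! (the one that held 100+ lines with the inside/outside setup) stays empty
! even while NVI NAT is working. Use the NVI variants instead:
!   show ip nat nvi translations
!   show ip nat nvi statistics
! The two static 42333 entries should be listed there permanently, and a
! dynamic entry for each LAN host should appear as soon as it opens an
! outbound connection.
```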
01-24-2012 09:43 PM
Hi Asger,
Do you have a DNS inside your LAN that hosts are using, or are they using the same public DNS that you access when connecting from outside?
It could be a DNS problem. You may have to add an entry to your private DNS, or if you are using a public one then maybe ACLs block the DNS query.
HTH
Eugen