NAT between 2 internal networks and from outside/inside

Answered Question
Feb 7th, 2012

Hi all,


This is really a newbie question!! I have a mail server inside my network, pointed to by, let's say, mail.mydomain.com -> X.Y.W.Z (my external IP address) on interface GigabitEthernet0:


interface GigabitEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-WAN$$FW_OUTSIDE$
 ip address X.Y.W.Z 255.255.255.248 secondary
 ip broadcast-address X.Y.W.Z
 ip flow ingress
 ip nat outside
 ip ips sdm_ips_rule_ips_traffic in
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
 service-policy output CCP-QoS-Policy-1
!


Then I have some sub-interfaces for the local network; in particular, this one is for my DMZ:


interface GigabitEthernet0/1.1
 description DMZ$FW_DMZ$
 encapsulation dot1Q 4
 ip address 10.0.104.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security dmz-zone
!


My internal office zone:


interface GigabitEthernet0/1.2
 description MZ (private zone)$FW_INSIDE$
 encapsulation dot1Q 2
 ip address 10.0.102.10 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!


Then I have the following NAT rules for SMTP, IMAPS and POP3S:


ip nat inside source static tcp 10.0.104.12 25 X.Y.W.Z 25 extendable
ip nat inside source static tcp 10.0.104.12 993 X.Y.W.Z 993 extendable
ip nat inside source static tcp 10.0.104.12 995 X.Y.W.Z 995 extendable


This WORKS very well for the traffic from the Internet to my DMZ. The issue is that if I want my local clients to use the same domain (mail.mydomain.com) from inside and outside the office (think of laptops that are working from both zones), this doesn't work, because the internal users are trying to get to X.Y.W.Z on port 25, for example, and the NAT seems not to be applied.


So initially I had the same domain (mail.mydomain.com) with 2 entries: from outside on X.Y.W.Z and from inside (with a local DNS) to the mail server in the DMZ, 10.0.104.12; but in this scenario the mobile devices don't refresh their DNS promptly enough to make the service work.


I would need to NAT the traffic from 10.0.102.0/24 with destination X.Y.W.Z (ports 25, 993, 995) to 10.0.104.12.

I understand that the rules above are translating only from inside to outside and vice versa, but not from 10.0.102.0 to 10.0.104.0. Any ideas?


With this configuration the router is responding on ports 25, 993 and 995 instead of 10.0.104.12. This is some basic troubleshooting:


bash-3.2# traceroute -p 25 mail.mydomain.com
traceroute to mail.mydomain.com (X.Y.W.Z), 64 hops max, 52 byte packets
 1  10.0.102.10 (10.0.102.10)  1.716 ms *  1.494 ms
bash-3.2# telnet X.Y.W.Z
Trying X.Y.W.Z...
telnet: connect to address X.Y.W.Z: Connection refused
telnet: Unable to connect to remote host
bash-3.2#


There is a zone firewall, but the commands above are very responsive, and I can connect directly to the mail server without issues (if I set mail.mydomain.com to point to 10.0.104.12 in my local DNS).


Thanks!!


The post has been modified and additional information added.

Correct Answer by ebarticel about 5 years 6 months ago

If users inside get their settings from DHCP, they will get the DNS settings as well from your internal server, if I understand correctly. Why not use an extended access list as the source for a NAT (PAT) mapping to your DMZ interface?


Hope this helps


Eugen
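To see why the three static entries never fire for office clients (the router itself answers on X.Y.W.Z, hence the "Connection refused"), and why handing out the DMZ address from the internal resolver fixes it, here is a small Python model of the IOS NAT direction logic. It is an added example, not code from the thread or from Cisco; the Internet client 203.0.113.7 and the short Gi0/x interface names are constructed.

```python
"""Added example (not from the thread): a model of how IOS applies 'ip nat inside source static'.
Addresses, interface roles and rules come from the original post; X.Y.W.Z stands in for
the real public address and 203.0.113.7 is a constructed Internet client.
IOS rewrites the destination (global -> local) only for packets entering an 'ip nat outside'
interface, before routing; the source side (inside -> outside) is not modeled here. A packet
entering an 'ip nat inside' interface toward the router's own public address is never translated.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticNat:          # ip nat inside source static tcp LOCAL LPORT GLOBAL GPORT
    proto: str
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int

NAT_RULES = [StaticNat("tcp", "10.0.104.12", p, "X.Y.W.Z", p) for p in (25, 993, 995)]
NAT_ROLE = {"Gi0/0": "outside", "Gi0/1.1": "inside", "Gi0/1.2": "inside"}  # from posted config
ROUTER_IPS = {"X.Y.W.Z", "10.0.104.1", "10.0.102.10"}  # addresses the router itself owns

def ingress_interface(src_ip):
    """Interface a packet from src_ip arrives on, per the subnets in the posted config."""
    if src_ip.startswith("10.0.104."):
        return "Gi0/1.1"
    if src_ip.startswith("10.0.102."):
        return "Gi0/1.2"
    return "Gi0/0"

def forward(src_ip, dst_ip, dst_port, proto="tcp"):
    """Return (receiver, explanation) for a connection attempt entering the router."""
    in_if = ingress_interface(src_ip)
    if NAT_ROLE[in_if] == "outside":
        # outside -> inside: destination (global -> local) translation is tried before routing
        for r in NAT_RULES:
            if (r.proto, r.global_ip, r.global_port) == (proto, dst_ip, dst_port):
                return r.local_ip, f"{in_if} is nat outside: dst translated to {r.local_ip}:{r.local_port}"
    # inside -> anywhere, or outside traffic matching no rule: destination is left untouched
    if dst_ip in ROUTER_IPS:
        return "router", f"{in_if} is nat {NAT_ROLE[in_if]}: no dst translation, router answers itself"
    return dst_ip, f"{in_if} is nat {NAT_ROLE[in_if]}: no dst translation, routed to {dst_ip}"

def split_dns(client_ip):
    """The fix from the thread: the internal resolver hands office clients the DMZ address."""
    return "10.0.104.12" if ingress_interface(client_ip) != "Gi0/0" else "X.Y.W.Z"

if __name__ == "__main__":
    print(forward("203.0.113.7", "X.Y.W.Z", 25))  # Internet -> DMZ server via static NAT
    print(forward("10.0.102.50", "X.Y.W.Z", 25))  # office -> public IP: router, connection refused
    print(forward("10.0.102.50", split_dns("10.0.102.50"), 25))  # office -> DMZ server directly
```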

Koblensky Tue, 02/07/2012 - 15:55

I've tried to VPN to the router and it works just fine:


The IP received is on the same network I'm having issues with:


utun0: flags=8051 mtu 1280
	inet 10.0.102.199 --> 10.0.102.199 netmask 0xffffff00


And this is the interface of the VPN tunnel:


interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 ip ips sdm_ips_rule_ips_traffic in
 ip virtual-reassembly
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
!


I've checked that the firewall on the VPN (ezvpn-zone to in-zone) has the same policies as the in-zone to DMZ-zone; apart from that it seems the same configuration, the only thing is that the traffic is going from the Internet to GigabitEthernet0/0 (which is defined as "ip nat outside"). Any ideas on how I can resolve this?


Koblensky Wed, 02/08/2012 - 11:57

Yep ... my mistake: on the laptop the DNS was statically assigned, that's why it was not updated by the local DNS!

Thanks ... it works well with the original DNS settings.

ebarticel Wed, 02/08/2012 - 12:38

Good to hear it works.

Please mark it if the question has been answered.


Regards

Eugen
