When Web Server NAT 'd Access From Internal LAN

pdvcisco (Level 1)

Hello,

For a config on a 2821 router with IOS 15.1

I've set up an internal web server and am able to access it from outside our network but not from inside (on a separate internal LAN - 192.168.10.0).  When on the internal LAN - DNS points to the Public IP for the web server - so we'd need to route through the Public IP to access the web server.

What is the best way to allow access to the web server XX.XX.XX.231 from 192.168.10.0 network?

Related Config Lines to Allow Access to Web Server

NAT

ip nat inside source static tcp 192.168.1.230 80 XX.XX.XX.231 80 extendable

ip nat inside source static tcp 192.168.1.230 443 XX.XX.XX.231 443 extendable

ACL

ip access-list extended WAN

permit tcp any host XX.XX.XX.231 eq 443

permit tcp any host XX.XX.XX.231 eq www

Thanks,

Dan Foxley

------------------

!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
dot11 syslog
no ip source-route
ip options drop
!
ip cef
!
no ip bootp server
no ip domain lookup
ip inspect log drop-pkt
ip inspect name PDVCorp tcp
ip inspect name PDVCorp udp
ip inspect name PDVCorp ftp
ip inspect name PDVCorp icmp
ip inspect name PDVCorp dns
!
license udi pid CISCO2821 sn FTX0938A43N
!
redundancy
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh authentication-retries 2
ip ssh version 1
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description LAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/0.2
 description PDVCorpNet$FW_INSIDE$$ETH-LAN$
 encapsulation dot1Q 2
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 no cdp enable
!
interface GigabitEthernet0/0.4
 description PDVCorpNet$ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 4
 ip address 192.168.1.100 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 no cdp enable
!
interface GigabitEthernet0/0.6
 encapsulation dot1Q 6 native
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip route-cache
 no cdp enable
!
interface GigabitEthernet0/0.12
 encapsulation dot1Q 12
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip route-cache
 no cdp enable
!
interface GigabitEthernet0/1
 description WAN$ETH-WAN$$FW_OUTSIDE$
 ip address XX.XX.XX.226 255.255.255.240
 ip access-group WAN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect PDVCorp out
 ip virtual-reassembly in
 ip verify unicast reverse-path
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map 3377_To_Sungard
!
no ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip flow-top-talkers
 top 20
 sort-by bytes
!
ip nat pool PDVCorp-Internet XX.XX.XX.227 XX.XX.XX.227 netmask 255.255.255.240
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.10.85 25 XX.XX.XX.231 25 extendable
ip nat inside source static tcp 192.168.1.230 80 XX.XX.XX.231 80 extendable
ip nat inside source static tcp 192.168.1.230 443 XX.XX.XX.231 443 extendable
ip nat inside source static tcp 192.168.1.50 80 XX.XX.XX.232 80 extendable
ip nat inside source static tcp 192.168.1.50 443 XX.XX.XX.232 443 extendable
ip nat inside source static tcp 192.168.1.52 80 XX.XX.XX.233 80 extendable
ip nat inside source static tcp 192.168.1.52 443 XX.XX.XX.233 443 extendable
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.225
ip route 192.168.100.0 255.255.255.0 192.168.10.2 permanent
!
ip access-list extended WAN
 remark CCP_ACL Category=1
 permit tcp any host XX.XX.XX.231 eq smtp
 permit tcp any host XX.XX.XX.233 eq 443
 permit tcp any host XX.XX.XX.233 eq www
 permit tcp any host XX.XX.XX.232 eq 443
 permit tcp any host XX.XX.XX.232 eq www
 permit tcp any host XX.XX.XX.231 eq 443
 permit tcp any host XX.XX.XX.231 eq www
 permit icmp any any administratively-prohibited
 remark Auto generated by CCP for NTP (123) 192.168.10.2
 permit udp host 192.168.10.2 eq ntp host XX.XX.XX.226 eq ntp
 permit ahp host VV.VV.50.84 host XX.XX.XX.226
 permit esp host VV.VV.50.84 host XX.XX.XX.226
 permit udp host VV.VV.50.84 host XX.XX.XX.226 eq isakmp
 permit udp host VV.VV.50.84 host XX.XX.XX.226 eq non500-isakmp
 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip host 192.168.4.16 192.168.10.0 0.0.0.255
 permit tcp object-group BW.COM host XX.XX.XX.226 range 5060 5061
 permit udp object-group BW.COM host XX.XX.XX.226 range 5060 5061
 permit udp any host XX.XX.XX.226 gt 1024
 remark DNS
 permit udp any eq domain any eq domain log
 deny   ip any any log
!
logging esm config
logging 192.168.7.108
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 deny   any
access-list 100 remark CCP_ACL Category=2
access-list 100 deny   ip 192.168.10.0 0.0.0.255 host 192.168.4.16
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any log
access-list 101 remark CCP_ACL Category=2
access-list 101 deny   ip 192.168.10.0 0.0.0.255 host 192.168.4.16
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 138 remark PDVCA-To-Sungard
access-list 138 remark CCP_ACL Category=4
access-list 138 permit ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 138 permit ip 192.168.10.0 0.0.0.255 host 192.168.4.16
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
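The reachability problem in the posted config can be checked mechanically. An `ip nat inside source static` entry rewrites the destination only for packets that arrive on an `ip nat outside` interface; a 192.168.10.0 client enters on GigabitEthernet0/0.2 (`ip nat inside`), so XX.XX.XX.231 is never translated for it. The script below is an added example, not code from the original post: it parses a trimmed copy of the posted config (the redacted XX.XX.XX.224/28 block is replaced by the documentation range 203.0.113.224/28) and reports, for a given client and published address, whether the packet ever crosses a NAT-outside interface. The second sample adds a loopback hairpin; its Loopback0 address, ACL 150 and route-map name NAT_HAIRPIN are assumptions of this example.

```python
"""Tell whether a LAN client can reach a static NAT (port-forward) entry by its
public address on an IOS router: does its packet ever enter an 'ip nat outside'
interface and get its destination rewritten?  Added example for this thread, not
code from the original post.  Samples are trimmed from the posted config, with the
redacted XX.XX.XX.224/28 block replaced by 203.0.113.224/28; Loopback0's address,
ACL 150 and route-map NAT_HAIRPIN are this example's own assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Interface:
    name: str
    network: Optional[ipaddress.IPv4Network] = None
    nat_role: Optional[str] = None    # "inside", "outside" or None
    policy_map: Optional[str] = None  # route-map applied with "ip policy"

@dataclass
class IosConfig:
    interfaces: dict = field(default_factory=dict)
    statics: list = field(default_factory=list)      # (proto, in_local, lport, in_global, gport)
    rmap_target: dict = field(default_factory=dict)  # route-map name -> "set interface"

STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def parse_ios(text: str) -> IosConfig:
    """Minimal parser: interface blocks, route-map blocks and static NAT lines.
    A '!' line closes the current block, as in 'show running-config' output."""
    cfg, cur_if, cur_rmap = IosConfig(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            cur_if = cur_rmap = None
            continue
        parts = line.split()
        if line.startswith("interface "):
            cur_if = cfg.interfaces.setdefault(parts[1], Interface(parts[1]))  # re-entry amends
            cur_rmap = None
        elif line.startswith("route-map "):
            cur_rmap, cur_if = parts[1], None
        elif STATIC_RE.match(line):
            p, il, lp, ig, gp = STATIC_RE.match(line).groups()
            cfg.statics.append((p, il, int(lp), ig, int(gp)))
        elif cur_if is not None:
            if line.startswith("ip address ") and len(parts) >= 4:
                cur_if.network = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
            elif line in ("ip nat inside", "ip nat outside"):
                cur_if.nat_role = parts[-1]
            elif line.startswith("ip policy route-map "):
                cur_if.policy_map = parts[-1]
        elif cur_rmap is not None and line.startswith("set interface "):
            cfg.rmap_target[cur_rmap] = parts[-1]
    return cfg

def hairpin_verdict(cfg, client_ip, public_ip, port, proto="tcp") -> Tuple[bool, str]:
    """(reachable, reason) for client_ip opening proto/public_ip:port."""
    entry = next((s for s in cfg.statics if s[0] == proto and s[3] == public_ip
                  and s[4] == port), None)
    if entry is None:
        return False, f"no static NAT entry for {proto}/{public_ip}:{port}"
    # Ingress: longest-prefix match on connected subnets; no match = off-net (WAN) client.
    addr = ipaddress.ip_address(client_ip)
    hits = [i for i in cfg.interfaces.values() if i.network and addr in i.network]
    ingress = max(hits, key=lambda i: i.network.prefixlen, default=None)
    if ingress is None or ingress.nat_role == "outside":
        return True, f"enters NAT outside; destination becomes {entry[1]}:{entry[2]}"
    # Inside client: only a policy route into a NAT-outside loopback puts the packet
    # on the outside->inside path where the static entry rewrites the destination.
    target = cfg.interfaces.get(cfg.rmap_target.get(ingress.policy_map, ""))
    if ingress.nat_role == "inside" and target is not None and target.nat_role == "outside":
        return True, f"policy-routed via {target.name} (NAT outside); process-switched path"
    return False, (f"enters {ingress.name} and never crosses NAT outside, so {public_ip} "
                   "is forwarded toward the WAN untranslated")

# Constructed sample, trimmed from the posted config (addresses substituted, see above).
POSTED_CONFIG = """\
interface GigabitEthernet0/0.2
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.4
 ip address 192.168.1.100 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.226 255.255.255.240
 ip nat outside
!
ip nat inside source static tcp 192.168.1.230 80 203.0.113.231 80 extendable
ip nat inside source static tcp 192.168.1.230 443 203.0.113.231 443 extendable
"""
# Same router plus the loopback hairpin (assumed loopback address, ACL and route-map).
HAIRPIN_CONFIG = POSTED_CONFIG + """\
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0.2
 ip policy route-map NAT_HAIRPIN
!
route-map NAT_HAIRPIN permit 10
 match ip address 150
 set interface Loopback0
"""
```

Running `hairpin_verdict(parse_ios(POSTED_CONFIG), "192.168.10.50", "203.0.113.231", 80)` returns `False` with the untranslated-toward-WAN reason; the same call against `HAIRPIN_CONFIG` returns `True` only for the interface that carries the policy route, so a host on GigabitEthernet0/0.4 is still reported as unreachable.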

2 Replies

Edison Ortiz (Hall of Fame)

In order for NAT to take place, the packet must flow from an 'ip nat inside' interface to an 'ip nat outside' interface.

In your case, the packet is flowing from an ip nat inside interface to another ip nat inside interface.

You can use a workaround by using a loopback interface and the process is explained on this URL

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

Regards,

Edison
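The loopback workaround Edison refers to, written out for this router as an added configuration example (it is not from the thread or a copy of the linked tech note, and the Loopback0 address, ACL numbers 150/151 and the route-map name are assumptions). The idea is that a loopback marked `ip nat outside` is stitched into the path with policy routing, so a LAN packet for XX.XX.XX.231 arrives "from outside" and the static entry rewrites its destination.

```cisco
! Added example (not from the thread): hairpin LAN traffic for the published
! address through a loopback marked 'ip nat outside'.  Loopback0's address,
! ACL 150/151 and the route-map name NAT_HAIRPIN are assumptions.
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
 ip nat outside
!
! Only LAN traffic for the published web address is policy-routed; everything
! else keeps its normal forwarding path.
access-list 150 permit tcp 192.168.10.0 0.0.0.255 host XX.XX.XX.231 eq www
access-list 150 permit tcp 192.168.10.0 0.0.0.255 host XX.XX.XX.231 eq 443
!
route-map NAT_HAIRPIN permit 10
 match ip address 150
 set interface Loopback0
!
interface GigabitEthernet0/0.2
 ip policy route-map NAT_HAIRPIN
!
! The hairpinned flow must also have its SOURCE translated.  Without this the
! server answers the 192.168.10.x client directly from 192.168.1.230, and the
! client drops a reply that does not come from XX.XX.XX.231:80/443.
access-list 151 permit tcp 192.168.10.0 0.0.0.255 host XX.XX.XX.231
ip nat inside source list 151 interface Loopback0 overload
```

Check it with `show route-map NAT_HAIRPIN` (the policy-routing match counter should increase when a LAN host browses to XX.XX.XX.231) and `show ip nat translations`, which should show both halves of a hairpinned connection: the client's address translated to the Loopback0 address and the server's 192.168.1.230 translated to XX.XX.XX.231. The existing `SDM_RMAP_1` overload rule also matches 192.168.10.0 sources, so confirm from that output which rule actually claimed the flow. Keep ACL 150 as narrow as possible: every packet it matches takes the process-switched path that the tech note warns about.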

Edison, thanks for the reply. After seeing this note and under the KISS principle I decided to add DNS records to direct hosts to the web server via the LAN side vs. sending them out and back in the public IP.

"The router must process switch every packet due to the loopback interface. This degrades the performance of the router."

Dan Foxley
