Using inbound NAT from the Inside network

I have a strange problem I hope someone might just know the answer to, before I start with TAC. I have an inbound static NAT for a web server on the inside network of a corporate office. It's a test server for a small internet startup. The outside access to the server works fine with the following:

access-list acl_outside permit tcp any host <PUBLIC IP B> eq 8080

static (inside,outside) tcp <PUBLIC IP B> 8080 <INTERNAL HOST> 8080 netmask

access-group acl_outside in interface outside

There is also a dynamic PAT for all outbound traffic on PUBLIC IP A, which is also the outside interface address.

So, browsing to http://PUBLIC IP:8080 works from the outside just fine, but users on the inside network get nothing when trying to browse http://PUBLIC IP:8080.

I did a capture on both the inside and outside interfaces. You can see the S packet go through from the client IP (on the inside network), but nothing ever shows up on the outside interface, nor are there ever any acks. Additionally, there is no traffic to the INTERNAL HOST. This tells me that the client IP is never NAT'd, nor is there a sync issue (the INTERNAL HOST never sees the request to send an ack to the client's real IP). Where is this traffic lost? Is it an ACL issue? I've tried to add an ACL to the internal interface, but it doesn't seem to matter. Anyone got any ideas?

Thanks much.

-Robby Morris


Re: Using inbound NAT from the Inside network

I believe I found the issue. Cisco does not allow, by default, for traffic to traverse the same security interface.

Using the same-security-traffic permit intra-interface command allows IPSec traffic (e.g. RA VPN users) to flow across the same interface, and according to this webpage, clear text is allowed in 7.2:

"Software release 7.2 includes the capability to route clear text data in and out of the same interface".
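
The inside-to-inside ("hairpin") case discussed in this thread, written out as a PIX/ASA 7.2-style configuration fragment. This is an added example, not configuration posted by either participant: only the same-security-traffic command comes from the thread, while the static (inside,inside) and global (inside) lines, NAT ID 1, the <INSIDE NET>/<INSIDE MASK> placeholders and the 255.255.255.255 netmask are assumptions.

```cisco
! Added example: hairpin access to an inside server through its public address.
! Pre-8.3 NAT syntax. Placeholders in <> follow the thread; NAT ID 1,
! <INSIDE NET>/<INSIDE MASK> and the host netmask are assumptions.

! 1. Permit traffic to enter and leave the same interface.
!    This is denied by default, so the inside client's SYN is dropped
!    before any translation takes place.
same-security-traffic permit intra-interface

! 2. Translate the destination for connections that arrive on the inside
!    interface: <PUBLIC IP B>:8080 is redirected to the real server.
!    The existing static (inside,outside) entry only matches traffic
!    arriving on the outside interface.
static (inside,inside) tcp <PUBLIC IP B> 8080 <INTERNAL HOST> 8080 netmask 255.255.255.255

! 3. Translate the client's source address to the firewall's inside
!    interface address for hairpinned flows. Without this, the server
!    replies directly to the client's real IP on the same subnet, the
!    client sees a SYN-ACK from an address it never contacted, and the
!    handshake fails.
nat (inside) 1 <INSIDE NET> <INSIDE MASK>
global (inside) 1 interface
```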