Local (Internal) network access to external IP address
We recently purchased a Cisco 2911 router with an expansion card with 8 ports (VLan1) for our web server (have 6 servers in the cabinet).
We were able to configure the 2911 so that VLan1 can access the internet through GigabitEthernet0/1 and the outside world can access our servers from GigabitEthernet0/1 -> Vlan1 (with all relevant port forwarding).
However, our internal servers cannot access themselves via the external IP address. Hitting the external IP address still showed the IOS web interface (which we've since disabled on port 80, thinking that might be a problem).
We need the internal servers to be able to reference themselves via the external IP address (or have NAT rules for the internal traffic on the external port?).
Any reference to the 2.x or 1.x networks can be ignored; it is our local office network and doesn't reflect the current location.
Thanks in advance,
The following is our config.
Current configuration : 6053 bytes
!
!
Last configuration change at 16:42:31 EDT Sat Jul 5 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname SMS-ROUTER
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 ----
!
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
!
ip cef
!
!
!
!
!
!
ip domain name smsgateway.ca
ip name-server 184.108.40.206
ip name-server 220.127.116.11
no ipv6 cef
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-----
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-----
 revocation-check none
 rsakeypair TP-self-signed-----
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name firstname.lastname@example.org
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-----
 certificate self-signed 01
  quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO2911/K9 sn ----
!
!
username admin privilege 15 secret 4 -----
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-WAN$
 ip address 192.168.2.201 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $ETH-EXTERNAL$$ETH-WAN$
 ip address w.x.y.z 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 description SMS-DATA$ETH-LAN$
 no ip address
!
interface GigabitEthernet0/1/1
 description SMS-WEB$ETH-LAN$
 no ip address
!
interface GigabitEthernet0/1/2
 no ip address
!
interface GigabitEthernet0/1/3
 no ip address
!
interface GigabitEthernet0/1/4
 no ip address
!
interface GigabitEthernet0/1/5
 no ip address
!
interface GigabitEthernet0/1/6
 no ip address
!
interface GigabitEthernet0/1/7
 no ip address
!
interface Vlan1
 ip address a.b.c.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source static tcp a.b.c.15 21 w.x.y.z 21 extendable
ip nat inside source static tcp a.b.c.100 80 w.x.y.z 80 extendable
ip nat inside source static tcp a.b.c.100 443 w.x.y.z 443 extendable
ip nat inside source static tcp a.b.c.20 1433 w.x.y.z 1433 extendable
ip nat inside source static tcp a.b.c.100 1433 w.x.y.z 1450 extendable
ip nat inside source static tcp a.b.c.105 1433 w.x.y.z 1451 extendable
ip nat inside source static tcp a.b.c.20 1433 w.x.y.z 1488 extendable
ip nat inside source static tcp a.b.c.20 5001 w.x.y.z 5001 extendable
ip nat inside source static tcp a.b.c.15 5003 w.x.y.z 5003 extendable
ip nat inside source static tcp a.b.c.55 5011 w.x.y.z 5011 extendable
ip nat inside source static tcp a.b.c.50 5014 w.x.y.z 5014 extendable
ip nat inside source static tcp a.b.c.105 3389 w.x.y.z 5101 extendable
ip nat inside source static tcp a.b.c.100 3389 w.x.y.z 5102 extendable
ip nat inside source static tcp a.b.c.25 7777 w.x.y.z 7777 extendable
ip nat inside source static tcp a.b.c.105 8081 w.x.y.z 8081 extendable
ip nat inside source static tcp a.b.c.105 8087 w.x.y.z 8087 extendable
ip nat inside source static tcp a.b.c.55 8088 w.x.y.z 8088 extendable
ip route 0.0.0.0 0.0.0.0 w.x.y.g 10
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit a.b.c.0 0.0.0.255
access-list 10 permit 192.168.2.113
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit a.b.c.0 0.0.0.255
access-list 15 permit a.b.c.0 0.0.0.255
!
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 1.pool.ntp.org
ntp server 0.pool.ntp.org
!
end
For internal access from your internal server, you are supposed to use the real address with the service port number, not the mapped address (NAT address).
If you look at the IP NAT translations on your router, you will see your inside local and inside global, and outside local and outside global, addresses.
For any translation for your internal server via a PAT IP address with port number,
the inside global, outside local and outside global will be the same as your router's public IP address / WAN IP address, with a difference only in port number. All traffic will be sourced from and destined to the same IP address, so it won't work.
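To make the answer concrete, here is an added example (not code from the original post or the answer) that parses the static PAT lines from the config in the question and tells an inside host the real address and service port it should use instead of the public one. The explain_flow helper is an assumed, simplified model of IOS NAT in which only packets arriving on the "ip nat outside" interface get their destination translated; a packet from Vlan1 addressed to w.x.y.z is therefore delivered to the router itself.

```python
import re

# Constructed sample: a subset of the static PAT lines from the question's
# config, with the same placeholders (a.b.c.N inside, w.x.y.z public).
NAT_LINES = """
ip nat inside source static tcp a.b.c.15 21 w.x.y.z 21 extendable
ip nat inside source static tcp a.b.c.100 80 w.x.y.z 80 extendable
ip nat inside source static tcp a.b.c.100 443 w.x.y.z 443 extendable
ip nat inside source static tcp a.b.c.20 1433 w.x.y.z 1433 extendable
ip nat inside source static tcp a.b.c.100 1433 w.x.y.z 1450 extendable
ip nat inside source static tcp a.b.c.105 3389 w.x.y.z 5101 extendable
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")


def parse_static_pat(text):
    """Map (proto, inside-global ip, port) -> (inside-local ip, port)."""
    table = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, lip, lport, gip, gport = m.groups()
            table[(proto, gip, int(gport))] = (lip, int(lport))
    return table


def internal_target(table, public_ip, port, proto="tcp"):
    """The real address and service port an inside host should dial."""
    return table.get((proto, public_ip, port))


def explain_flow(table, ingress, dst_ip, dst_port, public_ip, proto="tcp"):
    """Assumed simplified IOS NAT model: destination translation happens only
    for packets entering the 'ip nat outside' interface, so an inside host
    sending to the public address reaches the router, not the mapped server."""
    if dst_ip != public_ip:
        return "routed, no destination NAT"
    if ingress == "outside":
        tgt = internal_target(table, public_ip, dst_port, proto)
        return f"forwarded to {tgt[0]}:{tgt[1]}" if tgt else "delivered to router"
    return "delivered to router (hairpin: no outside->inside translation)"
```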
Is it that since I have NAT rules created, I cannot do this (as the source and destination are the same)? Or is my NAT incorrect and I should be using PAT rules to create inbound routes, or PAT rules that would allow me to do this?