01-17-2012 02:15 AM - edited 03-07-2019 04:23 AM
Hi All.
I've come up with this problem and I'm not sure how to configure that properly, so I'd be very appreciative of help from the experts. I was reading a Cisco manual about NAT on a Stick configuration, inside-inside NAT and many discussions, but I'm still not sure how to implement that in my case.
Below you can find an attached file with the network diagram.
The problem is that users in the office have iPhones, which connect to the office LAN over Wi-Fi to reach the Exchange Server (192.168.100.200) for their e-mail, but they can't, because the iPhone Exchange connection is configured with the public IP (218.55.66.77). They can connect to Exchange if they use an outside internet connection or the 3G data connection on the iPhones, but not the local connection. The PCs and laptops (using the Wi-Fi connection) can connect to Exchange internally without problems. Before that they had a Netgear router which was configured with a loopback for that.
The existing network is fully operational, so I can't really play around as people work there, so I need to be sure that when I add my loopback configuration there will be no disruption.
The existing router configuration:
887#sh ip int brie
Interface         IP-Address      OK? Method Status                Protocol
ATM0              unassigned      YES NVRAM  up                    up
Cellular0         unassigned      YES NVRAM  standby mode          down
Dialer0           unassigned      YES NVRAM  up                    up
Dialer1           218.55.66.77    YES IPCP   up                    up
Dialer2           unassigned      YES IPCP   up                    up
FastEthernet0     unassigned      YES unset  up                    down
FastEthernet1     unassigned      YES unset  up                    down
FastEthernet2     unassigned      YES unset  up                    down
FastEthernet3     unassigned      YES unset  up                    down
NVI0              unassigned      YES unset  administratively down down
Virtual-Access1   unassigned      YES unset  up                    up
Vlan1             192.168.100.1   YES NVRAM  up
887#sh run
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
description Trunk to Switch
switchport mode trunk
!
interface Vlan1
description **LAN**$FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local policy route-map track-primary-if
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source route-map nat2cell interface Dialer2 overload
ip nat inside source route-map nat2dsl interface Dialer1 overload
ip nat inside source static tcp 192.168.100.200 25 218.55.66.77 25 extendable
ip nat inside source static tcp 192.168.100.200 443 218.55.66.77 443 extendable
!
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 100
!
ip access-list extended no-nat
remark *** Internet NAT Service ***
permit ip 192.168.100.0 0.0.0.255 any
!
!
route-map track-primary-if permit 10
match ip address 103
set interface Dialer0 Dialer1
!
route-map nat2dsl permit 10
match ip address no-nat
match interface Dialer1
!
route-map nat2cell permit 10
match ip address no-nat
match interface Dialer2
!
route-map static-no-nat permit 20
match ip address static-no-nat
!
If I add this loopback configuration, will it work? Or do I need to reconfigure the VLAN, Fa3 or NVI interfaces?
int Loopback0
ip address 10.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
!
int Vlan1
ip address 218.55.66.77 255.255.255.0 secondary
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip policy route-map NAT-loop
!
ip nat pool external 218.55.66.77 218.55.66.77 netmask 255.255.255.0
ip nat inside source list 10 pool external overload
! static NAT syntax is local-ip followed by global-ip
ip nat inside source static 192.168.100.200 218.55.66.77
!
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
!
route-map NAT-loop permit 10
match ip address 102
set interface Loopback0
I saw that many NAT on a stick configurations use an Ethernet interface, but I have a VLAN interface. I'm not sure whether I need to reconfigure that to an Fa or NVI interface, and how.
Any help will be highly appreciated.
Regards
P.S. Firstly, I tried the NVI0 interface config, replacing ip nat inside/outside with ip nat enable, but it didn't work, as NVI0 is shut down and I can't bring it up.
Secondly, I attempted to configure subinterfaces on the Fa3 port, but it wasn't allowed.
Thirdly, if I configure the Loopback0 interface, I can't use some commands like ip policy route-map NAT, or the second IP address under int vlan1.
01-27-2012 06:18 AM
Although you could "fix" it using NAT, the correct way to configure Exchange is to allow it to be accessible via the internal network. Exchange has provisions to do that. Configuring Exchange in that manner is beyond this forum though.
01-27-2012 07:49 AM
As far as I know, the scenario of accessing the Exchange server using the public IP when sitting on the inside LAN is not possible with Cisco routers.
This can work if you can configure a one-to-one static NAT mapping for the Exchange server's private IP, because then DNS doctoring will happen for the DNS response and the iPhones will actually receive the private IP address of the Exchange server. For this you need another IP address than the physical IP of your outside interface. It would look something like this:
ip nat inside source static 192.168.100.200 218.55.66.78
But other than that, NAT on a stick does not always work well and is not officially supported by Cisco either. I have seen many Cisco TAC cases for this and every time it's the same answer.
Another point I would like to make here: using a loopback interface and manipulating the traffic, you might be able to reach the Exchange server, BUT the problem will ALWAYS come with the return traffic. I have tried to find a workaround for this many times and could not control the return traffic in any way. And yes, some third-party devices like Netgear routers will be able to accomplish this with ease.
P.S.: FYI, the Cisco ASA firewall can make it happen using the hairpinning technique, but routers cannot.
Check the following documents for more information:
http://blog.instruosolutions.com/2012/01/07/dns-doctoring-technique-on-cisco-routers/
https://supportforums.cisco.com/message/3542292#3542292
Hope it helps
Neeraj
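The return-path problem raised in this thread (the loopback plan in the original post, and the point above that the reply traffic is what breaks) can be seen in a small model. The following Python is an added example, not code from the thread or from Cisco: it models the 887 doing the static translation for a LAN client that connects to the public address, and reports where the server's SYN-ACK ends up. The addresses 218.55.66.77, 192.168.100.200 and 10.1.1.1 come from the thread; the client address 192.168.100.50, its source port, and the three router modes are constructed for the example.

```python
"""Model of the LAN-side hairpin to the Exchange server's public address.
Added example; addresses from the thread, client host/port constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "218.55.66.77"       # Dialer1 address the iPhones are configured with
EXCHANGE_IP = "192.168.100.200"  # Exchange server on Vlan1
LOOPBACK_IP = "10.1.1.1"         # Loopback0, used as the overload pool (assumed)
LAN_PREFIX = "192.168.100."      # Vlan1 subnet: hosts here are switched directly


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Router:
    """Three ways the router can treat a LAN packet sent to PUBLIC_IP.
    'none':      plain config; the packet is routed out Dialer1 and lost.
    'dnat':      policy-routed to the loopback so the static entry rewrites
                 the destination; the source is left alone.
    'dnat_snat': as 'dnat', plus the source is overloaded onto the loopback
                 address so the server's reply has to come back through us."""

    def __init__(self, mode: str):
        assert mode in ("none", "dnat", "dnat_snat")
        self.mode = mode
        self.snat_table: Dict[Tuple[str, int], str] = {}

    def handle_lan_packet(self, pkt: Packet) -> Optional[Packet]:
        """Packet as delivered to the Exchange server, or None if it never arrives."""
        if pkt.dst != PUBLIC_IP:
            return pkt
        if self.mode == "none":
            # inside->outside NAT only rewrites the source; the packet leaves
            # towards the ISP addressed to our own public IP and is lost.
            return None
        src = pkt.src
        if self.mode == "dnat_snat":
            src = LOOPBACK_IP
            # Overload table keyed on port (real PAT may also pick a new port).
            self.snat_table[(LOOPBACK_IP, pkt.sport)] = pkt.src
        return Packet(src, EXCHANGE_IP, pkt.sport, pkt.dport)

    def handle_reply(self, pkt: Packet) -> Packet:
        """Reverse both translations for a reply that routes back through the router."""
        src = PUBLIC_IP if pkt.src == EXCHANGE_IP else pkt.src
        dst = self.snat_table.get((pkt.dst, pkt.dport), pkt.dst)
        return Packet(src, dst, pkt.sport, pkt.dport)


def server_reply(pkt: Packet) -> Packet:
    """The server answers the addresses it saw on the incoming packet."""
    return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport)


def client_accepts(sent: Packet, reply: Packet) -> bool:
    """A TCP client only accepts a SYN-ACK matching the 4-tuple it opened."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        sent.dst, sent.dport, sent.src, sent.sport)


def hairpin_session(mode: str, client_ip: str = "192.168.100.50") -> dict:
    """Run one SYN / SYN-ACK exchange and report where the reply went."""
    router = Router(mode)
    syn = Packet(client_ip, PUBLIC_IP, 50000, 443)
    at_server = router.handle_lan_packet(syn)
    if at_server is None:
        return {"reached_server": False, "reply_via_router": False,
                "reply_src": None, "client_accepts": False}
    reply = server_reply(at_server)
    # A reply addressed to a Vlan1 host is switched straight to it and never
    # passes the router again; anything else follows the default route back.
    via_router = not reply.dst.startswith(LAN_PREFIX)
    if via_router:
        reply = router.handle_reply(reply)
    return {"reached_server": True, "reply_via_router": via_router,
            "reply_src": reply.src, "client_accepts": client_accepts(syn, reply)}


if __name__ == "__main__":
    for m in ("none", "dnat", "dnat_snat"):
        print(m, hairpin_session(m))
```

In the 'dnat' mode the SYN does reach Exchange, but the server answers 192.168.100.50 directly across the switch, so the client sees a SYN-ACK from 192.168.100.200 instead of 218.55.66.77 and drops it; that is the return-traffic problem described above. Only when the source is also translated onto an address that routes via the router ('dnat_snat') does the reply pass the NAT table a second time and come back looking like it came from the public IP.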
01-30-2012 03:48 AM
Hi Guys.
Thank you for your replies.
I'll try all your suggestions when I go on a site next time.
Glenn: I can't use DNS doctoring or internal/external DNS on the server, as they have an SBS Server which does not allow its own IP address to be used for DNS forwarding. This is what I got from their IT guy:
"Was only able to add the router (192.168.100.1) as a DNS forwarder on the SBS DNS; it would not allow me to add its own IP address.
I know that on the Sonicwall it does not matter about DNS; I have to put in a loop-back rule to make this work.
OR in Zyxel I have to change the rule from WAN to LAN.........to.........ALL to LAN"
Neeraj: So why can Netgear or Sonicwall do this job with one click, and a Cisco router cannot?
They have only one public IP, 218.55.66.77, so I can't use your rule.
Kristian: I'll try your suggestion to use IP NAT ENABLE again. But should NVI0 be up? I can't bring it up.
Thanks a lot.
Regards,