Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4334
Views
0
Helpful
3
Replies

Loopback, inside-inside NAT, NAT on Stick configurations for server access with Public IP

firestormnet
Level 1
Level 1

‎01-17-2012 02:15 AM - edited ‎03-07-2019 04:23 AM

Hi All.

I've come up with this problem and I'm not sure how to configure that properly. So I'll be a very appretiate to get help from experts. I was reading a Cisco's manual about NAT on Stick configuration, inside-inside NAT and many discussions, but still not sure how to implement that in my case.

Below you can find an attached file with nework diagram.

The problem is that users in office have iPhones, so they connect to office LAN by WIi-Fi to connect to Exchange Server (192.168.100.200) to get their e-mails, but they can't because iPhone Exchange connection is configured with Public IP (218.55.66.77). They can connect to Exchange if they use outside internet connection or 3G data connection on iPhones, but not local connection. The PCs and Laptops (using Wi-Fi connection) can connect to Exchange internally without problems. Before that they had a Netgear router which was configured with a Loopback for that.

The existing network is fully operational so I can't really play around as people work there, so I need to be sure when I add my Loopback configuration there will be no distruption.

The existing router configuration:

887#sh ip int brie

Interface                  IP-Address                OK? Method Status                          Protocol

ATM0                       unassigned                YES NVRAM  up                                   up

Cellular0                  unassigned                YES NVRAM  standby mode          down

Dialer0                    unassigned                YES NVRAM  up                                   up

Dialer1                    218.55.66.77             YES IPCP   up                                        up

Dialer2                    unassigned                YES IPCP   up                                        up

FastEthernet0              unassigned           YES unset  up                                   down

FastEthernet1              unassigned           YES unset  up                                   down

FastEthernet2              unassigned           YES unset  up                                   down

FastEthernet3              unassigned           YES unset  up                                   down

NVI0                                 unassigned           YES unset  administratively down down

Virtual-Access1            unassigned             YES unset  up                                   up

Vlan1                      192.168.100.1                    YES NVRAM                                          up

887#sh run

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

description Trunk to Switch

switchport mode trunk

!

interface Vlan1

description **LAN**$FW_INSIDE$

ip address 192.168.100.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

ip local policy route-map track-primary-if

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

!

ip nat inside source route-map nat2cell interface Dialer2 overload

ip nat inside source route-map nat2dsl interface Dialer1 overload

ip nat inside source static tcp 192.168.100.200 25 218.55.66.77 25 extendable

ip nat inside source static tcp 192.168.100.200 443 218.55.66.77 443 extendable

!

ip route 0.0.0.0 0.0.0.0 Dialer1 track 1

ip route 0.0.0.0 0.0.0.0 Dialer2 100

!

ip access-list extended no-nat

remark *** Internet NAT Service ***

permit ip 192.168.100.0 0.0.0.255 any

!

!

route-map track-primary-if permit 10

match ip address 103

set interface Dialer0 Dialer1

!

route-map nat2dsl permit 10

match ip address no-nat

match interface Dialer1

!

route-map nat2cell permit 10

match ip address no-nat

match interface Dialer2

!

route-map static-no-nat permit 20

match ip address static-no-nat

!

If I add that Loopback configuration, will it work? Or Do I need to re-configure VLAN, Fa0/3, NVI interfaces?

int Loopback0

     ip address 10.1.1.1 255.255.255.0

     ip nat outside

     ip virtual-reassembly

int VLAN1

     ip address 218.55.66.77 255.255.255.0 secondary

     ip address 192.168.100.1 255.255.255.0

     ip nat inside

ip policy route-map NAT-loop

ip nat pool external 218.55.66.77 218.55.66.77 netmask 255.255.255.0

ip nat inside source list 10 pool external overload

ip nat inside source static 218.55.66.77 192.168.100.200

access-list 10 permit 10.1.1.0 0.0.0.255

access-list 102 permit ip 192.168.100.0 0.0.0.255 any

access-list 102 permit ip 10.1.1.0 0.0.0.255 any

root-map NAT-loop permit 10

     match ip address 102

     set interface Loopback0

I saw that many NAT on stick configuration use an Ethernet interface, but I have VLAN interface. I'm not sure if I need to re-configure that to Fa or NVI interface and how?

Any help will be highly appretiated.

Regards

P.S. Firstly, I've tried NVI0 interface config with replacing ip nat (inside-outside) to ip nat enable, but it didn't work, as NVI0 is shutdown and I can't make it up.

Second attempt is configure subinterfaces on Fa3 port, but it didn't allow to do that.

Thirdly, If I configure Loopback0 interface, I can't use some commands like #ip policy route-map NAT; #int vlan1 - for second ip address.

Labels:
Preview file
118 KB
0 Helpful
3 Replies 3

Glenn Matthys
Level 1
Level 1

‎01-27-2012 06:18 AM

Although you could "fix" it using NAT, the correct way to configure Exchange is to allow it to be accessible via the internal network. Exchange has provisions to do that. Configuring Exchange in that manner is beyond this forum though.

0 Helpful

Neeraj Arora
Level 3
Level 3

‎01-27-2012 07:49 AM

As per me the scenario of accessing the Exchange server using the public ip when sitting on the inside LAN is not possible with Cisco routers.

This can work if you can configure one-to-one Static NAT mapping for the exchange server private ip because then DNS doctoring will happen for the DNS response and the iPhones will actually receive the private ip address of Exchange server. And for this you need to have another ip address than your outside interface physical ip. It would look something like this:

ip nat inside source static 192.168.100.200  218.55.66.78

But other than that, NAT on a stick does not work well always and is not officially supported by Cisco as well. Have seen many Cisco TAC cases for this and everytime its the same answer.

Another point I would like to make here is: using loopback interface and by manipulating the traffic you might be able to reach till the Exchange server BUT the problem will ALWAYS come for the return traffic. I have tried to find a workaround for this many times and could not control the return traffic by any way. And yes some third party devices like Netgear routers will be able to accomplish this with much ease.

P.S: FYI Cisco ASA firewall can make it happen using Hairpinning technique but not routers

Check the following documents for more information:

http://blog.instruosolutions.com/2012/01/07/dns-doctoring-technique-on-cisco-routers/

https://supportforums.cisco.com/message/3542292#3542292

Hope it helps

Neeraj

0 Helpful

firestormnet
Level 1
Level 1
In response to Neeraj Arora

‎01-30-2012 03:48 AM

Hi Guys.

Thank you for your replies.

I'll try all your suggestions when I go on a site next time.

Glenn: I can't use DNS doctoring or internal/external DNS on the Server as they have SBS Server which is not allowing to put his own IP address for DNS forwarding. This is what I get from their IT guy:

"Was only able to add the router (192.168.100.1) as a dns to the forwarders on the SBS DNS, would not allow me to add it's own IP address.

I know that on the Sonicwall it dose not matter about DNS, I have to put in a loop-back rule to make this work.
OR in Zyxel I have to change the ruel from WAN to LAN.........to.........ALL to LAN "

Neeraj: So why is Netgear or Sonicwall can do this job with one click, and Cisco router cannot do that?

They have only one Public IP 218.55.66.77, so I can't use your rule.

Kristian: I'll try again your suggestion to use IP NAT ENABLE. But should  NVI0 be up? As I can't make it up.

Thanks a lot.

Regards,

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card