11-13-2006 02:42 AM - edited 03-05-2019 12:46 PM
Hi Experts,
I am running a simple local net > (831) > (cable) ISP
DHCP (client), DDNS, NAT inside, FW and ACL (for the current needs) and NTP run smoothly.
Config:
831 et0: 192.168.1.1/24
et1: dhcp-ip (from ISP)
But there is one ugly problem I am struggling with:
In my private network there are several Web- and other servers
that are accessible from outside w/o any problem.
When I try to access one of the internal devices (example: Webserver on 192.168.1.77:1080)
from an internal client (192.168.1.214) using the webserver's NAT/PATed outside address
(http://dhcp-ip:1080) this request will run into nirvana.
http://dhcp-ip:1080 from an outside client will be NAT/PATed to the correct internal
server.
I have performed some experiments with "ip nat outside", "route-map" and "NVI" but I am lost a little bit.
Target:
Request from local client to http://DHCP-ip:1080 should
route to 192.168.1.77:1080
..this is basically the same functionality compared to
calling http://DHCP-ip:1080 from an outside client.
Please enlighten me :)
*********************************************************
config as attachment
*****************************
I have tried already the following
*************************
interface Ethernet0
<same as above>
ip policy route-map NBG01_1080
!
access-list 150 deny tcp host 192.168.1.77 eq 1080 any eq 1080 log-input
access-list 151 permit tcp host 85.216.75.167 eq 1080 any eq 1080 log-input
!
route-map NBG01_1080 permit 10
match ip address 150
set ip next-hop 192.168.1.77
!
route-map NBG01_1080 permit 20
set interface Ethernet1
!
*************************
which should(!) deny every tcp packet port 1080 on et0 except from 192.168.1.77 (acl 150) and
route-map this to 192.168.1.77
This does not work: acl 150 shows the correct denies in the log (while
accessing "http://DHCP-ip:1080" from an inside client), but the "next-hop"
seems not to work.
Anyway this is a suboptimal solution because it triggers on port 1080 to
every target from internal which might cause problems in the future.
In addition I tried "ip nat pool.." but I have a little lack of insight here ;))
Addn: no, changing DNS entries on the local clients will not help, because there are several ports PATed.
Best regards, Stephan
11-13-2006 07:19 AM
If you did have an internal DNS server, you would then be able to call that server DHCP-IP by name and on the inside it would resolve correctly right? Can you connect to 192.168.1.77:1080? If so then that should solve the problem.
11-13-2006 07:26 AM
Hi cdusio.
Yes, I do have an internal DNS, but I have many internal systems as well.
So having in my DNS
192.168.1.77 DHCP-IP-HOSTNAME
will solve this problem for this box
(because 192.168.1.77:1080 is then the same as
DHCP-IP-HOSTNAME:1080) but not solve the problem for other webservers/servers 192.168.1.xxx:yyyy.
This all should be as transparent as from outside...
thnx, Stephan
11-26-2006 08:44 AM
I have a question about your config, if you would be so kind as to help me. I have an 831 that I am trying to get up and running on my small LAN that is similar to yours. On the WAN side I have a cable modem, attached to e1. On the other side I have a 2900 switch that I am trying to attach to e0; the problem is that I don't know where to plug my switch into. I see that you are successfully using e0 based on this section of your config:
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
E1 is easily marked on this router but, the E0 side seems to be a 4 port switch. I can assign E1 an interface yet, when I plug my switch into this router, I do not get a link.
Can you please tell me what I am doing wrong?
Thank You!