Re: NAT/PAT using outside-ip on inside net

stephanhd · ‎11-13-2006

Hi Experts,

I am running a simple local net > (831) > (cable) ISP

DHCP(client), DDNS, NAT inside, FW and ACL (for the current needs) and NTP runs smoothly.

Config:

831 et0: 192.168.1.1/24

et1: dhcp-ip (from ISP)

But there is one ugly problem I am struggeling with:

In my private network there are several Web- and other servers

that are accessible from outside w/o any problem.

When I try to access one of the internal devices (example: Webserver on 192.168.1.77:1080)

from an internal client (192.168.1.214) using the webservers nat/patted outside adress

(http://dhcp-ip:1080) this request will run into nirvana.

http://dhcp-ip:1080 from an outside client will be nat/patted to the correct internal

server.

I have performed some experiments with "ip nat outside", "route-map" and "NVI" but I am lost a little bit.

Target:

Request from local client to http://DHCP-ip:1080 should

route to 192.168.1.77:1080

..this is basically the same functionality compared to

calling http://DHCP-ip:1080 from an outside client.

Please enlight me :)

*********************************************************

config as attachment

*****************************

I have tried already the following

*************************

interface Ethernet0

ip policy route-map NBG01_1080

!

access-list 150 deny tcp host 192.168.1.77 eq 1080 any eq 1080 log-input

access-list 151 permit tcp host 85.216.75.167 eq 1080 any eq 1080 log-input

!

route-map NBG01_1080 permit 10

match ip address 150

set ip next-hop 192.168.1.77

!

route-map NBG01_1080 permit 20

set interface Ethernet1

!

*************************

which should(!) deny every tcp packet port 1080 on et0 accept from 192.168.1.77 (acl 150) and

route-map this to 192.168.1.77

This does not work (acl 150 shows correct denies in the log (while

accessing "http://DHCP-ip:1080" from an inside client); but the "next-hop"

seems not to work.

Anyway this is a suboptimal solution because it triggers on port 1080 to

every target from internal which might cause problems in the future.

In addition I tried "ip nat pool.." but I have a litte lack of insight here ;))

Addn: no, changing DNS entries on the local clients will not help, because ther e are several ports PATed.

Best regards, Stephan

cdusio · ‎11-13-2006

If you did have an internal DNS server, you would then be able to call that server DHCP-IP by name and on the inside it would resolve correctly right? Can you connect to 192.168.1.77:1080? If so then that should solve the problem.

stephanhd · ‎11-13-2006

Hi cdusio.

yes, I do have an internal DNS, but I have many internal systems as well.

So having in my DNS

192.168.1.77 DHCP-IP-HOSTNAME

will solve this problem for this box

(because 192.168.1.77:1080 is then the same as

DHCP-IP-HOSTNAME:1080) but not solve the problem for other webservers/servers 192.168.1.xxx:yyyy.

This all should as transparent as from outside....

thnx, Stephan

stephanhd · ‎11-13-2006

updated: config.text

cventicinque · ‎11-26-2006

I have a question about your config, if you would be so kind as to help me. I have an 831 that I am trying to get up and running on my small lan that is similar to yours. one the wan side i have a cable modem, attached to e1. On the other side I have a 2900 switch that I am trying to attach to e0, the problem is that, I dont know where to plug my switch into. I see that you are successfully using e0 based on this section of your config:

interface Ethernet0

description $FW_INSIDE$$ETH-LAN$

ip address 192.168.1.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly

E1 is easily marked on this router but, the E0 side seems to be a 4 port switch. I can assign E1 an interface yet, when I plug my switch into this router, I do not get a link.

Can you please tell me what I am doing wrong?

Thank You!