Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Public to Private NAT translation

Hello, this is probably an easy question but I'm stuck. (all IP address's are fake)

External Block: 70.10.20.0/24

Interal Block: 192.168.10.0/24

I have a server with 192.168.10.50 and everyone in the network, servers and desktops can access this server. On the router I give it a nat translation

ip nat inside source static 192.168.10.50 70.10.20.50 extendable

so the outside world can access it, and they can and all seams to work fine. However, if I am on the private range, I cannot access it using the public IP address. Now, this isn't a major problem, however I cannot solve it so it does expose a lack in my knowledge.

Here some other bits of info that might be useful

ip nat pool ionic-pool 85.159.85.2 85.159.85.2 netmask 255.255.255.128
ip nat inside source list 10 pool ionic-pool overload

access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.11.0 0.0.0.255
access-list 10 permit 192.168.12.0 0.0.0.255
access-list 10 permit 192.168.200.0 0.0.0.255

interface GigabitEthernet0/1.5
description Public Range

encapsulation dot1Q 70
ip address 70.10.20.2 255.255.255.0
ip access-group 101 out
ip nat outside
no ip mroute-cache
standby ip 70.10.20.1
standby priority 120
standby preempt

interface GigabitEthernet0/3.2
description Private Range

encapsulation dot1Q 10 native
ip address 192.168.10.2 255.255.255.0
ip access-group OfficeWebTraffic in
ip nat inside
standby 1 ip 192.168.10.1
standby 1 priority 110
standby 1 preempt
!

Thanks

Everyone's tags (6)
2 REPLIES
Cisco Employee

Re: Public to Private NAT translation

Hi,

You are actually not supposed to contact your internal server from your internal network by its public IP address. Watch the sequence of steps that happens:

  1. You send a packet to the public IP of your server, sourced from your own internal network.
  2. By virtue of classic IP routing, this packet's destination is outside your network, so it will be sent out through the NAT box
  3. The NAT box notes that this packet is coming from inside to outside, so it rewrites its source IP address, not its destination, and sends it to internet, instead of rerouting it back to your own network

Note that even if the NAT box actually rerouted the packet back, it would create an unnecessary extra hop for all packets between you and the server because the communication would have to go through the NAT box instead of flowing directly.

Best regards,

Peter

Community Member

Re: Public to Private NAT translation

Thank you for your reply, I had a feeling this was what the end answer would be. So essentially, everyone internall uses the internal IP (or even a name pointing to that) and everyone externall uses the external (or DNS entry) and internal will never use external. That's good enough for me, just though I was missing something completly

Thanks for your time

1990
Views
0
Helpful
2
Replies
CreatePlease to create content