I have a 2811, with a DSL WIC.
Fa0/1 is setup as NAT inside (10.1.1.x)
Dialer0 is NAT outside (81.x.x.1 overload)
I also have a static NAT setting for one web server (10.1.1.200), which is mapped to one of my public IP address 81.x.x.10
The following works just fine :-
Inside PC's 10.1.1.x get NAT'ed outside to 81.x.x.1
Hosts on the internet can reach my Web Server 81.x.x.10
However, if I try to access 81.x.x.10 from inside my network, I get a TCP reply from 81.x.x.10 with RST,ACK bits set !!
I can however access the web interface on 81.x.x.1 which is the cisco router itsef, from INSIDE.
I have logged all access lists, but it does not seem to be an ACL problem.
Any idea what may be going wrong ?
I suspect this is because you are going in the wrong direction through your router. ie.
when a packet comes in to your router on the outside interface with a destination address of 81.x.x.10 it is natted to 10.1.1.200.
But you are not coming in on the outside interace so that NAT does not take place.
is there a reason why you need to do this ?. When you are on the internal lan can you not just contact the web servers on it's 10.1.1.200 address ?
In fact, NAT only works when packets pass through both "nat inside" and "nat outside" configured interfaces.
When you try to access 81.x.x.10 from inside your network, packets never pass through the outside interface and no address translation occurs.
Here is what is likely happening:
1. PC 10.1.1.100 sends SYN packet to 81.X.X.10.
2. Router default routes packet to ISP and NATs source 10.1.1.100 to 81.X.X.1.
3. ISP routes packet back and NAT translates 81.X.X.10 to 10.1.1.200.
4. 10.1.1.200 sends SYN ACK to 81.X.X.1. The NAT correctly translates 81.X.X.1 to 10.1.1.100, but fails to translate 10.1.1.200 to 81.X.X.10.
5. PC 10.1.1.100 receives SYN ACK, but from 10.1.1.200. Since the PC never sent a SYN to that address the response is a RST.
6. Server responds with a RST ACK.
You could confirm this with a debug ip nat.
Just using the private server address internally is the easy way out of this. You could also change your NAT pool address to a new public address other than the interface subnet, thereby routing packets in both directions through your ISP and meeting the requirement of traversing the inside and outside NAT interfaces.
Please rate helpful posts.
I think your explanation is spot on.
I did do a debug nat, and did see some
translations going on.
Are you suggesting that a way out (other than to use the internal address, which I am doing anyway), is to give a Public IP address like 82.x.x.10 ?
Unfortunately, my ISP wont give me more than 1 block of 16 IP addresses in 1 subnet.
What is the subnet mask on Dialer0?
Something like this would work:
Dialer0 81.X.X.1 255.255.255.252
Server NAT public 81.X.X.10
inside NAT Overload 81.X.X.11
By not using the interface address for your NAT overload the server responses would default route to the ISP and come back, allowing NAT to work normally.
The address for Dialer0 is
My range of 16 IP addr is 81.x.x.112/28
PC's get NAT'ed using Dialer0's IP. (114)
If I understand your reply correctly,
I'll change the Inside PCs to use nat address of 116,
and the webserver server to use 115, and see if that works.
Yes, that should work.
Does your default route point to the next hop address of .113, or Dialer0? If it uses Dialer0 you may need to change it the ISPs router address .113.
My default route is to Dialer0.
My router itself is 114, and I dont have anything on 113.
Are you saying I should do something like :-
isp.def.gw.xx 0.0.0.0 Dialer0
0.0.0.0 0.0.0.0 isp.def.gw.xx
Where isp.def.gw.xx is the IP address of
the ISP's default gateway ?
You can reconfigure your NAT and try it without changing the default route, but sometimes there is an issue with proxy ARP if your default route is like this:
ip route 0.0.0.0 0.0.0.0 dialer0
This is better:
ip route 0.0.0.0 0.0.0.0 81.X.X.113
Since the network address is .112 the first usable address is .113, which is almost surely the address of the interface on the ISP router since they assigned you .114. You could try pinging the .113, contact your ISP to be sure, or just change it afterhours and see if it works.
I tried various things, but still cant seem to get NAT to work both ways.
What I have not done yet, is to further subnet my assigned range of 16 IP addresses.
I am attaching an extract of my config, in the hope that maybe you can spot what is wrong.
I also did a Ethreal Trace, and when I make a request to the web server external IP, from an internal PC,
I see a return from the web servers Extrnal Address, to my internal address, with a TCP RST.
The config uses route-maps + ACLS for NAT, because I also have VPN clients, for which I dont want internal servers to be nat'ed.
All internal PC's are 10.1.1.x
ISP assigned address range is 81.x.x.112/28,
and I chose .14 as the IP address of the router, instead of .13, as earlier, I had an external ADSL Modem with IP address of 13.
The web server public addr is 81.x.x.115, which is staticly nat'ed to 10.1.10.10
Thanks for any help !!
Below is the output of a debug ip nat detail
I open a browser session from 10.1.1.216 to
81.x.x.115, which is the web server.
Jan 22 15:11:47.701: NAT: map match SDM_RMAP_1
Jan 22 15:11:47.701: NAT: Allocated Port for 10.1.1.216 -> 81.xx.xx.114: wanted 3296 got 3296
Jan 22 15:11:47.701: NAT: i: tcp (10.1.1.216, 3296) -> (81.xx.xx.115, 80) 
Jan 22 15:11:47.701: NAT: s=10.1.1.216->81.xx.xx.114, d=81.xx.xx.115 
Jan 22 15:11:47.701: NAT: o: tcp (81.xx.xx.115, 80) -> (81.xx.xx.114, 3296) 
Jan 22 15:11:47.701: NAT: s=81.xx.xx.115, d=81.xx.xx.114->10.1.1.216 
The config shows you are stilling using Dialer0 for your inside source dynamic NAT. You need to create a NAT pool with the new address and use that in the NAT statement.
You also need to change your default route to use the next router hop address. Since the DSL modem is using .113 you will need to determine what this address is. Perhaps .126, that would be the last usable address in the subnet. ISPs usually use the first or last. You may need to contact them.
Unfortunately, I tried all the suggestions above, and still cant seem to get it to work :-(
It seems that the root cause of the problem is that packets from inside are not traversing the "outside" interface, thus causing NAT to behave strangly.
I tried using route-maps, but that also did not help.
If I do manage to get this to work somehow, I'll post my config here :-)
The "easy" way to fix this can happen two ways:
You can bring up or change your internal (inside) DNS to point to the 10.1.1.200 ... and make sure your internal clients use the internal DNS as primary (the internal DNS can also serve addresses on the outside)
If you only have a couple PCs on the inside, you can add the web server's internal address to the "hosts" file (on WinXp it's located in C:\WINDOWS\SYSTEM32\DRIVERS\ETC)
Either way, systems on the outside can use either the outside address or external DNS name, and inside PCs, using the NAME of the webserver can access without jumping through hoops.
If the DNS names are the same (inside and outside DNS) then there'd be no change in operation ... the same "Favorites" or "Bookmarks" would work from inside or outside.