01-17-2003 03:39 PM - edited 03-02-2019 04:18 AM
I have a NAT problem I am trying to resolve. Can somebody help me?
I have a 2651 router performing NAT/PAT with many interfaces on it.
FastEthernet0/1 is my outside (ip nat outside) interface.
Several inside LAN interfaces are natted (ip nat inside)
I have some routes to other inside routers in my natted network.
My inside natted network is 10.170.0.0/20 broken down into several /24s interfaces
Everything talks and works. My web server on an outside IP address talks to everybody just fine. When I renumber my webserver from an outside IP address to 10.170.1.5/24 and place it on my ethernet numbered 10.170.1.1/24, everybody outside can still get to the web server just fine. All of the internal natted networks can see 10.170.1.5 just fine.
The big problem is none of my internal natted networks can talk to my web server using the outside IP. I have way too many people, programs and machines to reconfigure to use the new inside IP address of the web server.
What can I do to make my inside natted networks talk to the webserver (now natted & port forwarded) so the same URLs and outside IP address still work to my inside network?
I have never been able to make this work on any Cisco IOS. I have found no examples on the Cisco site and I have found no documentation stating this is supported or not supported.
Does somebody have an example config I can take a look at which has the following:
1 outside nat/pat (overflow) interface
Internal access list 1 something like 10.170.0.0 0.0.15.255
several internal interfaces (broken down to /24s)
routes to other internal routers on internal network (route /24 to something)
Two or more web servers available to the outside Internet which are numbered in the natted LAN, and port forwards that allow the outside Internet (and inside intranet) to access the web servers using the outside IP address of the web servers.
I sure hope this is something that can be done.
Thank you in advance
Tom Jones
If this works - below is my current config
assume I have a valid outside /30 set of Internet IPs routed to my router. I want to place a web server inside on 10.170.1.5 and have it available as http://out.sideip.170.146 such that the inside PC machines and outside PC machine can still reach my web server by using http://out.sideip.170.146 although it is really at 10.170.1.5
!
version 12.2
no service single-slot-reload-enable
service nagle
no service pad
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname xxx
!
logging buffered 4096 debugging
logging rate-limit 300
aaa new-model
aaa authentication login default local
enable secret xxx
enable password xxx
!
username xxx
username xxx
username xxx
username xxx
clock timezone PST 0
ip subnet-zero
no ip source-route
!
!
no ip finger
ip domain-name xxx
ip name-server out.side.160.10
ip name-server out.side.168.10
no ip dhcp conflict logging
!
no ip dhcp-client network-discovery
frame-relay switching
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
ip nat outside
no ip route-cache
no ip mroute-cache
!
interface Loopback1
no ip address
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description 802.1Q Tagged vlans (2651 router FastEthernet0/0 <--> 3550-48 switch FastEthernet0/3)
no ip address
no ip unreachables
no ip route-cache
no ip mroute-cache
speed 100
full-duplex
!
interface FastEthernet0/0.1
description Native vlan
encapsulation dot1Q 1 native
no ip route-cache
no ip mroute-cache
!
interface FastEthernet0/0.100
description out.side.x.x web server lan (out.side.170.113 255.255.255.240 is routed to this router)
encapsulation dot1Q 100
ip address out.side.170.113 255.255.255.240
no ip route-cache
no ip mroute-cache
!
interface FastEthernet0/0.102
description Internal network (was 10 meg card on router)
encapsulation dot1Q 102
ip address 10.170.0.1 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
!
interface FastEthernet0/0.103
description DMZ #1 - Where I am trying to put my natted web servers from another IP route to this router
encapsulation dot1Q 103
ip address 10.170.1.1 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
ip policy route-map back
!
interface Serial0/0
description GTE FrameRelay Interface
bandwidth 1500
no ip address
no ip unreachables
encapsulation frame-relay IETF
no ip route-cache
no ip mroute-cache
carrier-delay msec 0
fair-queue
!
interface Serial0/0.16 point-to-point
description (this 2651 router <---FrameRelay--> 1720 router) routed IPs 10.170.3/24 10.170.8/22
bandwidth 1500
ip address 10.170.4.5 255.255.255.252
no ip unreachables
ip nat inside
no ip route-cache
no ip mroute-cache
ip policy route-map server
carrier-delay msec 0
frame-relay interface-dlci 16 IETF
!
interface FastEthernet0/1
description Internet feed into this 2651 router FastEthernet0/1 <--> 3550-48 L3 FastEthernet0/15)
ip address out.side.170.138 255.255.255.252
no ip unreachables
ip nat outside
no ip route-cache
no ip mroute-cache
speed 100
full-duplex
!
interface Ethernet1/0
description Not Used - (2651 router Ethernet1/0 <--> 3550-48 switch FastEthernet0/2)
no ip address
no ip unreachables
shutdown
full-duplex
!
router ospf 10
log-adjacency-changes
redistribute connected subnets
redistribute static subnets
network 10.170.4.4 0.0.0.3 area 100
!
ip nat inside source list 1 interface FastEthernet0/1 overload
!
ip nat inside source static 10.170.1.5 out.side.170.146
! NOTE: I have a test web server sitting at 10.170.1.5 and it can be seen
! on the outside world as http://out.side.170.146
! My inside PCs can see http://10.170.1.5
! Problem - my inside PCs can not see http://out.side.170.146
!
ip nat inside source static tcp 10.170.3.40 5631 out.side.170.145 5631 extendable
ip nat inside source static udp 10.170.3.40 5632 out.side.170.145 5632 extendable
ip nat inside source static tcp 10.170.3.248 5631 out.side.170.144 5631 extendable
ip nat inside source static udp 10.170.3.248 5632 out.side.170.144 5632 extendable
ip nat inside source static tcp 10.170.3.140 1417 out.side.170.143 1417 extendable
ip nat inside source static udp 10.170.3.140 407 out.side.170.143 407 extendable
ip nat inside source static tcp 10.170.3.76 6502 out.side.170.141 6502 extendable
ip nat inside source static tcp 10.170.3.140 407 out.side.170.143 407 extendable
ip nat inside source static tcp 10.170.3.140 6502 out.side.170.143 6502 extendable
ip nat inside source static tcp 10.170.3.176 6502 out.side.170.142 6502 extendable
ip nat inside source static tcp 10.170.3.49 3389 out.side.170.140 3389 extendable
ip nat inside source static tcp 10.170.3.49 6502 out.side.170.140 6502 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 out.side.170.137
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
no ip http server
!
!
access-list 1 permit 10.170.0.0 0.0.0.255
access-list 1 permit 10.170.1.0 0.0.0.255
access-list 1 permit 10.170.2.0 0.0.0.255
access-list 1 permit 10.170.3.0 0.0.0.255
access-list 1 permit 10.170.4.0 0.0.0.255
access-list 1 permit 10.170.5.0 0.0.0.255
access-list 1 permit 10.170.6.0 0.0.0.255
access-list 1 permit 10.170.7.0 0.0.0.255
access-list 1 permit 10.170.8.0 0.0.3.255
access-list 1 permit 10.170.12.0 0.0.0.255
access-list 1 permit 10.170.13.0 0.0.0.255
access-list 1 permit 10.170.14.0 0.0.0.255
access-list 1 permit 10.170.15.0 0.0.0.255
!
access-list 120 permit ip host 10.170.8.2 host out.side.170.146
access-list 121 permit ip host 10.170.1.5 host 10.170.8.2
route-map server permit 10
match ip address 120
set interface Loopback0
!
route-map back permit 10
match ip address 121
set interface Loopback0
!
!
!
dial-peer cor custom
!
!
!
banner login ^C
******************** ATTENTION ********************
THIS IS A PRIVATE COMPUTER SYSTEM.
STATE AND FEDERAL STATUTES MAKE IT A CRIME TO GAIN
UNAUTHORIZED ACCESS INTO THIS COMPUTER SYSTEM.
VIOLATORS WILL BE PROSECUTED.
SYSTEM USE IS ONLY FOR AUTHORIZED PURPOSES.
******************** ATTENTION ********************
^C
!
line con 0
exec-timeout 60 0
transport input none
line aux 0
modem callout
transport preferred telnet
transport input all
stopbits 1
line vty 0 4
exec-timeout 60 0
password xxx
line vty 5 15
exec-timeout 60 0
password xxx
!
no scheduler allocate
end
01-17-2003 05:56 PM
Cannot be done via Cisco. The best way to circumvent this problem is via DNS. If you maintain your own DNS servers set up an external and internal DNS. The internal DNS will have the url resolve to the private IP while the external DNS will have the url resolve to the public ip. If you cannot do that, just add an entry into each workstations host table for url name to ip address. The host table will override any DNS lookup. Even windows boxes have an \etc\hosts file. Just search for the folder \etc to find the full path.
Kevin
01-17-2003 06:47 PM
Winnt 4.0/2000
C:\Winnt\system32\drivers\etc\host
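The split-DNS / hosts-file workaround from the two replies above, worked through as an added example that is not from either poster: it reads static NAT lines in the same form as the `ip nat inside source static` entries in the posted config, and derives the "internal view" of the public DNS zone (name to inside address) that an internal DNS server or the workstations' hosts file should carry. Everything here is constructed: the RFC 5737 addresses 203.0.113.x stand in for "out.side.x.x", the example.com names are hypothetical, and the sample zone and NAT lines are made up to show one caveat a practitioner will hit: an outside address whose per-port forwards go to two different inside hosts cannot be reproduced by a single A record, so those names are reported separately instead of being silently mapped.

```python
import re
from ipaddress import ip_address

# Constructed sample in the same form as the poster's static NAT lines, with
# RFC 5737 documentation addresses (203.0.113.0/24) standing in for "out.side.x.x".
SAMPLE_CONFIG = """\
ip nat inside source static 10.170.1.5 203.0.113.146
ip nat inside source static tcp 10.170.3.49 3389 203.0.113.140 3389 extendable
ip nat inside source static tcp 10.170.3.49 6502 203.0.113.140 6502 extendable
ip nat inside source static tcp 10.170.3.40 5631 203.0.113.145 5631 extendable
ip nat inside source static udp 10.170.3.41 5632 203.0.113.145 5632 extendable
"""

# Constructed: what the Internet-facing DNS zone publishes (hypothetical names).
EXTERNAL_ZONE = {
    "www.example.com": "203.0.113.146",   # one-to-one static NAT to one inside host
    "rdp.example.com": "203.0.113.140",   # two port forwards, same inside host
    "pca.example.com": "203.0.113.145",   # port forwards to two different inside hosts
    "mail.example.com": "203.0.113.150",  # not translated at all
}

# Matches both forms: "static <inside> <outside>" and
# "static tcp|udp <inside> <port> <outside> <port> [extendable]".
STATIC_RE = re.compile(
    r"^ip nat inside source static\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<inside>\S+)\s+(?P<iport>\d+)\s+(?P<outside>\S+)\s+(?P<oport>\d+)"
    r"|(?P<inside1>\S+)\s+(?P<outside1>\S+))"
)


def parse_static_nat(config_text):
    """Return a list of (proto, inside_ip, outside_ip) tuples from static NAT lines.

    proto is 'tcp'/'udp' for port forwards and 'any' for one-to-one entries.
    ip_address() is used only to reject anything that is not a literal address.
    """
    mappings = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        if m.group("proto"):
            proto, inside, outside = m.group("proto"), m.group("inside"), m.group("outside")
        else:
            proto, inside, outside = "any", m.group("inside1"), m.group("outside1")
        mappings.append((proto, str(ip_address(inside)), str(ip_address(outside))))
    return mappings


def inside_hosts_for(mappings):
    """Map each outside address to the set of inside hosts it fronts."""
    by_outside = {}
    for _proto, inside, outside in mappings:
        by_outside.setdefault(outside, set()).add(inside)
    return by_outside


def internal_view(external_zone, mappings):
    """Build the internal DNS view of a public zone.

    Returns (internal, ambiguous):
      internal  - name -> inside address where the outside address fronts exactly
                  one inside host (untranslated names keep their public address);
      ambiguous - name -> sorted inside hosts where the outside address is shared by
                  several inside hosts; one A record cannot express that, so these
                  need a per-name decision (or a real hairpin/reflection on the edge).
    """
    by_outside = inside_hosts_for(mappings)
    internal, ambiguous = {}, {}
    for name, outside in external_zone.items():
        hosts = by_outside.get(outside)
        if not hosts:
            internal[name] = outside
        elif len(hosts) == 1:
            internal[name] = next(iter(hosts))
        else:
            ambiguous[name] = sorted(hosts)
    return internal, ambiguous


def hosts_file_lines(internal):
    """Render the internal view as lines for a workstation hosts file."""
    return [f"{ip}\t{name}" for name, ip in sorted(internal.items())]


if __name__ == "__main__":
    internal, ambiguous = internal_view(EXTERNAL_ZONE, parse_static_nat(SAMPLE_CONFIG))
    print("\n".join(hosts_file_lines(internal)))
    for name, hosts in ambiguous.items():
        print(f"# {name}: outside address forwards to several inside hosts {hosts}; not mapped")
```

The internal view is the same data whether it ends up as A records in an inside-only DNS zone or as lines in each workstation's hosts file; the hosts file simply has no way to handle the ambiguous names, which is why the script refuses to guess for them.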