
Nat Problem - Can inside devices talk to the port forwarded inside devices

cisco
Level 1

I have a NAT problem I am trying to resolve. Can somebody help me?

I have a 2651 router performing NAT/PAT with many interfaces on it.

FastEthernet0/1 is my outside (ip nat outside) interface.

Several inside LAN interfaces are natted (ip nat inside)

I have some routes to other inside routers in my natted network.

My inside natted network is 10.170.0.0/20, broken down into several /24 interfaces.

Everything talks and works. My web server on an outside IP address talks to everybody just fine. When I renumber my webserver from an outside IP address to 10.170.1.5/24 and place it on my ethernet numbered 10.170.1.1/24, everybody outside can still get to the web server just fine. All of the internal natted networks can see 10.170.1.5 just fine.

The big problem is none of my internal natted networks can talk to my web server using the outside IP. I have way too many people, programs and machines to reconfigure to use the new inside IP address of the web server.

What can I do to make my inside natted networks talk to the webserver (now natted & port forwarded) so the same URLs and outside IP address still work to my inside network?

I have never been able to make this work on any Cisco IOS. I have found no examples on the Cisco site and I have found no documentation stating this is supported or not supported.

Does somebody have an example config I can take a look at which has the following:

1 outside nat/pat (overflow) interface

Internal access list 1 something like 10.170.0.0 0.0.15.255

several internal interfaces (broken down to /24s)

routes to other internal routers on internal network (route /24 to something)

Two or more web servers available to the outside Internet which are numbered in the natted LAN, and port forwards that allow the outside Internet (and inside intranet) to access the web servers using the outside IP address of the web servers.

I sure hope this is something that can be done.

Thank you in advance

Tom Jones

If this works - below is my current config

Assume I have a valid outside /30 set of Internet IPs routed to my router. I want to place a web server inside on 10.170.1.5 and have it available as http://out.sideip.170.146 such that the inside PC machines and outside PC machines can still reach my web server by using http://out.sideip.170.146 although it is really at 10.170.1.5.

!
version 12.2
no service single-slot-reload-enable
service nagle
no service pad
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname xxx
!
logging buffered 4096 debugging
logging rate-limit 300
aaa new-model
aaa authentication login default local
enable secret xxx
enable password xxx
!
username xxx
username xxx
username xxx
username xxx
clock timezone PST 0
ip subnet-zero
no ip source-route
!
!
no ip finger
ip domain-name xxx
ip name-server out.side.160.10
ip name-server out.side.168.10
no ip dhcp conflict logging
!
no ip dhcp-client network-discovery
frame-relay switching
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
!
interface Loopback1
 no ip address
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description 802.1Q Tagged vlans (2651 router FastEthernet0/0 <--> 3550-48 switch FastEthernet0/3)
 no ip address
 no ip unreachables
 no ip route-cache
 no ip mroute-cache
 speed 100
 full-duplex
!
interface FastEthernet0/0.1
 description Native vlan
 encapsulation dot1Q 1 native
 no ip route-cache
 no ip mroute-cache
!
interface FastEthernet0/0.100
 description out.side.x.x web server lan (out.side.170.113 255.255.255.240 is routed to this router)
 encapsulation dot1Q 100
 ip address out.side.170.113 255.255.255.240
 no ip route-cache
 no ip mroute-cache
!
interface FastEthernet0/0.102
 description nternal network (was 10 meg card on router)
 encapsulation dot1Q 102
 ip address 10.170.0.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
!
interface FastEthernet0/0.103
 description DMZ #1 - Where I am trying to put my natted web servers from another IP route to this router
 encapsulation dot1Q 103
 ip address 10.170.1.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 ip policy route-map back
!
interface Serial0/0
 description GTE FrameRelay Interface
 bandwidth 1500
 no ip address
 no ip unreachables
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
 carrier-delay msec 0
 fair-queue
!
interface Serial0/0.16 point-to-point
 description (this 2651 router <---FrameRelay--> 1720 router) routed IPs 10.170.3/24 10.170.8/22
 bandwidth 1500
 ip address 10.170.4.5 255.255.255.252
 no ip unreachables
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 ip policy route-map server
 carrier-delay msec 0
 frame-relay interface-dlci 16 IETF
!
interface FastEthernet0/1
 description Internet feed into this 2651 router FastEthernet0/1 <--> 3550-48 L3 FastEthernet0/15)
 ip address out.side.170.138 255.255.255.252
 no ip unreachables
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 speed 100
 full-duplex
!
interface Ethernet1/0
 description Not Used - (2651 router Ethernet1/0 <--> 3550-48 switch FastEthernet0/2)
 no ip address
 no ip unreachables
 shutdown
 full-duplex
!
router ospf 10
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 network 10.170.4.4 0.0.0.3 area 100
!
ip nat inside source list 1 interface FastEthernet0/1 overload
!
ip nat inside source static 10.170.1.5 out.side.170.146
! NOTE: I have a test web server sitting at 10.170.1.5 and it can be seen
! on the outside world as http://out.side.170.146
! My inside PCs can see http://10.170.1.5
! Problem - my inside PCs can not see http://out.side.170.146
!
ip nat inside source static tcp 10.170.3.40 5631 out.side.170.145 5631 extendable
ip nat inside source static udp 10.170.3.40 5632 out.side.170.145 5632 extendable
ip nat inside source static tcp 10.170.3.248 5631 out.side.170.144 5631 extendable
ip nat inside source static udp 10.170.3.248 5632 out.side.170.144 5632 extendable
ip nat inside source static tcp 10.170.3.140 1417 out.side.170.143 1417 extendable
ip nat inside source static udp 10.170.3.140 407 out.side.170.143 407 extendable
ip nat inside source static tcp 10.170.3.76 6502 out.side.170.141 6502 extendable
ip nat inside source static tcp 10.170.3.140 407 out.side.170.143 407 extendable
ip nat inside source static tcp 10.170.3.140 6502 out.side.170.143 6502 extendable
ip nat inside source static tcp 10.170.3.176 6502 out.side.170.142 6502 extendable
ip nat inside source static tcp 10.170.3.49 3389 out.side.170.140 3389 extendable
ip nat inside source static tcp 10.170.3.49 6502 out.side.170.140 6502 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 out.side.170.137
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
no ip http server
!
!
access-list 1 permit 10.170.0.0 0.0.0.255
access-list 1 permit 10.170.1.0 0.0.0.255
access-list 1 permit 10.170.2.0 0.0.0.255
access-list 1 permit 10.170.3.0 0.0.0.255
access-list 1 permit 10.170.4.0 0.0.0.255
access-list 1 permit 10.170.5.0 0.0.0.255
access-list 1 permit 10.170.6.0 0.0.0.255
access-list 1 permit 10.170.7.0 0.0.0.255
access-list 1 permit 10.170.8.0 0.0.3.255
access-list 1 permit 10.170.12.0 0.0.0.255
access-list 1 permit 10.170.13.0 0.0.0.255
access-list 1 permit 10.170.14.0 0.0.0.255
access-list 1 permit 10.170.15.0 0.0.0.255
!
access-list 120 permit ip host 10.170.8.2 host out.side.170.146
access-list 121 permit ip host 10.170.1.5 host 10.170.8.2
route-map server permit 10
 match ip address 120
 set interface Loopback0
!
route-map back permit 10
 match ip address 121
 set interface Loopback0
!
!
!
dial-peer cor custom
!
!
!
banner login ^C
******************** ATTENTION ********************
THIS IS A PRIVATE COMPUTER SYSTEM.
STATE AND FEDERAL STATUTES MAKE IT A CRIME TO GAIN
UNAUTHORIZED ACCESS INTO THIS COMPUTER SYSTEM.
VIOLATORS WILL BE PROSECUTED.
SYSTEM USE IS ONLY FOR AUTHORIZED PURPOSES.
******************** ATTENTION ********************
^C
!
line con 0
 exec-timeout 60 0
 transport input none
line aux 0
 modem callout
 transport preferred telnet
 transport input all
 stopbits 1
line vty 0 4
 exec-timeout 60 0
 password xxx
line vty 5 15
 exec-timeout 60 0
 password xxx
!
no scheduler allocate
end

2 Replies

kevin-reynolds
Level 1

Cannot be done via Cisco. The best way to circumvent this problem is via DNS. If you maintain your own DNS servers, set up an external and internal DNS. The internal DNS will have the URL resolve to the private IP while the external DNS will have the URL resolve to the public IP. If you cannot do that, just add an entry into each workstation's host table for URL name to IP address. The host table will override any DNS lookup. Even Windows boxes have an \etc\hosts file. Just search for the folder \etc to find the full path.

Kevin

Winnt 4.0/2000

C:\Winnt\system32\drivers\etc\host
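Added example (not code from either poster): a small Python model of the NAT order of operations that leaves an inside PC's request to the public address untranslated, alongside the split-horizon DNS workaround described in the reply. The 203.0.113.x and 198.51.100.7 addresses are constructed stand-ins for the thread's masked public block, and the inside/outside processing order is a simplified assumption about IOS, not a quote from Cisco documentation.

```python
import ipaddress

# Constructed addresses: 203.0.113.x (TEST-NET-3) stands in for the thread's
# masked out.side.170.x block; 198.51.100.7 is a constructed outside client.
INSIDE_NET = ipaddress.ip_network("10.170.0.0/20")   # the range access-list 1 covers
OVERLOAD_GLOBAL = "203.0.113.138"                     # FastEthernet0/1 (ip nat outside)
INSIDE_WEB, OUTSIDE_WEB = "10.170.1.5", "203.0.113.146"
STATIC = {INSIDE_WEB: OUTSIDE_WEB}                    # ip nat inside source static
STATIC_REVERSE = {g: l for l, g in STATIC.items()}


def role(ip):
    """Which side of NAT an address lives on, as the routing table would decide."""
    return "inside" if ipaddress.ip_address(ip) in INSIDE_NET else "outside"


def translate(src, dst):
    """Simplified assumption about IOS 'ip nat inside source' processing:
    outside->inside: destination translated first, then routed;
    inside->outside: routed first, then source translated;
    inside->inside: NAT never touches the packet."""
    if role(src) == "outside":
        return src, STATIC_REVERSE.get(dst, dst)      # global -> local if a static entry exists
    if role(dst) == "outside":                        # default route sends it out Fa0/1
        return STATIC.get(src, OVERLOAD_GLOBAL), dst  # source rewritten, destination untouched
    return src, dst                                   # stays inside, no translation


# Split-horizon DNS data as the reply describes it (zone name is constructed).
ZONES = {
    "internal": {"www.example.test": INSIDE_WEB},
    "external": {"www.example.test": OUTSIDE_WEB},
}


def resolve(name, client_ip):
    """Inside clients get the private address, everyone else the public one."""
    view = "internal" if role(client_ip) == "inside" else "external"
    return ZONES[view][name]


def reaches_web_server(client_ip, dst):
    """True if a packet to dst ends up at the web server's real address after NAT."""
    return translate(client_ip, dst)[1] == INSIDE_WEB


if __name__ == "__main__":
    # The thread's failing case: inside PC aims straight at the public address.
    print(reaches_web_server("10.170.0.50", OUTSIDE_WEB))                                 # False
    # Same PC once split DNS hands it the private address.
    print(reaches_web_server("10.170.0.50", resolve("www.example.test", "10.170.0.50")))  # True
    # Outside client keeps using the public address as before.
    print(reaches_web_server("198.51.100.7", resolve("www.example.test", "198.51.100.7")))  # True
```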