Issue with NAT, ACL. Cannot connect to web server from inside network.
Have been working on this 2621xm IOS 12.1(18) router config for some time and have most working but now cannot access the webserver of ip 192.168.3.xx. I have NAT inside source static tcp 192.168.3.xx 80 65.32.15.xx 80 extendable in list. Strange.....It can be accessed correctly from the internet but not from the inside of the network. Cannot connect from the inside using the ip address of the webserver nor the http://www.domainname.com. The 65.32.15.xx is also the outside interface of the router but should nat to private address of 192.168.3.xx:80 which it does from the internet but not from inside network.
My config is as follows. Any help to get the NAT or route correct so I can connect internally and externally will be appreciated greatly!!!
I realize I have a lot of trash in the acl and it is not very secure. My intention was to get things "up" and then begin securing it more.
thanks!! Please help!! I've xed out some of the ips for some security.
Current configuration : 3051 bytes
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
enable secret 5 $1$nKAq$GvomCOuYV.KRYYSgOJX.p0
enable password 7 133505431101267B3F2720
ip name-server 65.32.x.65
ip name-server 65.32.x.70
description Private Interface
ip address 192.168.x.1 255.255.255.0
ip access-group 100 in
ip nat inside
no ip mroute-cache
no cdp enable
description Public Interface
ip address 65.32.x.86 255.255.255.192 secondary
ip address 65.32.x.87 255.255.255.192
ip access-group 101 in
ip access-group 100 out
ip nat outside
no ip mroute-cache
no cdp enable
ip nat inside source list 7 interface FastEthernet0/1 overload
ip nat inside source static 192.168.x.159 65.x.15.86
Re: Issue with NAT, ACL. Cannot connect to web server from insid
The results you are seeing are correct. The global addresses (65.32.15.x) are only valid on the outside and the local addresses (192.168.3.x) are only valid on the inside. The reason this fails is because:
1. Host 1 browses to the internal Web Server using its URL (www.domainname.com).
2. Host 1's browser sends a DNS request to the external DNS server to resolve domainname.com to its IP address.
3. The external DNS server replies with the global IP address of 65.32.15.x.
4. Host 1's browser now attempts to make a connection with 65.32.15.x and sends the traffic to its default gateway, fa0/0.
5. Routing takes place, and the router sends this traffic out the fa0/1 interface. As this occurs, the source IP address is translated since it has traversed both a NAT inside and outside interface.
6. The ISP notes the destination address (65.32.15.x) is routed back out the same interface it came in on, and the traffic comes back to the fa0/1 interface.
7. Since fa0/1 is a NAT outside interface, the source and destination addresses are translated. The packet now has a source of 192.168.x.x and a destination of 192.168.3.x.
8. The Web Server receives the TCP request from Host 1 and, noting that it is a local address, replies directly to Host 1.
9. Host 1 receives a reply from its TCP request; however, since it receives it from 192.168.3.x and not 63.32.15.x as it was expecting, it drops the packet.
The way to solve this problem is to use an internal DNS server or set up host files on all your internal users.
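The packet walk from the reply above, modelled as an added Python example that is not part of the original thread. All addresses and the source port are constructed stand-ins for the masked ones, and the NAT functions are a simplified model of the steps as described, not full IOS behaviour.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Constructed stand-ins for the masked addresses in the thread.
HOST = "192.168.3.10"        # Host 1 on the inside LAN
WEB_LOCAL = "192.168.3.20"   # web server, inside local address
WEB_GLOBAL = "203.0.113.86"  # web server, static global address
PAT_GLOBAL = "203.0.113.87"  # outside interface address used for overload

def nat_inside_to_outside(pkt, pat_table):
    """Step 5: overload NAT rewrites the source to the outside address."""
    pat_table[(PAT_GLOBAL, pkt.sport)] = (pkt.src, pkt.sport)
    return replace(pkt, src=PAT_GLOBAL)

def nat_outside_to_inside(pkt, pat_table):
    """Step 7: on re-entry both source and destination are translated."""
    src, sport = pat_table.get((pkt.src, pkt.sport), (pkt.src, pkt.sport))
    dst = WEB_LOCAL if (pkt.dst, pkt.dport) == (WEB_GLOBAL, 80) else pkt.dst
    return replace(pkt, src=src, sport=sport, dst=dst)

def server_reply(pkt):
    """Step 8: the requester is on the same subnet, so the server answers
    directly on the LAN and the reply never passes through NAT."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def client_accepts(sent, reply):
    """Step 9: the client only accepts a reply from the address it dialled."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (sent.dst, sent.dport, sent.src, sent.sport)

def walk(dns_answer):
    """Follow one connection attempt to whatever address DNS returned."""
    sent = Packet(HOST, 40000, dns_answer, 80)
    if dns_answer == WEB_LOCAL:   # internal DNS or hosts file: no NAT involved
        arrived = sent
    else:                         # external DNS: out and back through NAT
        pat = {}
        arrived = nat_outside_to_inside(nat_inside_to_outside(sent, pat), pat)
    reply = server_reply(arrived)
    return reply, client_accepts(sent, reply)

if __name__ == "__main__":
    for answer in (WEB_GLOBAL, WEB_LOCAL):
        reply, ok = walk(answer)
        print(f"dialled {answer}: reply from {reply.src}, accepted={ok}")
```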