Cisco Support Community

New Member

Access lan resources using wan ip address from lan

Hi,

Our router (an Integrated Services Router 2811) PATs to a single subnet. We have a web server located on that subnet.

When using public DNS from a computer on the LAN (other than the web server) we obviously get the public IP address for our website. This results in the request being sent to the WAN port of the router. Even though the router is configured to forward port 80 on the WAN port to the web server, it does not forward the request if the request originally came from the LAN.

Quite simply, the question is: How do you forward LAN requests made to the public IP address (WAN) on the router back into the LAN?

From what I have found online, this is nearly impossible to do. If it is, why? A cheap Linksys router does it quite easily.

17 REPLIES

Re: Access lan resources using wan ip address from lan

It sounds like the easiest way to do it is to use an internal DNS server, set your A records to resolve to the local address, and not use public DNS servers. Then you would configure a forwarder on your DNS server to query any records that your DNS server doesn't know of.

HTH

John

HTH, John *** Please rate all useful posts ***
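The split-horizon answer policy John describes (what BIND calls views), written out as an added example rather than anything from this thread: the answer depends on the querying client's source address, names the server is not authoritative for go to a forwarder, and a source that matches no view only ever sees the public record. The web server's private address 10.10.10.5, the view names and the forwarder entries are assumptions; the subnets and 1.1.1.1 are the placeholders the thread itself uses.

```python
import ipaddress

# Constructed zone data modelled on this thread: 10.10.10.0/24 is the main office
# (where the web server lives), 10.10.130.0/24 is the remote side of the VPN, and
# 1.1.1.1 stands in for the router's public address as it does in the thread.
# The web server's private address (10.10.10.5) is an assumption.
VIEWS = {
    "main-office": [ipaddress.ip_network("10.10.10.0/24")],
    "remote-sites": [ipaddress.ip_network("10.10.130.0/24")],
}
ZONE = {
    "www.example.com": {"main-office": "10.10.10.5", "remote-sites": "1.1.1.1"},
}
# Stand-in for the upstream forwarder (constructed answers, not a real lookup).
FORWARDER = {"cisco.com": "198.51.100.10"}


def view_for(client_ip):
    """Pick the view by *source address*, so a laptop gets the private answer
    while it sits in the main office and the public one from a remote site."""
    addr = ipaddress.ip_address(client_ip)
    for name, nets in VIEWS.items():
        if any(addr in net for net in nets):
            return name
    return None


def resolve(name, client_ip):
    """Authoritative names: answer from the client's view; a source outside
    every view never receives a private address. Other names are forwarded."""
    name = name.rstrip(".").lower()
    if name in ZONE:
        view = view_for(client_ip)
        # Safe default: an unrecognised source gets the public record.
        return ZONE[name].get(view, ZONE[name]["remote-sites"])
    return FORWARDER.get(name)  # None models NXDOMAIN from upstream
```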
New Member

Re: Access lan resources using wan ip address from lan

I agree with you. BUT.

History:

We have a province-wide domain, interconnected with VPNs. There is no routing enabled on the servers running the VPNs. Since DNS is Active Directory integrated, all locations receive the private IP address for the web server. Since there is no routing between locations, we need them to receive the public IP address via DNS.

So we have three options:

1. Change the hosts entry on all our computers (several hundred) to point to the public IP address. (This poses a problem for users with laptops, as sometimes they are in the same office as the web server.)

2. Somehow get the router to forward the requests as laid out in the question.

3. Somehow get our Active Directory integrated DNS to hand out the public IP address if the request is from one of the remote locations, but the private IP address if the request is from the location with the web server in it. (Not sure if this is even possible.)

PS. Thanks for the reply :-)

Re: Access lan resources using wan ip address from lan

Do you have a quick topology of how you're laid out?

HTH, John *** Please rate all useful posts ***
New Member

Re: Access lan resources using wan ip address from lan

I've attached a very quick diagram of our network. I hope it is detailed enough for what you are looking for. It is pretty basic. One note: the VPNs are tunneled through the Cisco. The Cisco is not supplying the VPN connection.

Thanks.

Re: Access lan resources using wan ip address from lan

Okay,

Your topology doesn't really show me what I was looking for, and it's probably because I may not have been clear enough.

"interconnected with VPN's. There is no routing enabled on the servers running the VPN's." Where are these VPNs terminating? Provider's router, server, your router, etc.

You said that the VPNs are tunneled through the cisco, but the cisco isn't the termination point, so what is?

You said that the remote sites are DNS integrated, but do they run their own servers, or are their DNS settings on your server?

My understanding of your goal, and please correct me if I'm wrong, is the following:

You want to be able to provide the DNS clients on the other side of the tunnel your public address for your web server? Forgive me if I'm a little lost.

You also said that VPN wasn't routed. Does that mean that you're not using NAT, or you're split tunneling?

HTH, John *** Please rate all useful posts ***
New Member

Re: Access lan resources using wan ip address from lan

Sorry to confuse you. Here are the answers to your questions:

"interconnected with VPN's. There is no routing enabled on the servers running the VPN's." Where are these VPNs terminating? Provider's router, server, your router, etc.

You said that the VPNs are tunneled through the cisco, but the cisco isn't the termination point, so what is?

The PDC Emulator (The domain controller in the main site - this is the same site as the web server).

You said that the remote sites are DNS integrated, but do they run their own servers, or are their DNS settings on your server?

They run their own servers (they are domain controllers), which pull the DNS settings from the main site domain controller through Active Directory.

My understanding of your goal, and please correct me if I'm wrong, is the following:

You want to be able to provide the DNS clients on the other side of the tunnel your public address for your web server? Forgive me if I'm a little lost.

Yes. Keep in mind that the DNS settings made in one location propagate to the other locations via Active Directory, because it is Active Directory integrated DNS.

You also said that VPN wasn't routed. Does that mean that you're not using NAT, or you're split tunneling?

(This might confuse you more.) Each location is NATed to the Internet. The VPN is a single tunnel from one server to the PDC emulator server. No other computers, routers or servers can access this VPN. Pretty much a one-to-one tunnel. (I suppose you could call it split tunneling, but with access to only one network resource.) The whole point of the VPN is to allow Active Directory synchronization.

Hopefully that answers your questions :-)

Re: Access lan resources using wan ip address from lan

So what side are you having the problem with? The hosts on the other side of the tunnel can't get to your internal website? Can the hosts on your side see your website? Does this website have a public or private address?

I'm thinking of you pushing HOSTS files to the clients on the ones that need to see the public address.

HTH, John *** Please rate all useful posts ***
New Member

Re: Access lan resources using wan ip address from lan

Well, we've tried two things.

1. If we put the DNS entry for the website in the internal DNS as the private IP, then all the clients in the locations other than the main office can't access it.

2. If we put the DNS entry for the website in the internal DNS as the public IP, then all the clients in the main office can't access the website.

Re: Access lan resources using wan ip address from lan

Can you post your config from your main router and a client router? Take out the live addresses.

HTH, John *** Please rate all useful posts ***
New Member

Re: Access lan resources using wan ip address from lan

Here is the main router config. Since the client locations are not hosting any publicly accessible services, they have a small Linksys rvl200 router. I don't think that I can give a config for it. It isn't configured for anything except the admin password and some port forwarding for administrative access to the domain controller.

Note: public IPs have been replaced with 1.1.1.1 and 1.1.1.2.

Note 2: This router was configured mainly with the SDM webpage.

Re: Access lan resources using wan ip address from lan

Are your client side networks on:

10.10.10.0

10.10.30.0

10.10.60.0

10.10.20.0

Do they get to you through the VPN?

HTH, John *** Please rate all useful posts ***
New Member

Re: Access lan resources using wan ip address from lan

Only 10.10.10.0 is used on the client side in the main office. The other three are old configurations that should have been deleted, but are currently not being used. They were previously being used as VLANs.

Re: Access lan resources using wan ip address from lan

So, what is the private address for the other side? Will I see them in this config, or do they use the dialer profile to come in on?

You said that they have all of their own servers, so are they always connected to the VPN? Do they access other resources on your network?

HTH, John *** Please rate all useful posts ***
New Member

Re: Access lan resources using wan ip address from lan

So, what is the private address for the other side? 10.10.130.0

Will I see them in this config? No

Do they use the dialer profile to come in on? Yes

You said that they have all of their own servers, so are they always connected to the VPN? Yes

Do they access other resources on your network? Yes, Exchange Server which has the same problem.

New Member

Re: Access lan resources using wan ip address from lan

Going home now so won't be back till Tuesday (long weekend). Will continue the discussion then.

Re: Access lan resources using wan ip address from lan

Here's the issue (I think):

I don't know about Microsoft's VPN server (Remote Access Server?), but you should find a way to tell it to NOT NAT traffic destined for the 10.10.130.0 subnet, while you can NAT everything else.

What I think is happening is that the return traffic on your side is being NATed, which is why your clients on the dial-up side can't see the DNS server on its private interface.

The two endpoints of the VPN (both public interfaces) are transparent after a VPN tunnel is established. The private networks on both ends should behave as if they were in the same office. When a person on the 10.10.130.0 network makes a request to the 10.10.10.0 network, it shouldn't be NATed at all, and you should find a way to exclude that traffic. Can you ping a host across the tunnel? If not, you are trying to NAT the connection.

Here's a starting point:

http://technet.microsoft.com/en-us/library/cc780391.aspx

Hopefully this helps.

John

HTH, John *** Please rate all useful posts ***
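The NAT exemption John describes, modelled as an added example (not code from this thread or from any vendor): an ordered rule list in the first-match-wins, implicit-deny style of an access list, where a deny entry means "leave this untranslated", and a check of what the far end sees as the source address with and without that entry. The subnets and 1.1.1.1 are the thread's own placeholders; the specific hosts 10.10.10.2 (internal server) and 10.10.130.20 (remote client) are assumptions.

```python
import ipaddress

# Constructed addresses from the thread: 10.10.10.0/24 main office, 10.10.130.0/24
# remote VPN site, 1.1.1.1 for the router's public address. The specific hosts
# used in the checks (10.10.10.2, 10.10.130.20) are assumptions.
WAN_IP = "1.1.1.1"

# Ordered rule list: first match wins, implicit deny at the end.
# deny = leave the packet untranslated, permit = translate (PAT) to WAN_IP.
NAT_RULES = [
    ("deny",   "10.10.10.0/24", "10.10.130.0/24"),  # tunnel traffic stays private
    ("permit", "10.10.10.0/24", "0.0.0.0/0"),       # everything else is PATed
]
# The suspected misconfiguration: no exemption, so tunnel traffic is PATed too.
NO_EXEMPTION = [("permit", "10.10.10.0/24", "0.0.0.0/0")]


def should_translate(src, dst, rules):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False  # implicit deny: untranslated


def outbound(src, dst, rules):
    """Source address the far end sees once the packet has left the router."""
    return WAN_IP if should_translate(src, dst, rules) else src


def round_trip(src, dst, rules):
    """Will the remote host's reply reach the original private host? A reply
    addressed to WAN_IP lands on the router's public interface, not the server."""
    return outbound(src, dst, rules) == src
```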
New Member

Re: Access lan resources using wan ip address from lan

Hi again.

We can currently ping from any host on the main network (the one with the web server) to any VPN-connected client (such as a server in a remote site). We can only ping from the client connected to the VPN in the remote office to any client in the main office, as expected.

I suppose that if we were to enable Routing and Remote Access on the servers, then we would be combining all our networks into one routed network. We could then set the DNS to the internal IP address of the web server. The problem I see with that is that the entire network will be browsable by any client. I am not aware of any way to turn off network discovery over a VPN hosted by a Microsoft OS. Also, should one of our offices be infected with a virus, this could increase how widespread an impact it has.

Thoughts?
