Hi, I just got a C800 series router running with a static Internet IP on the WAN port and 2 VLANs as inside interfaces. Port forwarding has been defined from the Internet to the application so that Internet users can access it. Due to an application limitation, the client program is hard-coded with the public IP to access the server. Is there any way that users can access the server through the public IP even though they are connected to the internal network? Currently, the user cannot access the server once they are back in the office unless the client software is reconfigured back to the private IP. You will probably have a better view by referring to the details below.
WAN IP: 188.8.131.52
VLAN 10: 192.168.1.0/24 (SVRFARM)
VLAN 20: 192.168.2.0/24 (USER)
application server IP: 192.168.1.99/24
application client software hard-coded with 184.108.40.206 TCP port 9090 to access from the Internet
Port forwarding: 220.127.116.11 TCP port 9090 to 192.168.1.99 TCP port 9090 (allows users to access through the Internet)
Users have to manually reconfigure the client software from 18.104.22.168 to 192.168.1.99 once they are connected to VLAN 20.
I'm wondering whether it is possible to use ip nat inside destination just to translate the destination IP back to the private IP for traffic from VLAN 20 to VLAN 10?
Hope that someone can help me... thanks.
Check for errors on your device; I think the user is not able to access the public IP because of hairpinning.
Can you please check the logs for IP spoof denied messages or errors?
Please post the port redirection NAT statement, as I did this on a Cisco ASA, never on a router, so I need to see it.
Hi, you may refer to the attachment for the overview diagram. Below is the configuration. I see nothing in the router log. Is there any way to translate the destination IP for inside-to-inside traffic? Hope that you can help us; every time the user is back in the office they need to hard-code the client software with the private IP in order to work at the office. Thanks.
! Interface headers restored for readability: FastEthernet4 is the name used by the
! routes below; the names Vlan10 and Vlan20 are assumed from the VLAN numbers in the post.
interface FastEthernet4
 description SDSL Link
 ip address 22.214.171.124 255.255.255.252
 ip access-group DENY_ROGUE_ATTACK in
 ip nat outside
!
interface Vlan10
 description Server Farm Segment
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-mode
 ip nat inside
!
interface Vlan20
 description User Segment
 ip address 192.168.2.1 255.255.255.0
 ip pim sparse-mode
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip nat inside source list 80 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.99 9090 126.96.36.199 9090 extendable
access-list 80 remark Inside NAT Subnet
access-list 80 permit 192.168.1.0 0.0.0.255
access-list 80 permit 192.168.2.0 0.0.0.255
It appears that your best bet may be using DNS. Do you have an internal DNS server? Can your client be configured to use a FQDN instead of an IP? If the answer is yes to both, then:
1. Register your public IP address (request with your ISP) with a unique FQDN (ex. app.company.com)
2. Add the new name into your internal DNS server records
3. Replace the client's configuration from 192.168.1.99 or 188.8.131.52 to app.company.com.
Clients will now behave consistently in the same way and you don't have to change anything, whether they work from home or the office. Keep in mind that if in the future you want to add more apps, then you may need more public IP addresses/FQDN registrations.
Let me know if that solution works for you.
In case you don't have a DNS server and your DHCP server assigns the router's interface for both gateway and DNS, you can use your router as a DNS server to add a FQDN for resolution. Here are the commands:
ip dns server
ip host app.company.com 192.168.1.99
Currently, the users are running DHCP and I have configured the DHCP settings to push the ISP's public DNS server to their laptops. If I use this method, I need to change the DHCP settings so that I push the VLAN interface IP as their DNS server, while the router becomes the relay?
In that case:
1. nslookup your public IP
2. If it resolves, use that name as [app.company.com]
3. If not, request your ISP to associate your public IP address with a unique FQDN (ex. app.company.com)
4. Reconfigure the DHCP server to assign primary DNS=192.168.2.1, secondary and tertiary=public DNS servers
5. Add the following commands to your router:
ip host app.company.com 192.168.1.99
ip domain lookup
ip name-server server-address1 [server-address2 ... server-address6] <<< don't add your local DNS IP address here
6. Replace the client's configuration from 192.168.1.99 or 184.108.40.206 to: app.company.com
In the case of 220.127.116.11, app.company.com resolves by public DNS to the FQDN: ti300710a340-0088.bb.online.no
C:\Documents and Settings\Stanley>nslookup 18.104.22.168
The question is, can the client be configured to use a FQDN instead of an IP? If yes, (per the above example) pointing to "ti300710a340-0088.bb.online.no" should now work from both home and office.
Just to answer your question directly.
"Is it possible to use ip nat inside destination just to translate the destination IP back to the private IP for traffic from VLAN 20 to VLAN 10?"
Not with the router. As an example, if your server is Linux, NATing internally on the server, coupled with a static route on your router, should do. However, Cisco can't static NAT internal to internal (to my knowledge), hence I recommended the DNS solution, which works every time. Also see: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
ip nat inside source
· Translates the source of IP packets that are traveling inside to outside.
· Translates the destination of the IP packets that are traveling outside to inside.
ip nat outside source
· Translates the source of the IP packets that are traveling outside to inside.
· Translates the destination of the IP packets that are traveling inside to outside.
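The following is an added example, not code from the thread or from Cisco: a small Python model of the NAT direction rules quoted above, showing why a packet from VLAN 20 to the public IP is never hairpinned by "ip nat inside source static", and of the split-DNS workaround from the earlier replies. Addresses are the ones quoted in the thread; the interface names Vlan10 and Vlan20 and the client addresses 192.168.2.50 and 203.0.113.5 are assumed.

```python
# Added example (not the poster's config): model of IOS 'ip nat inside source'
# order of operations and of the split-DNS fix. Interface names Vlan10/Vlan20
# are assumed; the addresses come from the thread.
from ipaddress import ip_address, ip_network

INTERFACES = {  # interface -> (connected network, 'ip nat' role)
    "FastEthernet4": (ip_network("22.214.171.124/30", strict=False), "outside"),
    "Vlan10": (ip_network("192.168.1.0/24"), "inside"),
    "Vlan20": (ip_network("192.168.2.0/24"), "inside"),
}
PUBLIC_IP = ip_address("126.96.36.199")  # ip nat inside source static tcp ... 9090
SERVER_IP = ip_address("192.168.1.99")

def route(dst):
    """Connected networks first, otherwise the default route out FastEthernet4."""
    for name, (net, _) in INTERFACES.items():
        if dst in net:
            return name
    return "FastEthernet4"

def forward(ingress, src, dst):
    """Apply the IOS order of operations for 'ip nat inside source'.
    Returns (egress interface, source after NAT, destination after NAT)."""
    src, dst = ip_address(src), ip_address(dst)
    if INTERFACES[ingress][1] == "outside":
        # outside -> inside: destination translated BEFORE routing, so an
        # Internet client hits the static entry and is routed to the server.
        if dst == PUBLIC_IP:
            dst = SERVER_IP
        return route(dst), src, dst
    # inside -> anywhere: route first; only the SOURCE is translated, and only
    # when the packet leaves via an outside interface. The destination of an
    # inside-originated packet is never rewritten, so there is no hairpin.
    egress = route(dst)
    if INTERFACES[egress][1] == "outside":
        src = PUBLIC_IP
    return egress, src, dst

def reaches_server(ingress, src, dst):
    """True when the packet ends up on Vlan10 addressed to the real server."""
    egress, _, final_dst = forward(ingress, src, dst)
    return egress == "Vlan10" and final_dst == SERVER_IP

def resolve(name, client_iface):
    """Split horizon: the router's 'ip host' entry answers inside clients with
    the private IP; public DNS answers everyone else with the public IP."""
    if name != "app.company.com":
        raise KeyError(name)
    return SERVER_IP if INTERFACES[client_iface][1] == "inside" else PUBLIC_IP
```

With the public IP hard-coded, the office client's packet is routed out FastEthernet4 with only its source rewritten; with the FQDN, the inside answer sends it straight to 192.168.1.99 while Internet clients still get the public IP.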
Thanks for your great help. Let me try; probably enabling the DNS server on the router with a static hostname redirecting to the private IP will be sufficient. Thank you very much for your great idea.