Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NAT/PAT loopback

Hi, hope someone can help me with this.

i have an exchange server with static PAT on vlan1, server is accessible from the internet, but not from the local vlan1 because DNS points to WAN ip. Solved that by putting an entry in the local DNS server to the internal ip of the Exchangeserver. Works great for pc's and laptops but the problem is, this doesnot work for Iphones, Ipads and some Nokia smartphones. Those devices keep their DNS entries for a long time so a lot of people complain that they cannot get their email.

I already looked into the NAT on a stick solution but cannot get that working.

WAN IP:67.66.x.x

VLAN1 IP:192.168.115.253/24

VLAN2 IP: 10.96.45.254/24

Exchange server: 192.168.115.11

I already tried to create a loopback interface but i cannot get it to NAT the traffic to the Exchangeserver. Can somebody please help me to get this fixed

Current nat config:

interface FastEthernet0
description VLAN1SWITCH
no ip address
!
interface FastEthernet1
description VLAN2
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface GigabitEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip nat outside
ip virtual-reassembly in

!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.115.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 10.96.45.254 255.255.255.0
ip nat inside
ip virtual-reassembly in

!

ip nat pool LAN_TO_DMZ 10.96.45.96 10.96.45.223 netmask 255.255.255.0
ip nat inside source static tcp 192.168.115.11 80 interface GigabitEthernet0 80
ip nat inside source static tcp 192.168.115.11 443 interface GigabitEthernet0 443
ip nat inside source list 105 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 pool LAN_TO_DMZ overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp
!
access-list 104 remark NAT pool DMZ
access-list 104 deny   ip 10.96.45.0 0.0.0.255 10.16.0.0 0.0.255.255
access-list 104 permit ip 192.168.115.0 0.0.0.255 any
access-list 105 remark NAT pool INTERNET
access-list 105 deny   ip 192.168.115.0 0.0.0.255 10.16.0.0 0.0.255.255
access-list 105 permit ip 192.168.115.0 0.0.0.255 any
!
route-map SDM_RMAP_2 permit 1
match ip address 104
!

  • WAN Routing and Switching
5 REPLIES

NAT/PAT loopback

can you please explain what you trying to achieve with the nat on stick ?

New Member

Re: NAT/PAT loopback

I want to be able to use the WAN IP to access the exchange server from the local LAN.

Currently it is only possible to acces the exchange server from the internet with WANIP, but from lan you have to use the LANIP of the server.

Hop this explains my goal.

WAN interface= GigabitEthernet0

LAN interface= VLAN1 on FA0

New Member

Re: NAT/PAT loopback

I see the logic of what you're trying to accomplish, but it won't work with NAT.  You have an ip nat outside on gi0, and ip nat inside on both fa0 and fa1.  One is your Lan devices, the other one is your exchange server.  You want to translate your lan devices on fa1 to a 67 address in hopes that the traffic will reach your exchange sever with a source of 67 which is outside.

1.  The nat inside on fa1 will translate every device on that vlan mobile devices or not to the 67 address.  So devices that were working will not longer work.

2.  You're expecting the router to receive a 67 packet from fa1 as a source and resend it right back in to the exchange server that has a 192 address.  So if you look at that triangle it's not gonna work no matter how you nat it.  Because the router will receive the 67 from fa1, then it won't know what to do with it because it cannot NAT in reverse.  NAT = one direction per interface.  So it will never translate the 67 to 192, and it will drop the packet.

I can think of one way that will work.  It's to do a static nat for the exchange server to a specific 67 address.  Not interface gi0.  A static that is bidirectional, and I think your scenario will then work.

GL

Re: NAT/PAT loopback

Hello

Why would you want your internal clients to access this internal server by its public ip?

For these clients - maybe add additional public server addresses your existing dns scope

Res
Paul

Sent from Cisco Technical Support iPad App

Please don't forget to rate any posts that have been helpful. Thanks.

Re: NAT/PAT loopback

You need to use cisco NAT virtual interface,

Example:

your internal network web server ip 192.168.1.10/24 Fa0 router Fa1 Public Ip address 1.1.1.1

here is what you need to configure in NAT router to resolve your issue:

int fa0

ip nat enable

no ip redirects

int fa 1

ip nat enable

no ip redirects

ip nat source static tcp 192.168.1.10 80 1.1.1.1 80 overload

ip nat source list 1 interface fa0 overload

access-list 1 permit 192.168.1.0 0.0.0.255

now you can try access to your 1.1.1.1:80 from inside network.

905
Views
0
Helpful
5
Replies
This widget could not be displayed.