03-15-2012 02:49 PM - edited 03-04-2019 03:41 PM
Dear Experts,
We have a 2851 router which interconnects our local network to the public network.
We receive our internet on interface e0/1, and e0/0 is restricted to our LAN, as in the configs below:
interface e0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface e0/1
 ip address X.X.X.226 255.255.255.224
 ip nat outside
! web server (static NAT syntax is: inside-local address, then inside-global address)
ip nat inside source static 192.168.10.9 x.x.x.245
! last resort (gateway)
ip route 0.0.0.0 0.0.0.0 x.x.x.225
Our users from the internet (WAN) can access our web server without any problem.
But we can't access our web server with the public address x.x.x.245 or the equivalent domain name from our LAN;
we can only access it with the local address 192.168.10.9 in our LAN.
How can we access our web server with the public FQDN domain name or public IP address from our LAN?
Regards
hamid
03-16-2012 01:12 AM
As per my understanding,
when a packet comes from the LAN network, it tries to find your public IP; it has only one default route towards the ISP.
If you add a static route to the interface to which this public-facing web server is connected, it starts going through.
Another thing: if you want to access the same site with the private IP 192.168.10.9, contact your web server team; I think they can add the private IP to some URL for internal users.
Regards
Ritesh
03-16-2012 01:46 AM
Thanks for your reply.
We can't teach our users how to access the web server with an internal IP address such as 192.168.10.9.
All of them know our domain IP address, such as mydomain.com. So, after connecting to the internet from our LAN, they suppose they are on a WAN and that they can connect to mydomain.com, but they can't receive any web pages. They can receive all other web pages except mydomain.com.
I tested mydomain.com and the equivalent public IP address from my home (WAN) and I received those web pages correctly, but it is not possible from our LAN.
How can you solve this problem?
Regards
Hamid
03-16-2012 02:47 AM
Hi,
As DNS doctoring should be the default on this router, if you have a DNS record for your server FQDN on an external DNS server, then the router should replace the public IP in the DNS reply with the private IP when accessing from the LAN.
Regards.
Alain
03-16-2012 07:25 AM
Hi hamid
It is a DNS issue, but your NAT is just fine.
Try this...
Please be sure to enable domain-lookup and assign a name-server on the router.
ip domain-lookup
! x = your DNS server address
ip name-server 192.168.10.x
Once the above config is enabled,
try this...
Issue the command below on the router, replacing myservername with the cname of your FQDN.
router> myservername
Example output:
Translating "myservername"...domain server (192.168.10.x) [OK]
myservername, the cname of your FQDN, will be resolved by your router.
If that does not help,
in config mode try this...
ip host ns1.example.com 192.168.10.x
x is your private-translated address and ns1 is your cname.
I hope that helps.
Thanks
Rizwan Rafeek
03-17-2012 03:54 AM
Many thanks for your responses.
Our router's responses for the www.mysite.com FQDN and for www are as below.
Is the FQDN what you meant, or only our server name?
router>www.mysite.com
Translating "www.mysite.com"...domain server (192.168.10.10) [OK]
Trying www.mysite.com (*.*.*.245)...
% Connection timed out; remote host not responding
router> www
Translating "www"...domain server (192.168.10.10)
Translating "www"...domain server (192.168.10.10)
(192.168.10.10)% Unknown command or computer name, or unable to find computer address
-----------------------------------------------------------------------------------------------------
Router>ping *.*.*.245
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to *.*.*.245 , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router>ping 192.168.10.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
-----------------------------------------------------------------------------------------------
Is it OK?
If yes, our last problem exists.
Regards
Hamid
03-17-2012 07:07 AM
I can see your internal DNS server is resolving the query with the public address, as shown below.
Trying www.mysite.com (*.*.*.245)...
Since your internal DNS server has no connection to public DNS servers, your internal DNS cname must point to the private address instead of pointing to the public address. Public DNS resolves the cname to the public address and is functioning; likewise, the private DNS server inside your network must point to the private IP address. By doing so, your internal users cannot distinguish whether the cname in question is resolved to the public address or the private address.
Thanks
Rizwan Rafeek
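A check for the fix described in the reply above, as an added example that is not part of the original thread: it reads the router's static NAT entries and lists the internal DNS A records that still answer with the public (inside-global) address and should point at the private one. The address 203.0.113.245 (a documentation range standing in for the masked x.x.x.245), the zone dictionary and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data: 203.0.113.245 stands in for the thread's masked
# x.x.x.245; the zone contents are illustrative, not taken from the thread.
ROUTER_CONFIG = """\
interface e0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
ip nat inside source static 192.168.10.9 203.0.113.245
"""
INTERNAL_ZONE = {  # A records the LAN DNS server currently answers with
    "www.mysite.com": "203.0.113.245",
    "intranet.mysite.com": "192.168.10.20",
}
LAN = ipaddress.ip_network("192.168.10.0/24")

# Matches only plain one-to-one static NAT: "... static <local> <global>"
STATIC_NAT = re.compile(
    r"^\s*ip nat inside source static (\S+) (\S+)\s*$", re.MULTILINE)


def static_nat_map(config):
    """Return {inside-global (public) IP: inside-local (private) IP}."""
    mapping = {}
    for local, global_ in STATIC_NAT.findall(config):
        mapping[ipaddress.ip_address(global_)] = ipaddress.ip_address(local)
    return mapping


def internal_overrides(zone, config, lan=LAN):
    """List (name, current answer, private address) for records to change.

    A name needs an internal override when the LAN DNS answers with a public
    address that the router statically NATs to a host on the LAN itself.
    """
    nat = static_nat_map(config)
    fixes = []
    for name, answer in sorted(zone.items()):
        local = nat.get(ipaddress.ip_address(answer))
        if local is not None and local in lan:
            fixes.append((name, answer, str(local)))
    return fixes


if __name__ == "__main__":
    for name, public, private in internal_overrides(INTERNAL_ZONE, ROUTER_CONFIG):
        print(f"{name}: internal A record {public} -> {private}")
```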
03-17-2012 08:30 AM
Besides, your users are connected to an internal switch. A switch will switch packets based on ARP-cache lookup when it is one broadcast domain, or FIB lookup on a layer-3 platform; but if you are expecting it to function any other way, by forwarding the cname to the public address while bypassing (or avoiding) the inside interface of the router, that is something out of the norm.
03-17-2012 12:40 PM
Thanks,
I set up the internal DNS again and our problem was solved on our clients. We now have two DNS servers:
1 - Local DNS
2 - Public DNS
But from my public DNS I cannot access the web server, because it returns the public IP address of www, but we need the internal address for connecting to the internet.
Can you solve it?
Regards
03-17-2012 06:33 PM
"my public dns i can not access to web server"
Since your public DNS server is not authoritative for the cname, you could create a host "A" record (private IP record) and map the cname to the host "A" record.
thanks
Rizwan Rafeek
03-19-2012 04:41 AM
Dear Rafeek,
many thanks for your solution
>>Since your public dns server is not authoritative for cname could create host "a" record (private ip record) and map the cname to host "a" record. <<
Can you explain it a bit more?
Regards
Hamid
03-19-2012 12:34 PM
I found the link below, which gives a good explanation of the host "A" record and cname.
http://support.easydns.com/tutorials/DNSsetup/areccname.php
thanks
03-21-2012 09:25 AM
If I understand correctly, for accessing my web server from my public DNS with the FQDN,
we should define two A (Host) entries and one cname on the public DNS server.
1- www.mysite.com X.X.X.245 (For external users)
2- www.mysite.com 192.168.10.9 (For internal users)
3- CNAME --> ?
Can you correct me?
Regards
Hamid