
We can't access web server from our LAN

hamidrezaaf
Level 1

Dear Experts,

We have a 2851 router which interconnects our local network to the public network.

We receive our internet on interface e0/1, and e0/0 is restricted to our LAN, as in the configs below:

interface e0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface e0/1
 ip address X.X.X.226 255.255.255.224
 ip nat outside
!
! web server (static NAT syntax: inside-local address first, then inside-global)
ip nat inside source static 192.168.10.9 x.x.x.245
!
! last resort (gateway)
ip route 0.0.0.0 0.0.0.0 x.x.x.225

Our users from the internet (WAN) can access our web server without any problem.

But we can't access our web server with the public address x.x.x.245 or the equivalent domain name from our LAN,

and we can only access it with the local address 192.168.10.9 in our LAN.

How can we access our web server with the public FQDN domain name or the public IP address from our LAN?

Regards

hamid


r.malviya
Level 1

As per my understanding,

when a packet comes from the LAN network, it tries to find your public IP; it has only one default route towards the ISP.

If you add a static route to the interface to which this public-facing web server is connected, it starts going through.

Another thing: if you want to access the same site with the private IP 192.168.10.9, contact your web server team; I think they can add the private IP to some URL for internal users.

Regards

Ritesh

Thanks for your reply.

We can't teach our users how to access the web server with an internal IP address such as 192.168.10.9.

All of them know our domain IP address, such as mydomain.com. So, after connecting to the internet from our LAN, they suppose they are on a WAN and that they can connect to mydomain.com, but they can't receive any web pages. They can receive all other web pages except mydomain.com.

I tested mydomain.com and the equivalent public IP address from my home (WAN) and I received those web pages correctly, but it is not possible from our LAN.

How can you solve this problem?

Regards

Hamid

Hi,

As DNS doctoring should be the default on this router, if you have a DNS record for your server FQDN on an external DNS server then the router should replace the public IP in the DNS reply with the private IP when accessing from the LAN.

Regards.

Alain

Don't forget to rate helpful posts.

rizwanr74
Level 7

Hi hamid

It is a DNS issue, but your NAT is just fine.

Try this...

Please be sure to enable domain-lookup and assign a name-server on the router.

ip domain-lookup
ip name-server 192.168.10.x

(x = your DNS server address)

Once the above config is enabled, try this...

Issue the command below on the router, replacing myservername with the cname of your FQDN.

router> myservername

Example output:

Translating "myservername"...domain server (192.168.10.x) [OK]

myservername, the cname of your FQDN, will be resolved by your router.

If that does not help, try this in config mode...

ip host ns1.example.com 192.168.10.x

x is your private-translated address and ns1 is your cname.

I hope that helps.

Thanks

Rizwan Rafeek

Many thanks for your responses.

Our router's responses for the www.mysite.com FQDN and www are as below.

Is the FQDN what you meant, or only our server name?

router>www.mysite.com

Translating "www.mysite.com"...domain server (192.168.10.10) [OK]

Trying www.mysite.com (*.*.*.245)...

% Connection timed out; remote host not responding

router> www

Translating "www"...domain server (192.168.10.10)

Translating "www"...domain server (192.168.10.10)

(192.168.10.10)% Unknown command or computer name, or unable to find computer address

-----------------------------------------------------------------------------------------------------

Router>ping *.*.*.245

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to *.*.*.245 , timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Router>ping 192.168.10.9

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.9, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

-----------------------------------------------------------------------------------------------

Is it OK?

If yes, our last problem exists.

Regards

Hamid

I can see your internal DNS server is resolving the query with the public address, as shown below.

Trying www.mysite.com (*.*.*.245)...

Since your internal DNS server has no connection to public DNS servers, your internal DNS cname must point to the private address instead of pointing to the public address. Public DNS resolves the cname to the public address and is functioning; likewise, the private DNS server inside your network must point to the private IP address. By doing so, your internal users cannot distinguish whether the cname in question is resolved to the public address or the private address.

Thanks

Rizwan Rafeek
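
Added example (not part of the original thread or any poster's code): a small offline check of the split-DNS arrangement described in the reply above. It reads one-to-one static NAT lines from a router config and reports names that LAN clients would still resolve to the NAT'd public address. The zone dictionaries, mail.mysite.com, and 203.0.113.x (a documentation-range stand-in for x.x.x.245) are constructed sample data.

```python
import re

# Constructed sample data; 203.0.113.245 is a placeholder for the thread's x.x.x.245.
ROUTER_CONFIG = """\
interface e0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
ip nat inside source static 192.168.10.9 203.0.113.245
"""
PUBLIC_ZONE = {"www.mysite.com": "203.0.113.245", "mail.mysite.com": "203.0.113.230"}
INTERNAL_ZONE_BEFORE = {"www.mysite.com": "203.0.113.245"}  # LAN DNS answers with public IP
INTERNAL_ZONE_AFTER = {"www.mysite.com": "192.168.10.9"}    # LAN DNS answers with private IP

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# One-to-one static NAT only: "ip nat inside source static <inside-local> <inside-global>".
# Port-specific entries (static tcp ...) are deliberately not matched.
STATIC_NAT = re.compile(rf"^\s*ip nat inside source static {IPV4} {IPV4}\s*$", re.M)


def static_nat_map(config):
    """Return {inside_global: inside_local} for each static NAT line."""
    return {glob: local for local, glob in STATIC_NAT.findall(config)}


def audit_split_dns(config, public_zone, internal_zone):
    """Return (name, internal_answer, expected_private_ip) for every public
    name behind a static NAT whose internal record is missing or wrong."""
    nat = static_nat_map(config)
    findings = []
    for name, public_ip in sorted(public_zone.items()):
        if public_ip not in nat:
            continue  # not hosted behind this router's static NAT
        expected = nat[public_ip]
        answer = internal_zone.get(name)  # None: internal DNS has no record
        if answer != expected:
            findings.append((name, answer, expected))
    return findings


if __name__ == "__main__":
    for label, zone in (("before", INTERNAL_ZONE_BEFORE), ("after", INTERNAL_ZONE_AFTER)):
        print(label, audit_split_dns(ROUTER_CONFIG, PUBLIC_ZONE, zone))
```
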

Besides, your users are connected to an internal switch; a switch will switch packets based on ARP-cache lookup when it is one broadcast domain, or FIB lookup on a layer-3 platform. But if you are expecting it to function any other way, by forwarding the cname to the public address and bypassing (or avoiding) the inside interface of the router, that is something out of the norm.

Thanks,

I set up the internal DNS again and our problem was solved on our clients. We now have two DNS servers:

1 - Local DNS

2 - Public DNS

But with my public DNS I cannot access the web server, because it returns the public IP address of www, but we need the internal address for connecting to the internet.

Can you solve it?

Regards

"my public dns i can not access to web server"

Since your public DNS server is not authoritative for the cname, you could create a host "a" record (private IP record) and map the cname to the host "a" record.

thanks

Rizwan Rafeek

Dear Rafeek,

many thanks for your solution

>>Since  your public dns server is not authoritative for cname could create host  "a" record (private ip record) and map the cname to host "a" record. <<

can you explain it a bit more ?

Regards

Hamid

I found the link below, which gives a good explanation of host "a" record and cname.

http://support.easydns.com/tutorials/DNSsetup/areccname.php

thanks

If I understand correctly, for accessing my web server from my public DNS with the FQDN,

we should define two A (Host) entries and one cname on the public DNS server.

1- www.mysite.com   X.X.X.245 (for external users)

2- www.mysite.com   192.168.10.9 (for internal users)

3- CNAME -->?

Can you correct me?

Regards

Hamid
