
WEB Server Not accessible from Inside.

Hardik Pithadia
Level 1

Dear Techies,

 

I am facing a weird problem at one of my client's offices. We have replaced the small business router Cisco RV042 with a Cisco ISR router 2911. On that router we have configured NAT to allow internal users to access the internet, and port forwarding for outside users to access web servers and other applications that are hosted internally.

We are not able to access www.test.com (name changed) from inside, nor one of the applications that is running on port no. 8280; the same is working properly from outside the network. Another application that is running on 8287 is accessible from inside.

We are accessing with the IP address http://192.168.1.51:8280, and www.test.com is not working from inside.

But all works fine with the old Cisco RV042.

I am attaching both router configs for reference. Please advise.

 

Thanks in Advance.

Hardik.

9 Replies

Giuseppe Larosa
Hall of Fame

Hello Hardik,

This is quite a common question/issue.

Cisco routers implement NAT in such a way that the web server should be accessed using the private IP address from the inside.

>> We are accessing with ip address http://192.168.1.51:8280

If this is acceptable to you and your users no further actions are required.

Edit:

I would remove the following command from the internet-facing interfaces, as NAT is performed on each

>> ip load-sharing per-packet

so load balancing per packet makes no sense here.

Hope to help

Giuseppe

Hi Giuseppe,

Yes, we have removed the command ip load-sharing per-packet on both WAN interfaces. The problem is that we are able to telnet to 192.168.1.51 on port no. 8280 from the LAN, but when we access from a web browser to use the application with the URL http://192.168.1.51:8280 it is not working.

We are facing the same problem with www.test.com, but that we have solved with a host entry on the user machine.

Can you explain what measures we can take to access with the private IP 192.168.1.51:8280 from inside the LAN? There is no other VLAN. The server and users are connected to the same switch. We also replaced the switch to check.

Thanks,

Hardik.

Hardik

What have you got in your internet proxy exceptions?

If you are able to get there by telnet then this is the only other thing it could possibly be ...

Ryan

Hi Ryan,

No, we don't have any proxy in between. Yes, I am able to get there with telnet on the mentioned port, but via web page we can't access this application.

We are also searching for that other thing.

Thanks,

Hardik.

Hardik

What I meant was in your internet browser what have you got in your internet exceptions tab?

You should have 192.168.*.* for this to work ...

Ryan

Hi Ryan,

Sorry, I am not getting what you are saying. Can you explain in detail?

For your reference, we are using Firefox.

Thanks,

Hardik.

Hi,

I think with what you describe that it is more a browser problem than a router problem.

Clear your cache and verify your connection parameters in Firefox.

Regards.

Alain

Don't forget to rate helpful posts.

If I understand you correctly you are trying to implement "NAT Hairpin". Meaning you are trying to access an internal server using the external IP address.

You have a few options. If you have an internal DNS server, simply create an A record for www.test.com pointing to the internal IP address.

If you do not have an internal DNS server, you could look at implementing NAT NVI (ip nat enable) instead of traditional NAT (ip nat inside/outside).

NAT NVI supports hairpinning, as the order of operation is different.

NOTE: I have not tested this. Make sure you back up your original configuration, in case this does not work.

Enable the Router Interfaces for NVI instead of Traditional NAT

interface GigabitEthernet0/0

no ip nat outside

ip nat enable

no ip redirects

interface GigabitEthernet0/1

no ip nat outside

ip nat enable

no ip redirects

interface GigabitEthernet0/2

no ip nat inside

ip nat enable

no ip redirects

Remove Traditional NAT Statements and replace with NVI NAT Statements

no ip nat inside source route-map isp1 interface GigabitEthernet0/0 overload

no ip nat inside source route-map isp2 interface GigabitEthernet0/1 overload

no ip nat inside source static tcp 192.168.1.51 80 49.248.102.45 80 extendable

no ip nat inside source static tcp 192.168.1.51 3389 49.248.102.45 3389 extendable

no ip nat inside source static tcp 192.168.1.51 8280 49.248.102.45 8280 extendable

no ip nat inside source static tcp 192.168.1.51 8281 49.248.102.45 8281 extendable

no ip nat inside source static tcp 192.168.1.51 8282 49.248.102.45 8282 extendable

no ip nat inside source static tcp 192.168.1.51 8283 49.248.102.45 8283 extendable

no ip nat inside source static tcp 192.168.1.51 8284 49.248.102.45 8284 extendable

no ip nat inside source static tcp 192.168.1.51 8285 49.248.102.45 8285 extendable

no ip nat inside source static tcp 192.168.1.51 8286 49.248.102.45 8286 extendable

no ip nat inside source static tcp 192.168.1.51 8287 49.248.102.45 8287 extendable

no ip nat inside source static tcp 192.168.1.51 80 182.73.64.66 80 extendable

no ip nat inside source static tcp 192.168.1.51 3389 182.73.64.66 3389 extendable

no ip nat inside source static tcp 192.168.1.51 8280 182.73.64.66 8280 extendable

no ip nat inside source static tcp 192.168.1.51 8281 182.73.64.66 8281 extendable

no ip nat inside source static tcp 192.168.1.51 8282 182.73.64.66 8282 extendable

no ip nat inside source static tcp 192.168.1.51 8283 182.73.64.66 8283 extendable

no ip nat inside source static tcp 192.168.1.51 8284 182.73.64.66 8284 extendable

no ip nat inside source static tcp 192.168.1.51 8285 182.73.64.66 8285 extendable

no ip nat inside source static tcp 192.168.1.51 8286 182.73.64.66 8286 extendable

no ip nat inside source static tcp 192.168.1.51 8287 182.73.64.66 8287 extendable

no ip nat inside source static tcp 192.168.1.52 3390 182.73.64.66 3390 extendable

no ip nat inside source static tcp 192.168.1.43 90 182.73.64.66 90 extendable

no ip nat inside source static tcp 192.168.1.43 8000 182.73.64.66 8000 extendable

ip nat source route-map isp1 interface GigabitEthernet0/0 overload

ip nat source route-map isp2 interface GigabitEthernet0/1 overload

ip nat source static tcp 192.168.1.51 80 49.248.102.45 80 extendable

ip nat source static tcp 192.168.1.51 3389 49.248.102.45 3389 extendable

ip nat source static tcp 192.168.1.51 8280 49.248.102.45 8280 extendable

ip nat source static tcp 192.168.1.51 8281 49.248.102.45 8281 extendable

ip nat source static tcp 192.168.1.51 8282 49.248.102.45 8282 extendable

ip nat source static tcp 192.168.1.51 8283 49.248.102.45 8283 extendable

ip nat source static tcp 192.168.1.51 8284 49.248.102.45 8284 extendable

ip nat source static tcp 192.168.1.51 8285 49.248.102.45 8285 extendable

ip nat source static tcp 192.168.1.51 8286 49.248.102.45 8286 extendable

ip nat source static tcp 192.168.1.51 8287 49.248.102.45 8287 extendable

ip nat source static tcp 192.168.1.51 80 182.73.64.66 80 extendable

ip nat source static tcp 192.168.1.51 3389 182.73.64.66 3389 extendable

ip nat source static tcp 192.168.1.51 8280 182.73.64.66 8280 extendable

ip nat source static tcp 192.168.1.51 8281 182.73.64.66 8281 extendable

ip nat source static tcp 192.168.1.51 8282 182.73.64.66 8282 extendable

ip nat source static tcp 192.168.1.51 8283 182.73.64.66 8283 extendable

ip nat source static tcp 192.168.1.51 8284 182.73.64.66 8284 extendable

ip nat source static tcp 192.168.1.51 8285 182.73.64.66 8285 extendable

ip nat source static tcp 192.168.1.51 8286 182.73.64.66 8286 extendable

ip nat source static tcp 192.168.1.51 8287 182.73.64.66 8287 extendable

ip nat source static tcp 192.168.1.52 3390 182.73.64.66 3390 extendable

ip nat source static tcp 192.168.1.43 90 182.73.64.66 90 extendable

ip nat source static tcp 192.168.1.43 8000 182.73.64.66 8000 extendable
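The migration described in the reply above can be generated mechanically rather than typed by hand. This is an added example, not part of the original reply and not Cisco tooling: `convert_to_nvi` is a hypothetical helper, the sample config is a constructed excerpt using statements quoted in this thread, and only the statement forms shown in the reply are handled.

```python
import re

# Traditional NAT statement forms that appear in the reply above.
STATIC_RE = re.compile(
    r"^ip nat inside source (static (?:tcp|udp) \S+ \d+ \S+ \d+(?: extendable)?)$")
DYNAMIC_RE = re.compile(
    r"^ip nat inside source (route-map \S+ interface \S+ overload)$")
IFACE_NAT_RE = re.compile(r"^ip nat (inside|outside)$")

# Constructed sample: a short excerpt in "show running-config" layout.
SAMPLE = """
interface GigabitEthernet0/0
 duplex auto
 ip nat outside
!
interface GigabitEthernet0/2
 ip nat inside
!
ip nat inside source route-map isp1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.51 8280 49.248.102.45 8280 extendable
"""

def convert_to_nvi(config_text):
    """Return the IOS commands that move traditional NAT to NVI (ip nat enable)."""
    iface_cmds, removals, additions = [], [], []
    current_iface = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!" or not raw.startswith(" "):
            current_iface = None          # top-level line ends interface context
        if line.startswith("interface "):
            current_iface = line
            continue
        if current_iface and IFACE_NAT_RE.match(line):
            # Same per-interface steps as the reply: drop the role, enable NVI.
            iface_cmds += [current_iface, " no " + line,
                           " ip nat enable", " no ip redirects"]
            continue
        m = STATIC_RE.match(line) or DYNAMIC_RE.match(line)
        if m:
            removals.append("no " + line)                    # remove old rule
            additions.append("ip nat source " + m.group(1))  # NVI equivalent
    # Interfaces first, then all removals, then all NVI statements.
    return iface_cmds + removals + additions

if __name__ == "__main__":
    print("\n".join(convert_to_nvi(SAMPLE)))
```

Review the generated commands against the full running configuration before pasting them; NAT statements in any other form are skipped by this helper and need manual conversion.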

Hi Guys,

Thanks for your participation. Will check and confirm.

Thanks,

Hardik.
