02-13-2003 07:57 PM - edited 02-20-2020 09:20 PM
Have been working on this 2621xm IOS 12.1(18) router config for some time and have most of it working, but now I cannot access the webserver at IP 192.168.3.xx. I have "ip nat inside source static tcp 192.168.3.xx 80 65.32.15.xx 80 extendable" in the list. Strange... It can be accessed correctly from the internet but not from the inside of the network. I cannot connect from the inside using the IP address of the webserver nor http://www.domainname.com. The 65.32.15.xx is also the outside interface of the router but should NAT to the private address 192.168.3.xx:80, which it does from the internet but not from the inside network.
My config is as follows. Any help to get the NAT or route correct so I can connect internally and externally will be appreciated greatly!!!
I realize I have a lot of trash in the ACL and it is not very secure. My intention was to get things "up" and then begin securing it more.
Thanks!! Please help!! I've x-ed out some of the IPs for some security.
Current configuration : 3051 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname rtrname
enable secret 5 $1$nKAq$GvomCOuYV.KRYYSgOJX.p0
enable password 7 133505431101267B3F2720
!
!
!
!
!
ip subnet-zero
ip name-server 65.32.x.65
ip name-server 65.32.x.70
interface FastEthernet0/0
description Private Interface
ip address 192.168.x.1 255.255.255.0
ip access-group 100 in
ip nat inside
no ip mroute-cache
speed 100
full-duplex
no cdp enable
!
interface FastEthernet0/1
description Public Interface
ip address 65.32.x.86 255.255.255.192 secondary
ip address 65.32.x.87 255.255.255.192
ip access-group 101 in
ip access-group 100 out
ip nat outside
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
ip nat inside source list 7 interface FastEthernet0/1 overload
ip nat inside source static 192.168.x.159 65.x.15.86
ip nat inside source static tcp 192.168.x.11 20 65.32.x.87 20 extendable
ip nat inside source static tcp 192.168.x.11 21 65.32.x.87 21 extendable
ip nat inside source static tcp 192.168.x.11 80 65.32.x.87 80 extendable
ip nat inside source static tcp 192.168.x.11 16893 65.32.x.87 16893 extendable
ip nat inside source static tcp 192.168.x.13 16894 65.32.x.87 16894 extendable
ip nat inside source static tcp 192.168.x.12 16895 65.32.x.87 16895 extendable
ip nat inside source static tcp 192.168.x.11 24176 65.32.x.87 24176 extendable
ip nat inside source static tcp 192.168.x.13 24177 65.32.x.87 24177 extendable
ip nat inside source static tcp 192.168.x.12 24178 65.32.x.87 24178 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 65.32.x.65 permanent
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 192.168.x.0 255.255.255.0 FastEthernet0/1 permanent
no ip http server
!
access-list 7 permit 192.168.x.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit gre any host 65.32.x.86
access-list 101 permit ip 192.168.x.0 0.0.0.255 any
access-list 101 permit tcp any host 65.32.x5.87 eq www
access-list 101 permit tcp any host 65.32.x.87 eq 16893
access-list 101 permit tcp any host 65.32.x.87 eq 16894
access-list 101 permit tcp any host 65.32.x.87 eq 16895
access-list 101 permit tcp any host 65.32.x.87 eq 24176
access-list 101 permit tcp any host 65.32.x.87 eq 24177
access-list 101 permit tcp any host 65.32.x.87 eq 24178
access-list 101 permit tcp any host 65.32.x.87 eq ftp
access-list 101 permit tcp any host 65.32.x.87 eq ftp-data
access-list 101 permit tcp any host 65.32.x.86 eq 1723
access-list 101 permit tcp any host 65.32.x.86
access-list 101 permit tcp any eq www host 65.32.x.87
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain host 65.32.x.87
no cdp run
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 wjrbnfibvnvaebv
login
end
02-17-2003 07:56 AM
The results you are seeing are correct. The global addresses (65.32.15.x) are only valid on the outside and the local addresses (192.168.3.x) are only valid on the inside. The reason this fails is because:
1. Host 1 browses to the internal Web Server using its URL (www.domainname.com).
2. Host 1's browser sends a DNS request to the external DNS server to resolve domainname.com to its IP address.
3. The external DNS server replies with the global IP address of 65.32.15.x.
4. Host 1's browser now attempts to make a connection with 65.32.15.x and sends the traffic to its default gateway, fa0/0.
5. Routing takes place, and the router sends this traffic out the fa0/1 interface. As this occurs, the source IP address is translated since it has traversed both a NAT inside and outside interface.
6. The ISP notes the destination address (65.32.15.x) is routed back out the same interface it came in on, and the traffic comes back to the fa0/1 interface.
7. Since fa0/1 is a NAT outside interface, the source and destination addresses are translated. The packet now has a source of 192.168.x.x and a destination of 192.168.3.x.
8. The Web Server receives the TCP request from Host 1 and, noting that it is a local address, replies directly to Host 1.
9. Host 1 receives a reply from its TCP request; however, since it receives it from 192.168.3.x and not 63.32.15.x as it was expecting, it drops the packet.
The way to solve this problem is to use an internal DNS server or set up host files on all your internal users.
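As an added illustration, not part of the thread above, the following small Python model walks the packet through the steps the reply describes and then through the suggested split-DNS fix. The addresses, the hostname www.example.test and the helper names are constructed placeholders (the thread x-es out its real values), and the overload translation is simplified to address-only.

```python
# Toy model of the NAT hairpin described in the reply, and of the
# "use an internal DNS server" fix. Added example; addresses are constructed.
from dataclasses import dataclass

INSIDE_NET = "192.168.3."                                # fa0/0 subnet, ip nat inside
WEB_LOCAL, WEB_GLOBAL = "192.168.3.11", "65.32.15.87"    # static tcp ... 80 ... 80
HOST1 = "192.168.3.50"                                   # an inside client
PUBLIC_DNS = {"www.example.test": WEB_GLOBAL}            # what the external DNS returns
INTERNAL_DNS = {"www.example.test": WEB_LOCAL}           # the suggested fix

pat_table = {}   # global source -> inside local source (the overload entry)


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int


def inside(ip):
    return ip.startswith(INSIDE_NET)


def nat_inside_to_outside(p):
    """fa0/0 -> fa0/1 (step 5): inside source becomes the fa0/1 address."""
    pat_table[WEB_GLOBAL] = p.src
    return Pkt(WEB_GLOBAL, p.dst, p.dport)


def nat_outside_to_inside(p):
    """fa0/1 -> fa0/0 (step 7): static entry maps the destination back, and the
    overload entry maps the source back, so both ends are now local addresses."""
    src = pat_table.get(p.src, p.src)
    dst = WEB_LOCAL if (p.dst, p.dport) == (WEB_GLOBAL, 80) else p.dst
    return Pkt(src, dst, p.dport)


def deliver(p):
    """Return the packet as it arrives at the web server (steps 4-7)."""
    if inside(p.dst):                 # same subnet: no router, no translation
        return p
    out = nat_inside_to_outside(p)    # step 6: the ISP routes it straight back in
    return nat_outside_to_inside(out)


def client_accepts(dns):
    """Steps 8-9: the server answers from the address it was reached on; the
    client keeps the reply only if that matches the address it connected to."""
    target = dns["www.example.test"]
    arrived = deliver(Pkt(HOST1, target, 80))
    return arrived.dst == target      # False through public DNS, True through internal DNS
```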