07-21-2022 05:20 AM - last edited on 07-24-2022 10:10 PM by Translator
Greetings, colleagues.
I ran into the following problem. I have two local subnets: office users are in network 192.168.15.0/24, and there is also a DMZ network 192.168.90.0/24 in which there is a web server with IP address 192.168.90.15.
192.168.15.0/24 >>> 5.5.5.5 (NAT Overload)
192.168.90.15 >>> 5.5.5.4 (Static NAT)
The problem is that users from network 192.168.15.0/24 try to reach the external IP address 5.5.5.4 but cannot connect to the web server. (At the local IP address 192.168.90.15 they connect successfully.)
NVI NAT is not supported on my router (Cisco ISR 4331, IOS XE 16.6). Any idea how to get the users to connect to my web server (192.168.90.15) in the DMZ at its external IP address?
The schematic is attached.
RUNNING CONFIG ROUTER
interface GigabitEthernet0/0/2.15
encapsulation dot1Q 15
ip address 192.168.15.1 255.255.255.0
ip nat inside
interface GigabitEthernet0/0/2.90
encapsulation dot1Q 90
ip address 192.168.90.1 255.255.255.0
ip nat inside
interface GigabitEthernet0/0/1
ip address 5.5.5.5 255.255.255.240
ip nat outside
ip route 0.0.0.0 0.0.0.0 5.5.5.1
ip nat inside source list NAT-OVERLOAD interface GigabitEthernet0/0/1 overload
ip access-list extended NAT-OVERLOAD
10 permit ip 192.168.15.0 0.0.0.255 any
ip nat name ~~~WEB-SERVER~~~ inside source static 192.168.90.15 5.5.5.4
07-21-2022 08:41 AM - edited 07-21-2022 08:43 AM
Hello
You can hairpin to that DMZ public address.
Review attached file.
07-22-2022 03:27 AM - last edited on 07-24-2022 10:14 PM by Translator
Sorry, your solution really works! I was just a bit confused: for interface 0/2.90 you specified
no ip nat outside
although it should be inside.
I am attaching a working configuration; maybe someone will need it.
ROUTER CONFIG
interface Loopback0
description --- NAT-HAIRPING
ip address 169.254.255.254 255.255.255.255
ip nat inside
!
interface GigabitEthernet0/1
description --- WAN
ip address 5.5.5.5 255.255.255.240
ip nat outside
!
interface GigabitEthernet0/2
no sh
!
interface GigabitEthernet0/2.15
description --- USERS
encapsulation dot1Q 15
ip address 192.168.15.1 255.255.255.0
ip nat outside
ip policy route-map PBR
!
interface GigabitEthernet0/2.90
description --- DMZ
encapsulation dot1Q 90
ip address 192.168.90.1 255.255.255.0
ip nat inside
!
ip nat inside source list NAT-HAIRPING interface GigabitEthernet0/1 overload
ip nat inside source list NAT-OVERLOAD interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.90.15 5.5.5.4 extendable
ip route 0.0.0.0 0.0.0.0 5.5.5.1
!
ip access-list extended NAT-HAIRPING
permit ip 192.168.15.0 0.0.0.255 host 192.168.90.15
permit ip 192.168.90.0 0.0.0.255 host 192.168.90.15
!
ip access-list extended NAT-OVERLOAD
deny ip 192.168.15.0 0.0.0.255 192.168.15.0 0.0.0.255
deny ip 192.168.90.0 0.0.0.255 192.168.90.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 any
permit ip 192.168.90.0 0.0.0.255 any
!
route-map PBR permit 10
set interface Loopback0
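To make the direction rules behind the hairpin explicit, here is a small Python model of classic Cisco IOS interface-based NAT ordering: translation happens only when a packet crosses between an inside and an outside interface; inside to outside routes first and then translates the source; outside to inside translates the destination first and then routes. It is an added example for this thread, not Cisco code and not from any post here. The interface names and addresses are the ones from the thread; the flows, the simplified rules and the ACL modelling are my assumptions, and it does not model the PBR-to-loopback trick or any IOS XE specifics. It reproduces the original config failing the hairpin, the users-as-outside config delivering the hairpin and translating the server's reply, and that same config (without the loopback and PBR) leaving office-to-Internet traffic untranslated, which is the loss of Internet access reported later in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Iface:
    name: str
    subnet: str           # connected prefix
    nat: Optional[str]    # "inside", "outside" or None (no NAT role)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class Router:
    """Simplified model of classic IOS interface-based NAT (assumed rules)."""
    def __init__(self, ifaces, default_via, static, overload_acl, overload_ip):
        self.ifaces = {i.name: i for i in ifaces}
        self.default_via = default_via            # egress for 0.0.0.0/0
        self.static = dict(static)                # inside local -> inside global
        self.global_to_local = {g: l for l, g in self.static.items()}
        self.acl = overload_acl                   # [(action, src_net, dst_net)]
        self.overload_ip = overload_ip

    def route(self, dst: str) -> Iface:
        """Connected routes win, otherwise the default route."""
        addr = ip_address(dst)
        for i in self.ifaces.values():
            if addr in ip_network(i.subnet):
                return i
        return self.ifaces[self.default_via]

    def acl_permits(self, src: str, dst: str) -> bool:
        """First matching entry decides; implicit deny at the end."""
        s, d = ip_address(src), ip_address(dst)
        for action, src_net, dst_net in self.acl:
            if s in ip_network(src_net) and d in ip_network(dst_net):
                return action == "permit"
        return False

    def forward(self, ingress: str, pkt: Packet) -> tuple:
        """Return (egress interface name, packet as it leaves the router)."""
        inif = self.ifaces[ingress]
        src, dst = pkt.src, pkt.dst
        # outside -> inside: translate the destination before routing, but only
        # if the inside-local address really lives behind an inside interface
        if inif.nat == "outside" and dst in self.global_to_local:
            local = self.global_to_local[dst]
            if self.route(local).nat == "inside":
                dst = local
        out = self.route(dst)
        # inside -> outside: route first, then translate the source
        # (static entry first, otherwise the overload ACL)
        if inif.nat == "inside" and out.nat == "outside":
            if src in self.static:
                src = self.static[src]
            elif self.acl_permits(src, dst):
                src = self.overload_ip
        return out.name, Packet(src, dst)

# Interface names and addresses from the thread; the flows below are constructed.
USERS, DMZ, WAN = "Gi0/2.15", "Gi0/2.90", "Gi0/1"
ANY = "0.0.0.0/0"

def build(users_role: str, overload_acl) -> Router:
    return Router(
        ifaces=[Iface(USERS, "192.168.15.0/24", users_role),
                Iface(DMZ, "192.168.90.0/24", "inside"),
                Iface(WAN, "5.5.5.0/28", "outside")],
        default_via=WAN, static={"192.168.90.15": "5.5.5.4"},
        overload_acl=overload_acl, overload_ip="5.5.5.5")

ORIGINAL = build("inside", [("permit", "192.168.15.0/24", ANY)])
HAIRPIN = build("outside", [            # users interface is now "outside"
    ("deny", "192.168.15.0/24", "192.168.15.0/24"),
    ("deny", "192.168.90.0/24", "192.168.90.0/24"),
    ("permit", "192.168.15.0/24", ANY),
    ("permit", "192.168.90.0/24", ANY)])

def reaches_web_server(r: Router) -> bool:
    """Office host connects to the public address: does it land on the DMZ server?"""
    egress, p = r.forward(USERS, Packet("192.168.15.10", "5.5.5.4"))
    return egress == DMZ and p.dst == "192.168.90.15"

def reply_is_translated(r: Router) -> bool:
    """The reply must come back from 5.5.5.4 or the client's TCP state won't match."""
    egress, p = r.forward(DMZ, Packet("192.168.90.15", "192.168.15.10"))
    return egress == USERS and p.src == "5.5.5.4"

def internet_is_natted(r: Router) -> bool:
    """Office host to the Internet must leave the WAN with the overload address."""
    egress, p = r.forward(USERS, Packet("192.168.15.10", "8.8.8.8"))
    return egress == WAN and p.src == "5.5.5.5"

if __name__ == "__main__":
    for label, r in (("original", ORIGINAL), ("hairpin, no PBR", HAIRPIN)):
        print(label, reaches_web_server(r), reply_is_translated(r), internet_is_natted(r))
```

In the original config the office packet to 5.5.5.4 is source-translated to 5.5.5.5 and routed out the WAN, where nothing answers for 5.5.5.4, so the server is never reached. Marking the users interface as outside makes the same packet hit the static entry before routing and land in the DMZ, and the server's reply is rewritten back to 5.5.5.4 on its way out; the cost is that office-to-Internet traffic now crosses outside to outside and is not translated at all, which is what the loopback plus PBR in the accepted configuration is there to repair. On a real box, `show ip nat translations` after a test connection from an office host should show an entry for 5.5.5.4 for the hairpinned flow.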
07-21-2022 05:48 AM
I will do a small lab and update you.
07-21-2022 08:11 AM
Thanks, man! I look forward to hearing from you.
07-21-2022 06:06 AM
I've been working with networks for 15 years, you can trust me. It's impossible to do that.
07-21-2022 09:06 AM
Yes, it worked, but now users on network 192.168.15.0 cannot access the Internet
07-21-2022 11:51 AM
Hello
Can you post the configuration as it is currently, please?
07-22-2022 07:51 AM - last edited on 07-24-2022 10:17 PM by Translator
I found an even simpler solution: by removing the PBR and the loopback, in my case it turned out to be possible to get by with just the simple deny entries for the local networks in the ACL "NAT-OVERLOAD".
NEW SOLUTION
interface GigabitEthernet0/2.15
description --- USERS
encapsulation dot1Q 15
ip address 192.168.15.1 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/2.90
description --- DMZ
encapsulation dot1Q 90
ip address 192.168.90.1 255.255.255.0
ip nat inside
!
ip nat inside source list NAT-OVERLOAD interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.90.15 5.5.5.4 extendable
ip route 0.0.0.0 0.0.0.0 5.5.5.1
!
ip access-list extended NAT-OVERLOAD
deny ip 192.168.15.0 0.0.0.255 192.168.15.0 0.0.0.255
deny ip 192.168.90.0 0.0.0.255 192.168.90.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 any
permit ip 192.168.90.0 0.0.0.255 any
07-21-2022 09:14 AM - last edited on 07-24-2022 10:21 PM by Translator
Hello,
for routers without NVI NAT support, the config below should work (the added configuration parts are marked in bold):
interface Loopback0
ip address 1.1.1.1 255.255.255.252
ip nat outside
ip policy route-map LOOP_OUT_RM
!
interface Loopback1
ip address 2.2.2.2 255.255.255.255
ip nat outside
!
interface GigabitEthernet0/0/2.15
encapsulation dot1Q 15
ip address 192.168.15.1 255.255.255.0
ip nat inside
interface GigabitEthernet0/0/2.90
encapsulation dot1Q 90
ip address 192.168.90.1 255.255.255.0
ip nat inside
ip policy route-map IN_OUT_RM
interface GigabitEthernet0/0/1
ip address 5.5.5.5 255.255.255.240
ip policy route-map OUT_IN_RM
ip route 0.0.0.0 0.0.0.0 5.5.5.1
!
ip nat pool LAN_HOSTS_NAT_POOL 5.5.5.4 5.5.5.4 prefix-length 28
ip nat inside source list LAN_HOSTS_ACL pool LAN_HOSTS_NAT_POOL overload
ip nat inside source static 192.168.90.15 5.5.5.4 extendable
ip nat inside source list NAT-OVERLOAD interface GigabitEthernet0/0/1 overload
!
ip access-list extended LAN_HOSTS_ACL
permit ip host 192.168.90.15 any
ip access-list extended LAN_HOSTS_NAT_SRC
permit ip host 5.5.5.4 any
ip access-list extended LAN_HOSTS_NAT_DST
permit ip any host 5.5.5.4
ip access-list extended NAT-OVERLOAD
10 permit ip 192.168.15.0 0.0.0.255 any
ip nat name ~~~WEB-SERVER~~~ inside source static 192.168.90.15 5.5.5.4
!
route-map LOOP_OUT_RM permit 10
match ip address LAN_HOSTS_NAT_SRC
set interface GigabitEthernet0/0/1
!
route-map IN_OUT_RM permit 10
match ip address LAN_HOSTS_ACL
set interface Loopback0
!
route-map OUT_IN_RM permit 10
match ip address LAN_HOSTS_NAT_DST
set interface Loopback1
07-22-2022 02:19 AM
07-22-2022 03:15 AM - last edited on 07-24-2022 10:22 PM by Translator
Hello,
you did not configure it the way I suggested. Make the changes marked in bold:
interface GigabitEthernet0/1
ip address 5.5.5.5 255.255.255.240
--> no ip nat outside
no ip virtual-reassembly in
ip policy route-map OUT_IN_RM
duplex auto
speed auto
media-type rj45
--> no ip nat inside source list NAT-OVERLOAD interface GigabitEthernet0/1 overload