03-02-2021 06:45 PM - edited 03-02-2021 06:45 PM
Hi,
I want to access a server using the public IP from the same internal network.
Please see the config below:
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool HOME
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool WIN
host 192.168.0.22 255.255.255.0
client-identifier 01d4.3d7e.18d9.ce
!
ip dhcp pool WIN2
host 192.168.0.247 255.255.255.0
client-identifier 0152.5400.45da.74
!
ip dhcp pool Solar
host 192.168.0.253 255.255.255.0
client-identifier 01c8.9346.3250.e8
!
ip dhcp pool Tank-Level
host 192.168.0.243 255.255.255.0
client-identifier 018c.aab5.8b8e.40
!
ip dhcp pool OctoPrint
host 192.168.0.229 255.255.255.0
client-identifier 01dc.a632.2ce3.8c
!
ip domain name mydomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2921/K9 sn FGL1813118M
!
username admin privilege 15 secret 4 HJuTQycLGFn/1VtTta/OeXqUIqQROubxT/D40OGFs0c
!
redundancy
!
ip ssh version 2
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.100
description -Ethernet WAN-
encapsulation dot1Q 100
ip address pub.lic.add.ress 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
ip default-gateway gate.way.add.ress
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list NAT interface GigabitEthernet0/0.100 overload
ip nat inside source static udp 192.168.0.30 80 interface GigabitEthernet0/0.100 80
ip nat inside source static tcp 192.168.0.30 80 interface GigabitEthernet0/0.100 80
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.100 gate.way.add.ress
ip route 192.168.2.0 255.255.255.0 192.168.3.2
!
ip access-list standard IoT
permit 192.168.2.0 0.0.0.255
!
ip access-list extended NAT
permit ip 192.168.0.0 0.0.0.255 any
!
control-plane
!
line con 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 5 0
login local
transport input ssh
!
scheduler allocate 20000 1000
I want to access 192.168.0.30 using pub.lic.add.ress from within the network. I have tested the port forwarding. I am able to access the server from another network.
03-03-2021 12:08 AM
Why not have a local DNS entry to access it internally (rather than complicated engineering)?
If the above is not workable, what is the challenge here?
03-03-2021 01:10 AM
Hello,
what you need is NAT hairpinning. Make the changes/additions marked in bold:
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool HOME
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool WIN
host 192.168.0.22 255.255.255.0
client-identifier 01d4.3d7e.18d9.ce
!
ip dhcp pool WIN2
host 192.168.0.247 255.255.255.0
client-identifier 0152.5400.45da.74
!
ip dhcp pool Solar
host 192.168.0.253 255.255.255.0
client-identifier 01c8.9346.3250.e8
!
ip dhcp pool Tank-Level
host 192.168.0.243 255.255.255.0
client-identifier 018c.aab5.8b8e.40
!
ip dhcp pool OctoPrint
host 192.168.0.229 255.255.255.0
client-identifier 01dc.a632.2ce3.8c
!
ip domain name mydomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2921/K9 sn FGL1813118M
!
username admin privilege 15 secret 4 HJuTQycLGFn/1VtTta/OeXqUIqQROubxT/D40OGFs0c
!
redundancy
!
ip ssh version 2
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
--> interface Loopback0
--> ip address 169.254.1.1 255.255.255.255
--> ip nat inside
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.100
description -Ethernet WAN-
encapsulation dot1Q 100
ip address pub.lic.add.ress 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.0
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 192.168.3.1 255.255.255.0
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
duplex auto
speed auto
!
ip default-gateway gate.way.add.ress
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
--> ip nat inside source list NAT_ACL interface GigabitEthernet0/0.100 overload
--> ip nat inside source list NAT_HAIRPIN_ACL interface Loopback0 overload
ip nat inside source static udp 192.168.0.30 80 interface GigabitEthernet0/0.100 80
ip nat inside source static tcp 192.168.0.30 80 interface GigabitEthernet0/0.100 80
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.100 gate.way.add.ress
ip route 192.168.2.0 255.255.255.0 192.168.3.2
!
ip access-list standard IoT
permit 192.168.2.0 0.0.0.255
!
--> ip access-list extended NAT_ACL
--> deny ip 192.168.0.1 0.0.0.255 192.168.0.1 0.0.0.255
--> deny ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
--> permit ip 192.168.0.1 0.0.0.255 any
--> permit ip 192.168.3.0 0.0.0.255 any
!
--> ip access-list extended NAT_HAIRPIN_ACL
--> permit ip 192.168.0.1 0.0.0.255 host 192.168.0.30
--> permit ip 192.168.3.0 0.0.0.255 host 192.168.0.30
!
--> route-map PBR_NAT_RM permit 10
--> set interface Loopback0
control-plane
line con 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 5 0
login local
transport input ssh
!
scheduler allocate 20000 1000
03-03-2021 01:15 AM - edited 03-06-2021 06:58 AM
Hello
@hirani89 wrote:
Hi,
I want to access 192.168.0.30 using pub.lic.add.ress from within the network. I have tested the port forwarding. I am able to access the server from another network.
You have two options:
Domainless NAT
int gig0/1
no ip nat inside
ip nat enable
no ip redirects
int gig0/0.100
no ip nat outside
no ip redirects
ip nat enable
no ip nat inside source list NAT interface GigabitEthernet0/0.100 overload
no ip nat inside source static udp 192.168.0.30 80 interface GigabitEthernet0/0.100 80
no ip nat inside source static tcp 192.168.0.30 80 interface GigabitEthernet0/0.100 80
ip nat source list NAT interface GigabitEthernet0/0.100 overload
ip nat source static udp 192.168.0.30 80 interface GigabitEthernet0/0.100 80
ip nat source static tcp 192.168.0.30 80 interface GigabitEthernet0/0.100 80
Hairpin NAT
int loopback 100
description hairpin
ip address 169.254.255.254 255.255.255.255
ip nat inside
!
route-map NAT_PBR
set interface loopback 100
!
int gig0/0.100
ip nat outside
!
ip access-list extended NAT
5 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
! hairpin ACL: destination is the forwarded server from the static NAT entries
ip access-list extended NatPin
permit ip 192.168.0.0 0.0.0.255 host 192.168.0.30
!
int gig0/1
ip nat outside
no ip redirects
ip policy route-map NAT_PBR
!
ip nat inside source list NAT interface GigabitEthernet0/0.100 overload
ip nat inside source list NatPin interface loopback100
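A consistency check for hairpin configs like the ones posted in this thread, added here as an illustration and not written by any of the posters: it flags a hairpin ACL whose destination host has no matching static NAT entry, and an `ip policy route-map` reference with no route-map defined. The function name `lint_hairpin` and the sample fragment are constructed for this example.

```python
import re

# Constructed sample: a hairpin fragment using the thread's addressing, with a
# deliberate mismatch between the hairpin ACL host and the forwarded server.
SAMPLE = """\
interface Loopback100
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
 ip policy route-map NAT_PBR
route-map NAT_PBR permit 10
 set interface Loopback100
ip access-list extended NatPin
 permit ip 192.168.0.0 0.0.0.255 host 192.168.1.30
ip nat inside source static tcp 192.168.0.30 80 interface GigabitEthernet0/0.100 80
ip nat inside source list NatPin interface Loopback100 overload
"""

def lint_hairpin(config):
    """Return a list of findings for an IOS hairpin-NAT config fragment."""
    servers, acls, route_maps, policies, hairpin_acls = set(), {}, set(), set(), set()
    acl = None  # entry list of the ACL block currently being read, if any
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip access-list extended (\S+)$", line):
            acl = acls.setdefault(m.group(1), [])
        elif acl is not None and re.match(r"(\d+\s+)?(permit|deny)\s", line):
            acl.append(line)
        else:
            acl = None
            if m := re.match(r"ip nat inside source static (?:tcp|udp) (\S+) ", line):
                servers.add(m.group(1))       # inside-local address of a port forward
            elif m := re.match(r"ip nat inside source list (\S+) interface Loopback", line, re.I):
                hairpin_acls.add(m.group(1))  # ACL bound to the hairpin loopback
            elif m := re.match(r"route-map (\S+)", line):
                route_maps.add(m.group(1))
            elif m := re.match(r"ip policy route-map (\S+)", line):
                policies.add(m.group(1))
    findings = [f"policy route-map {n} is not defined" for n in sorted(policies - route_maps)]
    for name in sorted(hairpin_acls):
        if name not in acls:
            findings.append(f"hairpin ACL {name} is not defined")
            continue
        for entry in acls[name]:
            m = re.search(r"permit ip .* host (\S+)$", entry)
            if m and m.group(1) not in servers:
                findings.append(f"{name}: host {m.group(1)} has no static NAT entry")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_hairpin(SAMPLE)) or "no findings")
```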