293 Views | 5 Helpful | 3 Replies

DMZ and return traffic

rasoftware
Level 1

I have configured a router with a WAN interface and two LAN interfaces. One LAN interface is a 10.x.x.x network and the other is a 172.x.x.x network. I have a web server located on the 172 network. I have enabled a second routable IP and an access-list to allow port 80 to be visible from the internet and access the web server on 172.x.x.x. I can access this fine from external addresses. When I try to connect from the 10.x.x.x network to the NATted public address it's not possible. I can connect to the 172.x.x.x network from the 10.x.x.x, but I need to close all connections from the 10 to the 172 network as per the customer's request. Is it possible to access this NATted address, or is there some issue with traffic going out of the WAN interface then back in? I see no ACL which is stopping this, but maybe the router isn't allowing it?

3 Replies

Patrick Laidlaw
Level 4

Hello, you should be able to access the NATted address if it is set up as a static. You may need to add a couple of things. If you could post your config, it would be much easier to help you.

Patrick

See attached config. Basically, the outside interface dialer1 (1.1.1.241) is the assigned address and is used for PAT from the 10.0.129.0 network, and 1.1.1.242 maps to DMZ 172.16.0.2 (static). This works fine when accessing the network from any internet address. It will not work when accessing the DMZ outside address from the LAN. Is this firewall not allowing return traffic?

Hello,

NAT translations are only performed in case:

1) IP packet enters through an interface with "ip nat inside"

2) IP packet leaves through an interface with "ip nat outside"

3) the IP packet matches the NAT "description"

OR

1) the IP packet enters through an interface with "ip nat outside"

2) there is a NAT translation for the destination address

What I assume is happening in your case: the packets from the PC enter the router and then the destination address is checked against the IP routing table. The router will see that the address is directly connected to Dialer1 and send it out through dialer1 to the ISP after PAT, i.e. source IP is 1.1.1.241 then.

The first thing to check is, whether you get a NAT translation entry when you ping 1.1.1.242 from a PC.

The ISP might (does he?) just send the IP packet back, and then the destination is NATed to 172.16.0.2 and it reaches the server. The server will send the answer to the router with a destination IP of 1.1.1.241. But now the problem arises that the destination address is 1.1.1.241 AND the NAT table is not consulted, because it enters the router through an interface with "ip nat inside". So the translation back to 172... does not happen - no connectivity.

What you can do is simply to define an entry in lmhosts of each PC to map the real server IP of 172.16.0.2 to the DNS name. Make sure to set the PCs to lookup the local hosts file before issuing a DNS request to the ISP.

This way the communication between the PCs and the server will not involve NAT at all and the router config can just stay as it is. No messy/complicated workarounds are needed in the router.

Hope this helps! Please rate all posts.

Regards, Martin
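The NAT order of operations Martin lays out above can be traced step by step in a small model. The following is an added example, not code from this thread or from Cisco: it simulates the two rules (inside-to-outside translates the source after routing; outside-to-inside translates the destination before routing) on a constructed topology and shows why the LAN-to-DMZ hairpin fails while an internet client and the hosts-file workaround both work. Interface names, the /30 on Dialer1, the PC and internet client addresses, and the assumption that the ISP bounces the packet back are all invented for the illustration.

```python
"""Toy model of the IOS NAT order of operations described in the thread.

Rules implemented, as the post states them:
  inside  -> outside : route first, then translate the SOURCE if a NAT rule matches
  outside -> inside  : translate the DESTINATION if a translation exists, then route
A packet whose destination is one of the router's own addresses is handed to the
router itself and never reaches the NAT step.
"""
import ipaddress

# Constructed topology, loosely following the addresses in the thread.
INTERFACES = {
    # name: (router's own address, connected prefix, nat role)
    "FastEthernet0": ("10.0.129.1", "10.0.129.0/24", "inside"),   # LAN (assumed name)
    "FastEthernet1": ("172.16.0.1", "172.16.0.0/24", "inside"),   # DMZ (assumed name)
    "Dialer1":       ("1.1.1.241",  "1.1.1.240/30",  "outside"),  # WAN (assumed /30)
}
DEFAULT_ROUTE = "Dialer1"
STATIC_NAT = {"172.16.0.2": "1.1.1.242"}        # inside local -> inside global
INSIDE_GLOBAL_TO_LOCAL = {g: l for l, g in STATIC_NAT.items()}
PAT_SOURCES = ipaddress.ip_network("10.0.129.0/24")
PAT_ADDRESS = "1.1.1.241"


def route(dst):
    """Return the egress interface for dst, or None if dst is the router itself."""
    addr = ipaddress.ip_address(dst)
    if any(addr == ipaddress.ip_address(own) for own, _, _ in INTERFACES.values()):
        return None
    for name, (_, prefix, _) in INTERFACES.items():
        if addr in ipaddress.ip_network(prefix):
            return name
    return DEFAULT_ROUTE


def forward(src, dst, ingress):
    """Run one packet through the router; return (src, dst, egress) after any NAT.

    egress is None when the packet terminates on the router itself.
    """
    role = INTERFACES[ingress][2]
    if role == "outside":
        # Destination translation happens BEFORE routing on an outside interface.
        dst = INSIDE_GLOBAL_TO_LOCAL.get(dst, dst)
        return src, dst, route(dst)
    # Inside interface: route first; NAT only applies when leaving via "ip nat outside".
    egress = route(dst)
    if egress is not None and INTERFACES[egress][2] == "outside":
        if src in STATIC_NAT:
            src = STATIC_NAT[src]
        elif ipaddress.ip_address(src) in PAT_SOURCES:
            src = PAT_ADDRESS
    return src, dst, egress


def hairpin_attempt():
    """LAN PC -> public DMZ address. Returns where the server's reply ends up."""
    # 1. PC sends to the public address; it is PAT'd and leaves toward the ISP.
    s, d, egress = forward("10.0.129.10", "1.1.1.242", "FastEthernet0")
    # 2. Assume the ISP bounces it back; it now arrives on the outside interface
    #    and the static translation rewrites the destination to the DMZ server.
    s, d, egress = forward(s, d, "Dialer1")
    # 3. The server replies to 1.1.1.241, which is the router's own Dialer1 address:
    #    the packet terminates on the router and is never translated back to the PC.
    s, d, egress = forward(d, s, "FastEthernet1")
    return egress   # None


def internet_client():
    """External host -> public DMZ address and back: the case that does work."""
    request = forward("203.0.113.5", "1.1.1.242", "Dialer1")
    s, d, _ = request
    reply = forward(d, s, "FastEthernet1")   # source rewritten back to 1.1.1.242
    return request, reply


def hosts_file_workaround():
    """PC uses the real 172.16.0.2 (the hosts-file suggestion): no NAT is involved."""
    return forward("10.0.129.10", "172.16.0.2", "FastEthernet0")


if __name__ == "__main__":
    print("hairpin reply egress:", hairpin_attempt())
    print("internet client:", internet_client())
    print("hosts-file workaround:", hosts_file_workaround())
```

The model deliberately ignores the ACL, the actual IOS interface names and any NAT alias the router installs for 1.1.1.242; its only purpose is to make the "which direction consults the NAT table, and when" rule visible, which is the whole reason the hairpin reply is absorbed by the router.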
