DMZ public web and dns servers - NAT issue?

remi-reszka
Level 1

Hi everyone,

Need some help from you professionals on this problem. Here is the scenario:

We have a Cisco router 2901 with a 10M dedicated link on the Gi0/0 interface, and 3 VLANs on the Gi0/1 interface. The Gi0/1 is subinterfaced for the default, LAN and DMZ segments. LAN is assigned 172.16.1.0/24 and DMZ 192.168.1.0/24. We host a web server (192.168.1.11) and a DNS server (192.168.1.18) on the DMZ VLAN. On the same WAN interface we have configured PAT and NAT. For outside queries to the DNS and web servers everything works fine, but when we try to open the website on our web server from the internal LAN, we can't do it.

When PINGing the web server by its IP address 192.168.1.11 or by the FQDN, the requests respond fine. The domain.com and www.domain.com resolve and respond with public IP address of our WAN link as the DNS server is configured. But when we try to open http://domain.com or http://www.domain.com in the Internet browser the website does not open.

What could be the issue? Could it be anything with the NAT or PAT configuration?

Any suggestions please?


Hi,

From internal, what happens when you open the page by using "http://192.168.1.11"? The problem should be when you connect to the server with the public IP address. Is the public IP address your WAN interface? Please post the configuration, excluding sensitive information.

Toshi

Hi Toshi,

Thanks very much for the reply. OK, I have been running more tests. Here are the comments:

Yes I have been trying to open the website with http://192.168.1.11 and nothing, same as http://domain or http://www.domain.com.

Problem partially resolved. When I do http://192.168.1.11:8080 (which is another service) it opens just fine. What happens with http://192.168.1.11, why does it not work? Because the web server redirects http://domain.com to https://www.domain.com/subfolder/, so even if I tried to open http://192.168.1.11 it was redirecting to https://www.domain.com/subfolder/ and of course this was resolving to the public address. What I did is modify the "hosts" file for domain.com and www.domain.com to resolve to 192.168.1.11 and this works fine now.

So if we have an internal NS server that has all the A records for the domain that point to our public IP address for the web server, can it also be configured with A records pointing to the private IP address of the web server? Personally I don't think so, because there would be confusion between internal and external queries to domain.com. Is that right?

Is it by default that NAT on a Cisco router cannot resolve a public to an internal IP address on the same interface?

Remi

Hi Remi,

It's a DNS problem. The logic behind this is as follows:

Assuming that you are trying to connect to the web server from internal, and you're using the WAN IP address in the static NAT statement for the web server:

1. Hosts try to get the IP address of the web server via a DNS query sent to the DNS server (192.168.1.18).

2. Hosts receive the Public IP address of Web server via DNS reply.

3. Hosts try to connect to the web server by using the public IP address (it's the IP address of the WAN interface).

4. The router does not do anything to translate the IP address. You can think of it as hosts trying to connect to a local IP address on the router. So you will get nothing, or you will get the web page of the router instead if HTTP is enabled. So it won't work.

Assuming that you are trying to connect to the web server from internal, and you're using an IP address on the same subnet as the WAN interface in the static NAT statement for the web server:

1. Hosts try to get the IP address of the web server via a DNS query sent to the DNS server (192.168.1.18).

2. Hosts receive the Public IP address of Web server via DNS reply.

3. Hosts try to connect to the web server by using the public IP address on the same subnet as the WAN interface.

4. The router sends the packets out the WAN interface and does NAT overload to translate the source IP address. The router handles return packets by translating the destination back to private IP addresses and then routes them to the internal LAN.

5. The router doesn't do anything about the static NAT for the web server in this process, and the web server won't see any TCP SYN packets from the hosts. So it won't work.

You may want to use a hosts file or set up an internal DNS pointing A records to private IP addresses.

HTH,

Toshi
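
As an added illustration (not part of the thread), the following Python model walks through Toshi's two scenarios and the split-horizon DNS fix that answers Remi's question about internal A records. The WAN address 203.0.113.10, the WAN subnet 203.0.113.0/29 and the outside client 198.51.100.7 are placeholders; the private addresses are the ones posted in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: placeholder public addresses, private ones from the thread.
WAN_IP = ip_address("203.0.113.10")          # router's Gi0/0 address (placeholder)
WAN_NET = ip_network("203.0.113.0/29")       # WAN subnet (placeholder)
INSIDE_NETS = [ip_network("172.16.1.0/24"),  # LAN VLAN
               ip_network("192.168.1.0/24")]  # DMZ VLAN
WEB_PRIVATE = ip_address("192.168.1.11")

# Static NAT entry: public address -> DMZ web server (consulted only for traffic
# that crosses from the outside interface to the inside).
STATIC_NAT = {WAN_IP: WEB_PRIVATE}

def ingress_interface(src):
    return "inside" if any(src in n for n in INSIDE_NETS) else "outside"

def forward(src, dst):
    """Where a TCP SYN from src to dst ends up under IOS NAT rules: outside->inside
    translates the destination, inside->outside translates the source, and a packet
    addressed to the router's own interface is handled locally."""
    src, dst = ip_address(src), ip_address(dst)
    if ingress_interface(src) == "outside":
        return f"delivered to {STATIC_NAT.get(dst, dst)}"   # static NAT applies
    if dst == WAN_IP:
        # Scenario 1, step 4: the router owns this address, so it answers itself
        # (or shows its own HTTP page); the static entry is never looked up.
        return "consumed by router (local address)"
    if any(dst in n for n in INSIDE_NETS):
        return f"delivered to {dst}"                        # inter-VLAN routing, no NAT
    # Scenario 2, steps 4-5: inside->outside, source PAT'ed to WAN_IP, packet leaves
    # Gi0/0 and the web server never sees the SYN.
    return f"sent out WAN as {WAN_IP}, never reaches {WEB_PRIVATE}"

# Split-horizon DNS: the same name answered differently per view.
EXTERNAL_ZONE = {"www.domain.com": WAN_IP}
INTERNAL_ZONE = {"www.domain.com": WEB_PRIVATE}

def resolve(client, name, split_dns=True):
    """With split_dns=False every client gets the public A record (the broken setup)."""
    internal = split_dns and ingress_interface(ip_address(client)) == "inside"
    return (INTERNAL_ZONE if internal else EXTERNAL_ZONE)[name]

def browse(client, name, split_dns=True):
    return forward(client, resolve(client, name, split_dns))
```

The LAN client only reaches the server once the internal view hands it the private address; external clients still get the public record and are translated by the static entry.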

Thanks Toshi for your help and effort in helping me. I rewarded you with 5 points for that.

Cheers,

Remi

Hi Remi,

      I'm glad that I could help you some.

Thanks

Toshi