Dynamic DNS resolving to internal router web site

amoge0123
Level 1

Hello all,

I am using Cisco 877W to connect my home network to the Internet.

Using dynamic DNS (DYNDNS.ORG) I have configured a web site on a Windows server to be redirected to port 443 on this server. Instead of this, what I get is the CP express website that shipped with the router. If I disable the internal router web site with the command:

no ip http secure-server

no web page is displayed using dyndns hostname.

Why is the Windows website not being displayed as I specified in the NAT configuration? I had no problem with this when I was using the router provided by my ISP.

Any help is appreciated.


Hi,

If you do an nslookup DOMAIN_NAME for the web server, it resolves to the public IP, correct?

If you open a browser and go to that site or try https://public_IP then you get the router's HTTP page?

The router should redirect port 443 to the internal web server if your NAT configuration is correct.

Could you post the relevant configuration for NAT?

Federico.

Hi Federico,

Your analysis is correct.

Below is NAT and dyndns configuration:

access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 172.16.1.10
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 172.16.1.10
class-map type inspect match-all sdm-nat-https-3
match access-group 103
match protocol https
exit
class-map type inspect match-all sdm-nat-ftp-2
match access-group 104
match protocol ftp
exit
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-https-3
  no drop
  inspect
  exit
class type inspect sdm-nat-https-3
  no drop
  inspect
  exit
class type inspect sdm-nat-https-3
  no drop
  inspect
  exit
class type inspect sdm-nat-ftp-2
  no drop
  inspect
  exit
class type inspect sdm-nat-ftp-2
  no drop
  inspect
  exit
class type inspect sdm-nat-ftp-2
  no drop
  inspect
  exit
exit
interface Vlan1
ip nat inside
exit
ip nat inside source static tcp 172.16.1.10 443 interface Dialer0 443
ip nat inside source static tcp 172.16.1.10 21 interface Dialer0 21


ip ddns update method sdm_ddns1
no DDNS both
HTTP
  add http://xxxxxxx:xxxxxxx@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=>
  remove http://xxxxxxx:xxxxxxx@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=>
  exit
exit

You have the ip nat inside command on VLAN 1 where 172.16.1.10 resides.
Do you have the ip nat outside command on Dialer0?

The reason I ask is because the request on port 443 is getting to the router but
seems to not be redirected internally.

If you do have the command do the following test:

ip access-list extended in-443
  permit tcp any host 172.16.1.10 eq 443
  permit ip any any

interface vlan 1
  ip access-group in-443 out

And check if the hitcounts on the ACL in-443 increment every time you open a browser
and try to get to the public IP on port 443.


sh access-list in-443

If you see hitcounts incrementing, the router is indeed redirecting the packets to the
internal server.
We will need to check if they're coming back.

Federico.

Well, it turns out the router was correctly resolving the dynamic DNS mapping after all. Last Friday while at work and quite by chance I entered the web URL into the browser and it returned the website running on the internal server in my home network!

The problem therefore was that the router resolved to the correct address when the web page was requested outside the network but resolved the same URL to the router's internal website when requested from inside the network. The router is in effect doing what it has been configured to do.

What I would like to know is how to get the router to also resolve to the dynamically mapped address when the website request is from internal.

With what configuration could this be achieved? Of course if you are on the server locally and you typed https://172.16.1.10:443, the website also loads correctly.

Thanks
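
Added example, not part of any post in this thread and not Cisco code: a Python check over a saved configuration for the two conditions discussed above, namely a static port forward whose interface lacks `ip nat outside`, and a forwarded port that the router's own HTTP/HTTPS server also answers on. The sample text, the Dialer0 block and the helper names `audit` and `norm` are assumptions made for the illustration.

```python
import re

# Constructed sample modelled on the configuration posted in this thread;
# the Dialer0 block is an assumption, since the thread never shows it.
SAMPLE_CONFIG = """\
ip http secure-server
interface Vlan1
 ip nat inside
exit
interface Dialer0
 ip address negotiated
exit
ip nat inside source static tcp 172.16.1.10 443 interface Dialer0 443
ip nat inside source static tcp 172.16.1.10 21 interface Dialer0 21
"""

# Router-local TCP services and their default ports (assumes ports were not changed).
LOCAL_SERVICES = {"ip http server": 80, "ip http secure-server": 443}
STATIC_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")

def norm(name):
    """'vlan 1' and 'Vlan1' name the same interface."""
    return re.sub(r"\s+", "", name).lower()

def audit(config):
    """Return (public_port, finding, detail) tuples for each static port forward."""
    lines = [l.strip() for l in config.splitlines()]
    roles, current = {}, None
    for line in lines:
        m = re.match(r"interface\s+(.+)$", line, re.I)
        if m:
            current = norm(m.group(1))
            roles.setdefault(current, set())
        elif line in ("exit", "!"):
            current = None
        elif current and line in ("ip nat inside", "ip nat outside"):
            roles[current].add(line.split()[-1])
    # Exact-line match, so "no ip http secure-server" does not count as enabled.
    local_ports = {port for cmd, port in LOCAL_SERVICES.items() if cmd in lines}
    findings = []
    for m in filter(None, map(STATIC_RE.match, lines)):
        proto, host, _, ifname, public_port = m.groups()
        if "outside" not in roles.get(norm(ifname), set()):
            findings.append((int(public_port), "missing-nat-outside", ifname))
        if proto == "tcp" and int(public_port) in local_ports:
            findings.append((int(public_port), "router-service-on-same-port", host))
    return findings
```

Calling `audit()` on the text of a saved running configuration returns an empty list when every forward has an outside interface and no router service shares its port.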
