08-12-2010 01:30 PM - edited 03-04-2019 09:24 AM
Hello
I'm trying to enable access to web servers and other things from the LAN using the WAN IP.
Currently pinging the WAN IP does not reply. External access to the resources is working correctly.
Any help would be really appreciated. Thanks
08-12-2010 02:50 PM
James
Your question is not clear to me. When you say "enable access to web servers and other things from the lan using the WAN IP", I am not clear whether the LAN you refer to is the LAN where the servers exist (in which case the communication would be direct and not involve the router) or whether the LAN is remote somewhere. And if it is remote, where is it?
It is also not clear what part the WAN IP plays in this.
You have not told us anything about the addressing being used (which could be part of the problem), you have not told us whether there is any access list filtering on either the interface where the servers are located or the WAN interface (which could certainly be part of the problem), or it could be a problem with routing (do the devices attempting to access the servers have correct routes to reach the servers or do the servers have routes to those devices so that responses can be returned), or it could possibly be a problem with Address Translation (which could also be part of the problem).
So if you can provide information to clarify the situation we might be able to give you better answers.
HTH
Rick
08-12-2010 03:17 PM
Thanks for the reply. I'll try to explain it a little better.
We have a server with IP 192.168.0.100.
It's accessible within the LAN using its local IP address and from the outside using the global IP. That's not a problem.
The problem is that the applications on the clients are configured to access the server using the global IP address, but that is not accessible from within the LAN.
Is there some way to loop these requests back?
Here's my config if it helps, thanks again:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging on
enable password 010101
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
!
!
!
!
dot11 ssid test test test
authentication open
guest-mode
!
no ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.3
ip dhcp excluded-address 192.168.0.99 192.168.0.101
!
ip dhcp pool mypool
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
no ip bootp server
!
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no shut
!
ssid test test test
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 1
!
interface Dialer0
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxx
ppp chap password 0 xxxxxx
ppp pap sent-username xxxxx.net password 0 xxxxx
!
interface Dialer1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface BVI1
description $ES_LAN$
ip address 192.168.0.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.100 25 80.159.38.225 25 extendable
ip nat inside source static tcp 192.168.0.100 81 80.259.38.225 81 extendable
ip nat inside source static tcp 192.168.0.100 1352 80.259.38.225 1352 extendable
ip nat inside source static tcp 192.168.0.100 8889 80.259.38.225 8889 extendable
ip nat inside source static tcp 192.168.0.101 10996 80.259.38.225 10996 extendable
ip nat inside source static tcp 192.168.0.100 25017 80.259.38.225 25017 extendable
ip nat inside source static tcp 192.168.0.99 58000 80.259.38.225 58000 extendable
!
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 2 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
exec-timeout 0 0
no modem enable
speed 115200
line aux 0
line vty 0 4
password 010101
login
!
scheduler max-task-time 5000
end
08-12-2010 04:32 PM
You could try using NAT virtual interface (NVI). Instead of having the concept of inside and outside, you only enable NAT on the interface.
Interface BVI1
ip nat enable
interface Dialer0
ip nat enable
ip nat source static tcp 192.168.0.100 25 80.159.38.225 25
Notice you remove "inside" from "ip nat inside source..."
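The rewrite described in the reply above, applied mechanically to an excerpt of the posted config (an added example, not part of the original thread). The function names `to_nvi` and `domain_nat_left` are hypothetical, and the list of NAT interfaces is an assumption supplied by the operator, since BVI1 in the posted config carries no NAT line of its own.

```python
import re

# Interface-level domain markers that NVI replaces with "ip nat enable".
DOMAIN_MARK = re.compile(r"^ip nat (inside|outside)$", re.I)
# Global rules written for the inside domain.
INSIDE_RULE = re.compile(r"^ip nat inside source ", re.I)
IFACE = re.compile(r"^interface (\S+)", re.I)


def to_nvi(config, nat_interfaces):
    """Rewrite domain-based NAT lines in an IOS config to NVI form.

    nat_interfaces: interfaces that take part in NAT (assumption: named by
    the operator rather than inferred from the config).
    """
    wanted = {name.lower() for name in nat_interfaces}
    out = []
    for raw in config.splitlines():
        line = raw.strip()
        if DOMAIN_MARK.match(line):
            continue  # dropped: NVI has no inside/outside domains
        if INSIDE_RULE.match(line):
            line = INSIDE_RULE.sub("ip nat source ", line)
            # Drop "extendable" to match the form given in the reply.
            line = re.sub(r"\s+extendable$", "", line)
        out.append(line)
        m = IFACE.match(line)
        if m and m.group(1).lower() in wanted:
            out.append("ip nat enable")
    return "\n".join(out)


def domain_nat_left(config):
    """Return lines still using inside/outside NAT (empty after conversion)."""
    return [l for l in config.splitlines()
            if re.search(r"\bip nat (inside|outside)\b", l, re.I)]


# Excerpt of the config posted in the thread (flattened, as on the page).
SAMPLE = """interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
!
interface BVI1
ip address 192.168.0.2 255.255.255.0
!
ip nat inside source static tcp 192.168.0.100 25 80.159.38.225 25 extendable"""

if __name__ == "__main__":
    print(to_nvi(SAMPLE, ["Dialer0", "BVI1"]))
```

Running `domain_nat_left` on the converted text confirms that no `inside`/`outside` statement survives alongside the NVI ones.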
08-12-2010 05:43 PM
Thanks very much. That seems to resolve the issue. Been pulling my hair out.
Thanks again all
08-12-2010 05:35 PM
Maybe you could try this solution: don't connect directly to IP address - connect to the hostname (FQDN). And make sure your (split-brain) DNS is configured correctly.