
External NAT works fine, but addresses are not reached from LAN

rpmsnepvangers
Level 1

Hello,

We are using a Cisco 1841 router for internet access. We created NAT for our webservers (http and https). Our websites can be reached from the WAN. Now we cannot access our https website from the LAN (using the WAN IP address).

Config:

interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0.1
 description DataVLAN
 encapsulation dot1Q 1 native
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip nat inside
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.10
 description VoiceVLAN
 encapsulation dot1Q 10
 ip address 10.0.10.3 255.255.255.0
 no ip redirects
 ip nat inside
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/1
 description WAN
 bandwidth 10000
 ip address A.B.C.D 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 service-policy output SDM-QoS-Policy-1
ip classless
ip route 0.0.0.0 0.0.0.0 A.B.C.D. permanent
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 200
no ip nat service skinny tcp port 2000
no ip nat service sip udp port 5060
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 2 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.0.0.24 4673 interface FastEthernet0/1 4673
ip nat inside source static tcp 10.0.0.24 4663 interface FastEthernet0/1 4663
ip nat inside source static udp 10.0.0.24 4674 interface FastEthernet0/1 4674
ip nat inside source static tcp 10.0.0.6 80 interface FastEthernet0/1 8080
ip nat inside source static tcp 10.0.0.24 3389 interface FastEthernet0/1 50697
ip nat inside source static tcp 10.0.0.1 3389 interface FastEthernet0/1 3390
ip nat inside source static tcp 10.0.0.75 3389 interface FastEthernet0/1 26681
ip nat inside source static tcp 10.0.0.96 3389 interface FastEthernet0/1 48419
ip nat inside source static tcp 10.0.0.6 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 10.0.0.2 3389 interface FastEthernet0/1 7676
ip nat inside source static tcp 10.0.0.5 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.0.0.5 4822 interface FastEthernet0/1 4822
ip nat inside source static tcp 10.0.0.1 3690 interface FastEthernet0/1 3690
ip nat inside source static tcp 10.0.0.5 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.0.0.13 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.0.0.6 21 interface FastEthernet0/1 21

Can somebody give me a hand?

Greetz Richard

9 Replies

Giuseppe Larosa
Hall of Fame

Hello Richard,

I'm not sure I've understood your issue.

I see that you have configured several static NAT statements for your internal servers and you say they work: that is, from the internet you can access these services.

Then you say that you cannot access the https server from the LAN (the NAT inside, I guess) by using the WAN IP address.

NAT works by classifying interfaces as inside and outside with a precise meaning: only traffic that crosses a pair of interfaces, one inside and one outside, is translated.

So when you try to access your https server from inside, you have to use the real internal (inside local) IP address to access it, not the address that will be used when accessing from the outer world.

Hope to help

Giuseppe

Hello Giuseppe, you have understood my issue correctly.

The problem is that some applications are always using the same (internet) address, whether we are working inside (LAN) or outside (WAN). Is there some way to resolve this problem?

thank you in advance

Richard

Hello Richard,

This is more a DNS issue, I suppose.

A possible fix could be to use the hosts file on the devices to provide the local inside entry.

(if Linux based; otherwise the file should be the lmhosts on a Windows machine)

Thanks for your kind remarks

Hope to help

Giuseppe

Hello Giuseppe,

I know this normally is a DNS issue. But before, we used another internet router. With that router everything worked fine. So I thought to solve it in the router and not in DNS. I don't know everything about DNS. I don't know if DNS can 'route' on specific ports. I have 5 or 6 servers that work on several ports.

thank you for your help

Richard

Maybe I can use a virtual NAT interface?

Hi,

Is it working with http?

from wan: http://sap.abcd.nl connects to the webserver.

from lan: http://sap.abcd.nl connects to the 1841 router.

This address is not configured in DNS. Before we used the 1841 router, all traffic from the LAN to http://sap.abcd.nl connected to the webserver through the WAN.

Hi,

Have you tried to reach the server by typing the IP address? (http://@ip)

LB

same result: not possible

steve_steele
Level 1

I think that you can do it using split DNS.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htspldns.html#wp1405225

Configure all internal clients to use the router as the dns server.

Configure the router to forward dns queries to your current dns server.

Configure the router with a static dns entry pointing to the local internal ip address of the web server.

HTH

Steve
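
An added example, not part of any post in this thread: a Python check of the static NAT entries from Richard's config, showing when a split-DNS record pointing at one inside address can stand in for the WAN address and when it cannot (the "can DNS route on ports" question). The function names and the sets of WAN ports tried per hostname are assumptions of this example.

```python
import re
from collections import defaultdict

# Static port forwards copied from the config posted in this thread.
CONFIG = """\
ip nat inside source static tcp 10.0.0.6 80 interface FastEthernet0/1 8080
ip nat inside source static tcp 10.0.0.5 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.0.0.5 443 interface FastEthernet0/1 443
ip nat inside source static tcp 10.0.0.13 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.0.0.6 21 interface FastEthernet0/1 21
"""

STATIC = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")

def parse_static_nat(text):
    """Return (proto, inside_ip, inside_port, wan_port) per static PAT line."""
    rules = []
    for line in text.splitlines():
        m = STATIC.match(line.strip())
        if m:
            proto, ip, lport, _ifname, gport = m.groups()
            rules.append((proto, ip, int(lport), int(gport)))
    return rules

def split_dns_plan(rules, wan_ports):
    """For the WAN ports one public hostname is used on, decide whether a
    single internal A record can replace the WAN address for LAN clients."""
    hosts = defaultdict(list)   # inside host -> WAN ports that land on it
    remapped = []               # forwards whose inside port differs
    for _proto, ip, lport, gport in rules:
        if gport in wan_ports:
            hosts[ip].append(gport)
            if lport != gport:
                remapped.append((gport, ip, lport))
    return {
        "inside_hosts": dict(hosts),
        "port_remapped": remapped,
        # DNS returns an address only: it works when every port used on
        # the name reaches the same inside host on the same port number.
        "single_record_ok": len(hosts) == 1 and not remapped,
    }

if __name__ == "__main__":
    rules = parse_static_nat(CONFIG)
    for ports in ({25, 443}, {80, 443}, {8080}):
        print(sorted(ports), split_dns_plan(rules, ports))
```

Where `single_record_ok` is false, each service needs its own internal hostname, and a remapped forward (WAN 8080 to inside 80) means LAN clients must use the inside port.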
