cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1600
Views
0
Helpful
5
Replies

Hairpin Help - 887VA

sjsteve33171
Level 1
Level 1

Hi,

 

I’ve been looking around and can’t find a suitable solution or one I can understand and get the commands right and work.

 

The short of it is I’m hosting 3 VM’s at my house behind a 887vam. Outside the LAN I can access the services fine. Inside the lan I can not access them via the public DNS name but can via the internal IP.

 

What I need is to go to http://domain.com and get the page required when inside the LAN. As mentioned I’ve searched before asking but I can’t seem to get it right!

 

Someone please help?

 

Config:


Building configuration...

Current configuration : 5567 bytes
!
! Last configuration change at 20:30:23 UTC Wed Aug 14 2019 by cisco
! NVRAM config last updated at 20:30:25 UTC Wed Aug 14 2019 by cisco
! NVRAM config last updated at 20:30:25 UTC Wed Aug 14 2019 by cisco
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SteveHome
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-875695804
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-875695804
revocation-check none
rsakeypair TP-self-signed-875695804
!
!
crypto pki certificate chain TP-self-signed-875695804
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 38373536 39353830 34301E17 0D313930 38313432 30303331
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3837 35363935
38303430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B0570E37 FD347B08 6F3C47BF 7DF5FAF7 B7A6C7D0 3BCD34F0 AF879EAB 0FB1A8D5
FA5317B2 793A6D1E 7E18CDF5 5EAF6986 0CC06777 D7BEEC38 CC7473AC 496A6953
7F4E645D 7DE56AA1 5777E9B9 37DDA0E8 007E98D0 7451D6C9 5F16BB21 2542F547
734F5A02 8F68BFEE A32E60A5 BA763D8F D2081E72 DB3C08A2 8251997E 1D50EB67
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 1680146B B9B8EF57 863D2423 A4A44994 E0158811 B87EE630 1D060355
1D0E0416 04146BB9 B8EF5786 3D2423A4 A44994E0 158811B8 7EE6300D 06092A86
4886F70D 01010505 00038181 006AE881 C98C21DC BC5E9F0F 47D2F6B3 AAC4E5AB
FA62E70B 53481C6F 7DAA77C7 78DDB109 89279362 8E27488A 0AF7C802 AF372C07
82F58987 09A73DA0 4F22BDD3 69171808 CCDFCBC2 EF810176 C570B7BB 6CFA4100
C16B79E4 8B8EE297 28B7607E 7201522A 168178DE 4B3956E7 6E393C9D 05B20901
EB744369 197268B6 F96DCBD3 53
quit
!
!
!
ip dhcp excluded-address 172.16.9.1 172.16.9.20
!
ip dhcp pool Home
import all
network 172.16.9.0 255.255.255.0
default-router 172.16.9.1
dns-server 172.16.9.5 8.8.8.8 8.8.4.4
lease 0 8
!
ip dhcp pool UniFi
host 172.16.9.4 255.255.255.0
hardware-address 000c.297d.69ff
!
ip dhcp pool pi-hole
host 172.16.9.5 255.255.255.0
hardware-address 000c.29d3.1af5
!
!
!
ip name-server 172.16.9.5
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username ****** privilege 15 password 0 ******
!
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 172.16.9.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication pap chap ms-chap callin
ppp chap hostname *******
ppp chap password 0 ******
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat pool Pi-Hole 172.16.9.5 172.16.9.5 netmask 255.255.255.0 type rotary
ip nat pool UniFi-WiFi 172.16.9.4 172.16.9.4 netmask 255.255.255.0 type rotary
ip nat pool 3cx 172.16.9.6 172.16.9.6 netmask 255.255.255.0 type rotary
ip nat inside source list NAT interface Dialer1 overload
ip nat inside destination list 100 pool UniFi-WiFi
ip nat inside destination list 101 pool Pi-Hole
ip nat inside destination list 102 pool 3cx
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
ip access-list extended NAT
permit ip 172.16.9.0 0.0.0.255 any
!
!
access-list 100 permit tcp any any eq 8080
access-list 100 permit tcp any any eq 8443
access-list 100 permit tcp any any eq 8880
access-list 100 permit tcp any any eq 8843
access-list 100 permit tcp any any eq 8883
access-list 100 permit tcp any any eq 6789
access-list 100 permit udp any any eq 3478
access-list 100 permit udp any any eq 1900
access-list 100 permit udp any any eq 10001
access-list 100 permit udp any any range 5656 5699
access-list 101 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq 5060
access-list 102 permit udp any any eq 5060
access-list 102 permit tcp any any eq 5090
access-list 102 permit udp any any eq 5090
access-list 102 permit udp any any range 9000 10999
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 600 0
password ******
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp source Dialer1
ntp server 0.uk.pool.ntp.org
ntp server 2.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp server 3.uk.pool.ntp.org
!
end

5 Replies 5

As always, there are multiple ways to achieve that. I would:

  • enable the DNS-server on the router
  • configure the DNS-server with the needed FQDNs and the internal IPs
  • configure the DNS-server with public upstream servers (like OpenDNS)
  • point your local PCs DNS to the router IP

 

! the router has IP 10.255.255.1
!
ip domain name example.com
ip host example.com ns ns.example.com
ip host rtr.example.com 10.255.255.1
ip host ns.example.com 10.255.255.1
ip host www.example.com 10.255.255.80
ip name-server 208.67.222.222
!
ip dns server
ip dns primary example.com soa ns.example.com admin.example.com 21600 900 7776000 86400

Hi Again Karsten!

 

You’ve helped me before on an ASA. Thanks for the suggestion but I can’t use it as for certain reasons i need ALL DNS traffic to go through the server on 172.16.9.5, so having the server on Cisco can’t be a route I take.

 

Good idea though. Any other suggestions?

Then it's even easier. Just add the FQDNs with internal IPs to your internal DNS-server.

 

Hello

Another option would possible to using NVI NAT instead as its symmetrical (no inside/outside regards nat order of operation) and performs routing lookup twice, it should work with you internal hosts being able to access inside web servers via it external ip.

 

in vlanl
ip nat inside
ip nat enable

int dailer 1
ip nat outside
ip nat enable

ip nat inside source list NAT interface Dialer1 overload
ip nat inside destination list 100 pool UniFi-WiFi
ip nat inside destination list 101 pool Pi-Hole
ip nat inside destination list 102 pool 3cx


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

 

Thanks for the reply im half way there, however hit a snag with these commands:

 

ip nat destination list 100 pool UniFi-WiFi
ip nat destination list 101 pool Pi-Hole
ip nat destination list 102 pool 3cx-Jenners

 

It gives me an error:

 

SteveHome(config)#ip nat destination list 100 pool UniFi-WiFi
                                         ^
% Invalid input detected at '^' marker.

SteveHome(config)#ip nat destination list 101 pool Pi-Hole
                                         ^
% Invalid input detected at '^' marker.

SteveHome(config)#ip nat destination list 102 pool 3cx-Jenners
                                         ^
% Invalid input detected at '^' marker.

 

)#ip nat ?
Stateful                       Stateful NAT configuration commands
create                         Create flow entries
inside                          Inside address translation
log                              NAT Logging
outside                       Outside address translation
piggyback-support      NAT Piggybacking Support
pool                            Define pool of addresses
portmap                      Define portmap of portranges
service                        Special translation for application using non-standard port
sip-sbc                       SIP Session Border Controller commands
source                        Source address translation
translation                   NAT translation entry configuration

 

 

Which way shall i proceed?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: