07-09-2012 10:11 AM - edited 03-04-2019 04:55 PM
I'm trying to get (what I'm guessing is) inside NAT to NAT working. The users need to be able to RDP to a term serv by using the external WAN IP address only. So whether they are internal or external, they would use the WAN IP to access the terminal server (never using the local IP).
This would be pretty simple with an internal DNS Server, but we are using ISP provided DNS through our router. Google has led me to believe that the command "ip nat inside source static 10.0.0.5 1.2.3.4" should work, but it doesn't. In fact, when I add it in there, I lose a lot of routing capability. The following are the NAT rules I have set up so far:
ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source static tcp 10.0.0.2 443 1.2.3.4 443 extendable
ip nat inside source static tcp 10.0.0.5 3389 1.2.3.4 3389 extendable
After doing some googling for the last couple of days, I have tried and failed every method I've found. I attempted to setup a NAT Virtual Interface as mentioned on this post http://community.plus.net/forum/index.php?action=printpage;topic=75490.0, but once I removed the "ip nat inside source route-map nonat interface FastEthernet4 overload", I lost all new connections (seemingly because I had just disabled NAT somehow).
Any help would be greatly appreciated.
EDIT: Uploaded my current running config. If I ended up censoring something relevant, let me know.
07-09-2012 10:35 AM
Hi,
This is called hairpinning (accessing an inside server which is NATed, by its NATed address, from inside) and it is not available on Cisco routers, but normally DNS rewrite is available by default on Cisco routers, and so if the external IP has a DNS record on an external server then you should be able to access the server by name from inside or outside.
Regards.
Alain
Don't forget to rate helpful posts.
07-09-2012 10:40 AM
I believe we have an 800 series router and I had run across some posts referring to hairpinning and it being a feature of the ASA (I think). However, a number of other posts seem to think it was possible on the routers (such as the link I mentioned in my original post). If that's not the case, then I'll let my client know and we'll move on.
Also, unfortunately there is no domain for this client. Everything is solely IP based.
07-10-2012 06:52 AM
For those interested, I was able to resolve this problem using an 881 without any internal DNS solutions. I employed Cisco's NVI (Nat Virtual Interface) but had to add a "no ip redirect" to each interface with an IP address assigned to it.
Removed "ip nat outside/inside" from both interfaces and added "ip nat enable" and "no ip redirect". Added "ip nat source list INSIDE interface FastEthernet4 overload" and removed "ip nat inside source route-map nonat interface FastEthernet4 overload". I then copied the access-lists from "nonat" and added them into a new access-list called INSIDE.
Hopefully anyone else who has this problem may stumble upon this post and be able to resolve it with less google-fu than I needed.
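The NVI conversion described in the post above, written out as an added example (this is not the poster's running config). It assumes the inside LAN is 10.0.0.0/24 on Vlan1, the WAN is FastEthernet4 with public address 1.2.3.4, and that the nonat route-map's only match was the inside subnet; the interface-level command is spelled "no ip redirects" in IOS.

```cisco
! Added example, reconstructed from the steps in the post; not the poster's own config.
! Assumed: inside LAN 10.0.0.0/24 on Vlan1, WAN FastEthernet4 = 1.2.3.4.
!
! --- Remove the legacy inside/outside ("domain") NAT statements ---
no ip nat inside source route-map nonat interface FastEthernet4 overload
no ip nat inside source static tcp 10.0.0.2 443 1.2.3.4 443 extendable
no ip nat inside source static tcp 10.0.0.5 3389 1.2.3.4 3389 extendable
!
! --- ACL replacing the nonat route-map match (subnet assumed; copy the
!     real permit/deny lines from the ACL that nonat referenced) ---
ip access-list extended INSIDE
 permit ip 10.0.0.0 0.0.0.255 any
!
! --- NVI: every interface that takes part in NAT gets "ip nat enable" ---
interface Vlan1
 no ip nat inside
 ip nat enable
 no ip redirects
!
interface FastEthernet4
 no ip nat outside
 ip nat enable
 no ip redirects
!
! --- NVI translations: same rules, no inside/outside keyword ---
ip nat source list INSIDE interface FastEthernet4 overload
ip nat source static tcp 10.0.0.2 443 1.2.3.4 443 extendable
ip nat source static tcp 10.0.0.5 3389 1.2.3.4 3389 extendable
```

Verify with "show ip nat nvi translations" while an inside client is connected to 1.2.3.4:3389; the entry shows the client's source rewritten to 1.2.3.4 as well, because the overload rule also applies to hairpinned traffic, so the terminal server's logs will record the router's WAN address rather than the LAN client's address.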