IP NAT INSIDE VLAN Hostname Resolution Issue

epcomworld
Level 1

I am not sure if using IP NAT inside static or destination could fix this issue.  We are having issues with clients within the VLAN that use hostname resolution to access applications (all on the SAME static IP) being unable to access the pages from within the VLAN, while it works fine over the external LAN for all external global users.  nslookup shows the public IP address when checking the hostname, but the VLAN machines are unable to access it; it's not translating back to the internal address, etc.

 

ip nat inside source route-map FE0_General_Failover interface FastEthernet0 overload
ip nat inside source route-map GE8_General_Failover interface GigabitEthernet8 overload
ip nat inside source static tcp 192.168.0.200 81 55.55.55.55 81 extendable
ip nat inside source static tcp 192.168.0.201 443 55.55.55.55 443 extendable
ip nat inside source static tcp 192.168.0.202 8040 55.55.55.55 8040 extendable
ip nat inside source static tcp 192.168.0.202 8041 55.55.55.55 8041 extendable
ip nat inside source static tcp 192.168.0.203 8250 55.55.55.55 8250 extendable

(The static IP has been changed in the above example.)

route-map GE8_General_Failover permit 1
match ip address 1
match interface GigabitEthernet8
!
route-map FE0_General_Failover permit 1
match ip address 1
match interface FastEthernet0

 

Basically, we have ports opened so applications and services can be accessed via hostname externally.  An example of this is hr.mydomain.com.  All external users have no problem accessing the server.  However, the users in the VLAN are the ones that are not able to access the server via hostname automatically.  I know that with the DNS server on Windows Server I can add this hostname and point it to the private IP within the VLAN.  However, not all servers are on the DNS server within the VLAN, and some use public DNS servers such as 4.2.2.2 and 8.8.8.8.  The problem here is that when one of these stations goes to look up the domain, it gets the public IP address on GE8, then it says connection timeout and the connection never works.

 

Why is the Cisco router, with the NAT parameters above, not taking the request to the public IP address and sending it back into the internal one?


Previously these servers were running from a cheap D-Link environment and it had no problem allowing the VLAN users to connect to the servers via the hostname vs. static IP address.  It knew; why doesn't the Cisco?

 

I have read various DNS doctoring techniques; however, I cannot seem to get the router to work.

 

I just want a client within the VLAN using a public DNS server, when it returns the public static IP address, to just work.  This seems to work correctly when all applications have their own static IP address; however, we don't have enough access from the ISP to allow for multiple statics per application server, etc.  Obviously we will look into doing this, but why did the cheap D-Link make it so simple and the Cisco ISR make it so hard?

 

What is the work around to get this to work?

 

Keep me posted if you have any ideas.  Thank you.

 

Device: Cisco 891f-K9

25 Replies

Francesco Molino
VIP Alumni
Hi

Can you share the full config? I would like to see your acl 1 used for NAT.
Have you tried adding a few lines at the top of this acl to deny NAT for internal hosts to your router's public IP, here IP 55.55.55.55 based on the snippet given?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

 

As requested here is the running configuration:

 

hostname Test-Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf

!
no aaa new-model
clock timezone EST -5 0
!
!         
!
!
!
!


!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.200 192.168.0.254
!
ip dhcp pool internal
 network 192.168.0.0 255.255.255.0
 dns-server 192.168.0.213 4.2.2.2 8.8.8.8
 domain-name test.local
 default-router 192.168.0.1
 lease 14
!
!
!
ip domain name router.testrouter.local
ip cef
no ipv6 cef
!         
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9
!

!
!
!
!
!
ip ssh version 2
!         
class-map match-all Voice
 match ip dscp ef
!
policy-map EGNVoice
 class Voice
  priority 25000
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!         
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!         
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description 1GBPS Fiber
 ip address 55.55.55.56 255.255.255.0 secondary
 ip address 55.55.55.55 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 service-policy output EGNVoice
!
interface Vlan1
 ip address 192.168.0.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
ip default-gateway 55.55.55.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map FE0_General_Failover interface FastEthernet0 overload
ip nat inside source route-map GE8_General_Failover interface GigabitEthernet8 overload
ip nat inside source static tcp 192.168.0.200 81 55.55.55.55 81 extendable
ip nat inside source static tcp 192.168.0.201 443 55.55.55.55 443 extendable
ip nat inside source static tcp 192.168.0.202 8040 55.55.55.55 8040 extendable
ip nat inside source static tcp 192.168.0.202 8041 55.55.55.55 8041 extendable
ip nat inside source static tcp 192.168.0.203 8250 55.55.55.55 8250 extendable
ip route 0.0.0.0 0.0.0.0 55.55.55.1
!
!
route-map GE8_General_Failover permit 1
 match ip address 1
 match interface GigabitEthernet8
!
route-map FE0_General_Failover permit 1
 match ip address 1
 match interface FastEthernet0
!
access-list 1 permit 192.168.0.0 0.0.3.255

 

Let me know exactly what you would like to test and I'd be more than happy to try any configuration you think would allow the internal VLAN workstations (192.168.0.0 /255.255.252.0) to access the internal servers without error messages and DNS resolution problems when using the public DNS servers.

 

Thank you.

Francesco Molino
VIP Alumni
Hi

I saw an email with your reply but it seems you deleted it or there's an issue with the forum.
You're using a standard acl that's:
access-list 1 permit 192.168.0.0 0.0.3.255
This acl is used for your nat.

Try to remove that acl and use the following instead:
access-list 100 deny ip 192.168.0.0 0.0.3.255 host 55.55.55.55
access-list 100 deny ip 192.168.0.0 0.0.3.255 host 55.55.55.56
access-list 100 permit ip 192.168.0.0 0.0.3.255 any

Let me know if that works

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco, that did not work; the pages still do not load with the following statements:

 

access-list 100 permit ip 192.168.0.0 0.0.3.255 any
access-list 100 deny   ip 192.168.0.0 0.0.3.255 host 55.55.55.55
access-list 100 deny   ip 192.168.0.0 0.0.3.255 host 55.55.55.56

 

I did add the "ip" keyword into the statements you sent over below.  In addition, I did update the route maps.

 

However, the nslookup still returns the public IP address, but the page does not load.

 

Any other suggestions that you might have?  Willing to try anything.

Francesco Molino
VIP Alumni
Sorry, weird, I still don't see your last post.

You'll always receive an answer with the public IP when using nslookup, as your servers have public DNS, as you mentioned.

What IP are you receiving from nslookup?
While accessing your public server's IP, can you run show ip nat translation and paste the output?

Just to clarify, the goal is to access your servers with the public IP from the internal LAN, right?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

 

I agree; I went to the main page and the last post is not showing, you are correct.  I do not know why this is the case!  Very strange.

 

Yes, nslookup provides the public IP, 55.55.55.55.

 

Yes, the goal is to simply type in the hostname, which resolves to the public IP when using the public DNS servers or really any DNS servers (other than internal, which could obviously provide the public automatically).  If you try to access router.testrouter.com from outside the network it works fine with the static NAT rules.  I want LAN users to type in router.testrouter.com and have it work fine from the VLAN too.

 

I do not understand why a cheap consumer router will do it and this Cisco router will not.  The Cisco router knows that it is trying to get to the public IP address 55.55.55.55, but why doesn't it route it back in?  Or how do I tell the router to allow internal traffic to come back in?  Now I'm rambling, but you get my point.  And using a provided DNS server is not an option; it needs to be able to work independently.

 

Here are the IP NAT Translations:

do sh ip nat translations

Francesco Molino
VIP Alumni
Hi

I raised the weird issue to Cisco.

When you modified the acl, did you do a clear ip nat translation * ?
Can you share your actual config please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Again,

 

Yes, I did do that and the system is definitely messed up.  I did open a case with TAC on this matter last week and they promised to test it in the lab and get back to me tomorrow (Monday).  I hope they do, because I think it is crazy that a high-end router has issues doing this, but a D-Link router does it fine.  There must be some way to make it work; it just doesn't seem plausible.

 

The configuration in the latest state is as follows:

 

Current configuration : 4379 bytes
!
! Last configuration change at 21:34:26 EST Sun Dec 17 2017 by
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Test-Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
enable secret 5
enable password 7
!
no aaa new-model
clock timezone EST -5 0
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.200 192.168.0.254
!
ip dhcp pool internal
 network 192.168.0.0 255.255.255.0
 dns-server 192.168.0.213 4.2.2.2 71.243.0.12 68.237.161.12
 domain-name testrouter.local
 default-router 192.168.0.1
 lease 14
!
!
!
no ip domain lookup
ip domain name router.testrouter.local
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9
!
!
!
!
!
!
!
ip ssh version 2
!
class-map match-all Voice
 match ip dscp ef
!
policy-map EGNVoice
 class Voice
  priority 25000
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 ip address 96.253.18.131 255.255.255.0 secondary
 ip address 96.253.18.130 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 service-policy output EGNVoice
!
interface Vlan1
 ip address 192.168.0.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
ip default-gateway 96.253.18.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map FE0_General_Failover interface FastEthernet0 overload
ip nat inside source route-map GE8_General_Failover interface GigabitEthernet8 overload
ip nat inside source static tcp 192.168.0.200 81 96.253.18.130 81 extendable
ip nat inside source static tcp 192.168.0.201 443 96.253.18.130 443 extendable
ip nat inside source static tcp 192.168.0.202 8040 96.253.18.130 8040 extendable
ip nat inside source static tcp 192.168.0.202 8041 96.253.18.130 8041 extendable
ip nat inside source static tcp 192.168.0.203 8250 96.253.18.130 8250 extendable
ip nat inside source static tcp 192.168.0.216 48520 96.253.18.130 48520 extendable
ip nat inside source static tcp 192.168.0.217 48521 96.253.18.130 48521 extendable
ip nat inside source static tcp 192.168.0.218 48522 96.253.18.130 48522 extendable
ip route 0.0.0.0 0.0.0.0 96.253.18.1
!
!
route-map GE8_General_Failover permit 1
 match ip address 100
 match interface GigabitEthernet8
!
route-map FE0_General_Failover permit 1
 match ip address 100
 match interface FastEthernet0
!
snmp-server location Epcom RI, USA
snmp-server contact Epcom World Industries, Inc.
access-list 100 permit ip 192.168.0.0 0.0.3.255 any
access-list 100 deny   ip 192.168.0.0 0.0.3.255 host 96.253.18.130
access-list 100 deny   ip 192.168.0.0 0.0.3.255 host 96.253.18.131
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 password 7
 logging synchronous
 login
 no modem enable
line aux 0
 password 7
 login
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 privilege level 15
 password 7
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end

Hello,

 

On a side note, try and configure the below:

 

ip domain lookup
ip name-server 192.168.0.213
ip name-server 4.2.2.2
ip name-server 71.243.0.12
ip name-server 68.237.161.12

 

Don't forget to configure 'transport preferred none' on your con/aux/vty lines to avoid the annoying problem of having your router try to translate anything you erroneously type...

Hi

 

First of all, why are you using route-map? What do you want to achieve? 


route-map GE8_General_Failover permit 1
 match ip address 100
 match interface GigabitEthernet8
!
route-map FE0_General_Failover permit 1
 match ip address 100
 match interface FastEthernet0
!

 

Then, in terms of the acl, you added the permit at the top of the acl and the deny statements will never be hit. You need to have the permit statement at the end:


access-list 100 deny   ip 192.168.0.0 0.0.3.255 host 96.253.18.130
access-list 100 deny   ip 192.168.0.0 0.0.3.255 host 96.253.18.131
access-list 100 permit ip 192.168.0.0 0.0.3.255 any

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
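To make the ordering point concrete, here is an added Python model of how IOS walks an extended access list top to bottom and stops at the first match. It is example code written for this thread, not from the forum posters or from Cisco; it parses only the `ip` / wildcard / `host` / `any` syntax used in the two ACL variants quoted above (copied from the thread), and the test packets use addresses from the thread.

```python
"""First-match model of a Cisco IOS extended ACL (added example, not from the thread).

Shows why the permit-first ordering of access-list 100 selects a VLAN host's
traffic to the router's own public address for NAT overload, while the
deny-first ordering excludes it and still permits ordinary Internet traffic.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str             # "permit" or "deny"
    src: tuple[int, int]    # (network, wildcard) as 32-bit ints
    dst: tuple[int, int]


def _parse_addr(tokens: list[str], i: int) -> tuple[tuple[int, int], int]:
    """Parse one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2


def parse_acl(config_text: str) -> list[Entry]:
    """Turn 'access-list N permit|deny ip SRC DST' lines into entries, in order."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        # Skip blanks and any syntax this example does not model (ports, other protocols).
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append(Entry(tokens[2], src, dst))
    return entries


def _matches(spec: tuple[int, int], addr: int) -> bool:
    net, wildcard = spec
    # A wildcard bit of 1 means "don't care"; a 0 bit must equal the network's bit.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(entries: list[Entry], src_ip: str, dst_ip: str):
    """Return (action, index) of the first matching entry; (\"deny\", None) is the implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for idx, e in enumerate(entries):
        if _matches(e.src, s) and _matches(e.dst, d):
            return e.action, idx
    return "deny", None   # every IOS ACL ends with an implicit deny


# The two orderings as they appear in this thread.
ACL_AS_POSTED = """
access-list 100 permit ip 192.168.0.0 0.0.3.255 any
access-list 100 deny   ip 192.168.0.0 0.0.3.255 host 96.253.18.130
access-list 100 deny   ip 192.168.0.0 0.0.3.255 host 96.253.18.131
"""

ACL_CORRECTED = """
access-list 100 deny   ip 192.168.0.0 0.0.3.255 host 96.253.18.130
access-list 100 deny   ip 192.168.0.0 0.0.3.255 host 96.253.18.131
access-list 100 permit ip 192.168.0.0 0.0.3.255 any
"""


def nat_eligible(acl_text: str, src_ip: str, dst_ip: str) -> bool:
    """True if this ACL would select the flow for NAT overload (first-match permit)."""
    action, _ = evaluate(parse_acl(acl_text), src_ip, dst_ip)
    return action == "permit"


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        # VLAN host to the router's own public address: the hairpin case from the thread.
        print(label, "inside -> inside global NAT'd:",
              nat_eligible(acl, "192.168.0.102", "96.253.18.130"))
        # VLAN host to a public DNS server: must still be NAT'd either way.
        print(label, "inside -> Internet NAT'd:",
              nat_eligible(acl, "192.168.0.102", "4.2.2.2"))
```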

Hello All,

I have configured the ip name-server 4.2.2.2 option and the ip domain lookup is back in the config.

I have updated the access-list 100 to have the two deny options on top and the permit option 3rd on the list.

However, when trying to resolve the hostname within the VLAN still does not work.

The route-map is for another ISP that has not yet been installed, but will be soon.

Any other suggestions are welcome.

Ok I'm lost.

You said: "when trying to resolve the hostname within the VLAN still does not work"

What is your dns server?

Does this mean that when using nslookup you're not able to resolve the hostname to the right public IP?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

That statement should have said - when trying to access the hostname within the LAN the page does not load, though the DNS resolves it to the PUBLIC IP address of GE8.

The DNS Server is: 4.2.2.2 and even with 8.8.8.8 same thing.  The nslookup is as follows:

Server:  b.resolvers.Level3.net
Address:  4.2.2.2

Non-authoritative answer:
Name:    test.domain.com
Address:  96.253.18.130

When doing a debug ip nat detail I get this statement and I do not know why the router has 0.0.0.0 (local address) in it:

*Dec 18 16:42:31.872: NAT*: TCP s=3389->47525, d=64289
*Dec 18 16:42:31.872: NAT*: s=192.168.0.200->96.253.18.130, d=73.142.85.98 [15194]
*Dec 18 16:42:31.872: NAT*: i: tcp (192.168.0.200, 3389) -> (73.142.85.98, 64289) [15195]
*Dec 18 16:42:31.872: NAT*: TCP s=3389->47525, d=64289
*Dec 18 16:42:31.872: NAT*: s=192.168.0.200->96.253.18.130, d=73.142.85.98 [15195]
*Dec 18 16:42:31.908: NAT*: o: tcp (73.142.85.98, 50281) -> (96.253.18.130, 443) [12832]
*Dec 18 16:42:31.908: NAT*: s=73.142.85.98, d=96.253.18.130->192.168.0.201 [12832]
*Dec 18 16:42:31.912: NAT*: o: tcp (73.142.85.98, 64289) -> (96.253.18.130, 47525) [12833]
*Dec 18 16:42:31.912: NAT*: TCP s=64289, d=47525->3389
*Dec 18 16:42:31.912: NAT*: s=73.142.85.98, d=96.253.18.130->192.168.0.200 [12833]
*Dec 18 16:42:31.916: NAT: API parameters passed: src_addr:192.168.0.200, src_port:0 dest_addr:96.253.18.130, dest_port:0, proto:6 if_input:Vlan1 pak:E85C1C0 get_translated:1
*Dec 18 16:42:31.916: NAT - SYSTEM PORT for 96.253.18.130: allocated port 0, refcount 37098, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 37098, proto 6
*Dec 18 16:42:31.916: NAT: API parameters passed: src_addr:192.168.0.200, src_port:0 dest_addr:96.253.18.130, dest_port:0, proto:6 if_input:Vlan1 pak:E85C1C0 get_translated:1
*Dec 18 16:42:31.916: NAT - SYSTEM PORT for 96.253.18.130: allocated port 0, refcount 37099, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 37099, proto 6
*Dec 18 16:42:31.924: NAT*: i: tcp (192.168.0.201, 443) -> (73.142.85.98, 50281) [3326]
*Dec 18 16:42:31.924: NAT*: s=192.168.0.201->96.253.18.130, d=73.142.85.98 [3326]
*Dec 18 16:42:31.932: NAT*: i: tcp (192.168.0.200, 3389) -> (73.142.85.98, 64289) [15196]
*Dec 18 16:42:31.932: NAT*: TCP s=3389->47525, d=64289
*Dec 18 16:42:31.932: NAT*: s=192.168.0.200->96.253.18.130, d=73.142.85.98 [15196]
*Dec 18 16:42:31.932: NAT*: i: tcp (192.168.0.200, 3389) -> (73.142.85.98, 64289) [15197]
*Dec 18 16:42:31.932: NAT*: TCP s=3389->47525, d=64289
*Dec 18 16:42:31.932: NAT*: s=192.168.0.200->96.253.18.130, d=73.142.85.98 [15197]
*Dec 18 16:42:31.932: NAT*: i: tcp (192.168.0.200, 3389) -> (73.142.85.98, 64289) [15198]

In the above debug, server 192.168.0.200 was using Firefox to access the server via hostname running on 192.168.0.202.  Publicly this works, but within the VLAN you cannot get the browser to open the page with the hostname.  You would either have to use the public IP address or a DNS Server that has the rule in it with the internal VLAN IP to make it work.  I have edited the Windows Host File and it works fine, but that is not a solution for a network with 0.0.3.255 devices.

Continue to keep me posted on your thoughts.  Thanks.

Peter Paluch
Cisco Employee

Friends,

Please allow me to join.

@epcomworld: If my understanding is correct, you want to have your internal hosts talk to your internal servers using their apparent public IP address because that is what they learn when they resolve their names in DNS.

For such communication to occur successfully, one of the following alternatives would need to be true:

  • The servers are configured with their appropriate public IP addresses as additional IP addresses they have, on top of their existing private IP addresses. For packets from inside hosts targeted to the public server IP addresses, the router would merely route these packets to the appropriate servers using their private IP addresses as next hops. As the servers would be owning both their private and their public IP addresses, they would accept the packets, process them as usual, and respond to the clients directly. This would be accomplished using PBR (Policy-Based Routing), and NAT would not play a role here.
  • The servers are configured only with their private IP addresses. For packets from inside hosts targeted to the public server IP addresses, the router would translate the destination IP address from the public IP address to the private IP address. However, the router would also need to translate the source IP address of these packets to a fictitious IP range to cause the servers to respond to clients through the router and not directly; if the source IP addresses were not changed, the communication would fail because the clients would attempt to talk to the servers using their public IPs but would be receiving responses from their private IPs, and would drop them as unexpected. Essentially, this would require a double NAT. Based on the nature of NAT on Cisco IOS-based devices, this alternative would be cumbersome and unintuitive to configure, and I would personally recommend avoiding it at all if possible.

Note that currently, your NAT configuration does not apply to this communication at all. For Cisco NAT to kick into action in the inside-to-outside direction, a packet coming in through an ip nat inside interface would need to be routed out through an ip nat outside interface in order to be subject to NAT. Note that currently, this is not happening at all: For the intended inside-to-outside direction, packets from 192.168.0.0/22 coming in through interface Vlan1 destined to either 96.253.18.130 or 96.253.18.131 are not routed out through Gi8 at all - rather, they are consumed by the router itself because the router is the owner of both IP addresses, hence, no NAT is done here. For the outside-to-inside direction, the NAT is performed first and routing second, so that's why your static NAT entries work for outside hosts.

The PBR solution would require first that the servers are configured with their corresponding public IP address as their secondary IP address. Ideally, if possible, this IP address should be added to some kind of a virtual interface on these servers, perhaps a loopback - this is to avoid the servers reporting IP address conflicts if multiple servers had the same public IP address configured on their Ethernet NIC in the same VLAN.

After this is done, the PBR on the router would be configured along the following lines:

ip access-list extended 130_tcp_81
  permit tcp any host 96.253.18.130 eq 81
!
ip access-list extended 130_tcp_443
  permit tcp any host 96.253.18.130 eq 443
!
ip access-list extended 130_tcp_8040
  permit tcp any host 96.253.18.130 eq 8040
!
ip access-list extended 130_tcp_8041
  permit tcp any host 96.253.18.130 eq 8041
!
ip access-list extended 130_tcp_8250
  permit tcp any host 96.253.18.130 eq 8250
!
ip access-list extended 130_tcp_48520
  permit tcp any host 96.253.18.130 eq 48520
!
ip access-list extended 130_tcp_48521
  permit tcp any host 96.253.18.130 eq 48521
!
ip access-list extended 130_tcp_48522
  permit tcp any host 96.253.18.130 eq 48522
!
route-map PBR-Vlan1 permit 10
  match ip address 130_tcp_81
  set ip next-hop 192.168.0.200
!
route-map PBR-Vlan1 permit 20
  match ip address 130_tcp_443
  set ip next-hop 192.168.0.201
!
route-map PBR-Vlan1 permit 30
  match ip address 130_tcp_8040
  set ip next-hop 192.168.0.202
!
route-map PBR-Vlan1 permit 40
  match ip address 130_tcp_8041
  set ip next-hop 192.168.0.202
!
route-map PBR-Vlan1 permit 50
  match ip address 130_tcp_8250
  set ip next-hop 192.168.0.203
!
route-map PBR-Vlan1 permit 60
  match ip address 130_tcp_48520
  set ip next-hop 192.168.0.216
!
route-map PBR-Vlan1 permit 70
  match ip address 130_tcp_48521
  set ip next-hop 192.168.0.217
!
route-map PBR-Vlan1 permit 80
  match ip address 130_tcp_48522
  set ip next-hop 192.168.0.218
!
interface Vlan1
  ip policy route-map PBR-Vlan1

The remaining configuration would remain in place.

The point of this configuration is to have the router forward the packets from inside clients targeted for the specific public destination IP addresses and ports (note - no NAT, just route) to their corresponding private IP counterparts. Because there will be no NAT involved, the public destination addresses of these packets won't be changed, and so the servers must be listening to those public IP addresses. Also, because the client source IP addresses will also remain unchanged, the servers will respond to the internal clients directly, not even through the router.

This solution is arguably cumbersome; however, the overall design where internal clients need to talk to internal servers using their public IP address is problematic in itself, so the configuration becomes more quirky, too.

My $0.02...

Best regards,
Peter
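A small Python model of the order of operations Peter describes above, added here as an example for this page and not taken from the thread or from IOS: inside-to-outside packets are routed first and translated only when they leave an ip nat outside interface, outside-to-inside packets are translated first and routed second, and the PBR alternative steers packets toward the server's private address without touching the header. The addresses, ports, interface names and static NAT entries are the ones quoted in the thread; the routing table, the reuse of the static table as the PBR map and the PAT port choice are this model's assumptions.

```python
"""Toy model of the Cisco IOS NAT / PBR order of operations discussed in the
thread.  Added example, not router code.  Addresses, ports and interface names
are those quoted in the thread; the data structures, the two-entry routing
table and the PAT port choice are assumptions of this model."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


ROUTER_OWNED = {"96.253.18.130", "96.253.18.131"}  # public IPs the router itself holds
NAT_INSIDE = {"Vlan1"}
NAT_OUTSIDE = {"GigabitEthernet8", "FastEthernet0"}
OVERLOAD_IP = "96.253.18.130"                       # Gi8 address used by the overload rule
# ip nat inside source static tcp <private> <port> <public> <port>, keyed by the public side
STATIC_NAT = {
    ("96.253.18.130", 81): ("192.168.0.200", 81),
    ("96.253.18.130", 443): ("192.168.0.201", 443),
    ("96.253.18.130", 8040): ("192.168.0.202", 8040),
    ("96.253.18.130", 8041): ("192.168.0.202", 8041),
    ("96.253.18.130", 8250): ("192.168.0.203", 8250),
}
STATIC_REV = {priv: pub for pub, priv in STATIC_NAT.items()}  # private side -> public side


def route(dst):
    """Assumed routing table: router-owned -> None, 192.168.0.0/22 -> Vlan1, else Gi8."""
    if dst in ROUTER_OWNED:
        return None
    o = [int(x) for x in dst.split(".")]
    if o[0] == 192 and o[1] == 168 and o[2] < 4:
        return "Vlan1"
    return "GigabitEthernet8"


def pbr_next_hop(pkt):
    """Peter's PBR-Vlan1 route-map: (public dst, port) -> set ip next-hop <private server>.
    The thread's static NAT table carries the same pairs, so it is reused here (assumption)."""
    return STATIC_NAT.get((pkt.dst, pkt.dport), (None, None))[0]


def forward(pkt, ingress, pbr=False):
    """Return (outcome, egress interface, packet as it leaves the router, next hop)."""
    if ingress in NAT_OUTSIDE:
        # outside -> inside: NAT first (static entries), then routing
        priv = STATIC_NAT.get((pkt.dst, pkt.dport))
        if priv:
            pkt = replace(pkt, dst=priv[0], dport=priv[1])
        egress = route(pkt.dst)
        return ("forwarded" if egress else "consumed", egress, pkt, pkt.dst if egress else None)

    # inside -> outside: PBR on the ingress interface, then routing, then NAT on egress
    if pbr and ingress == "Vlan1":
        nh = pbr_next_hop(pkt)
        if nh:
            # routed toward the server's private address; the IP header is left untouched
            return ("forwarded-pbr", route(nh), pkt, nh)
    egress = route(pkt.dst)
    if egress is None:
        # the router owns the destination, so it answers itself and NAT never runs
        return ("consumed", None, pkt, None)
    if ingress in NAT_INSIDE and egress in NAT_OUTSIDE:
        pub = STATIC_REV.get((pkt.src, pkt.sport))
        if pub:
            pkt = replace(pkt, src=pub[0], sport=pub[1])   # static entry, server -> outside
        else:
            pkt = replace(pkt, src=OVERLOAD_IP, sport=40000 + pkt.sport % 1000)  # PAT (port choice assumed)
    return ("forwarded", egress, pkt, pkt.dst)


def scenarios():
    """The flows discussed in the thread: outside client, server reply, inside client with and without PBR."""
    return {
        "outside->server": forward(Packet("73.142.85.98", 50281, "96.253.18.130", 443), "GigabitEthernet8"),
        "server->outside": forward(Packet("192.168.0.201", 443, "73.142.85.98", 50281), "Vlan1"),
        "inside->public_ip": forward(Packet("192.168.0.200", 47525, "96.253.18.130", 443), "Vlan1"),
        "inside->public_ip_pbr": forward(Packet("192.168.0.200", 47525, "96.253.18.130", 443), "Vlan1", pbr=True),
        "inside->internet": forward(Packet("192.168.0.200", 47000, "8.8.8.8", 53), "Vlan1"),
    }


if __name__ == "__main__":
    for name, (outcome, egress, pkt, nh) in scenarios().items():
        print(f"{name:22} {outcome:14} egress={egress} next-hop={nh} "
              f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The inside client's packet to 96.253.18.130:443 ends in "consumed" with no translation, which is the behaviour the debug output in the thread reflects, while the same packet with the PBR map applied is handed to 192.168.0.201 with its destination still set to the public address, so the server only answers if it owns that address as Peter describes.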