NAT issue - Can not access inside server by its Public IP from inside LAN (dns doctoring)

Ehsan M.
Level 1

Hi Experts,

I've a fairly urgent problem. The router is 2821 and is setup to perform static NAT from one internal ip address mapping to one external ip address for each of our servers (inside the LAN):

ip nat inside source static 192.168.0.210 *.*.*.210

ip nat inside source static 192.168.0.211 *.*.*.211

Servers all have internal ip addresses and each of them is represented to the outside world by its public ip address with the above command on the router. Here is the problem:

When I'm in a server (for example 192.168.0.210) and try to access other servers by their public ip addresses (i.e. *.*.*.211) the connection fails. However, when I try to access the same server by its private IP address (i.e. 192.168.0.211) it works!

My issue is I don't want to modify the Windows hosts file for a manual mapping (for example mail.mydomain.com goes to 192.168.0.211 rather than *.*.*.211) because we host many domains and it just doesn't make sense to do it one by one.

So we must be able to access our servers by their public IP addresses in order for our applications to work correctly.

Any advice would be highly appreciated.

Thanks,

Ehsan

10 Replies

Hi,

Do you want to access those servers by using the Public IP Address when you are in the Local LAN? Or do you want to access those servers by using the Public IP Address when you are in the internet (outside network)?

HTH,

Toshi

Hi Toshi,

I want to access them by their public IP addresses when I'm inside the LAN.

Hi,

Absolutely, you can connect by using private IP addresses. Okay, if you want to connect to those servers by using the Public IP Address when you are in the Local LAN, let's check what the router does.

Assuming that you are trying to connect to the Web server from the Internal LAN, and you're using the WAN ip address in the Static NAT statement for the web server:

1. Hosts try to get the IP address of the Web server via a DNS query sent to the DNS server.

2. Hosts receive the Public IP address of the Web server via the DNS reply.

3. Hosts try to connect to the Web server by using the Public IP address (it's the IP address of the WAN interface).

4. Router does not do anything to translate the ip address. You may think of it as hosts trying to connect to a local IP address on the router. So you will get nothing, or you will get the webpage of the router instead if http is enabled. So it won't work.

Assuming that you are trying to connect to the Web server from the Internal LAN, and you're using an ip address on the same subnet as the WAN interface in the Static NAT statement for the web server:

1. Hosts try to get the IP address of the Web server via a DNS query sent to the DNS server.

2. Hosts receive the Public IP address of the Web server via the DNS reply.

3. Hosts try to connect to the Web server by using the Public IP address on the same subnet as the WAN interface.

4. Router sends the packets out the WAN interface and does NAT overload to translate the source ip address. Router handles return packets by translating the destination back to private ip addresses and then routes them to the Internal LAN.

5. Router doesn't do anything about the Static NAT for the Web server in this process and the Webserver won't see any TCP/SYN packets from hosts. So it won't work.

Seems you need to use hosts files or set up your internal DNS.

HTH,

Toshi

"Assuming that you are trying to connect to the Web server from the Internal LAN, and you're using an ip address on the same subnet as the WAN interface in the Static NAT statement for the web server."

I think we're doing exactly the above. There is a web server sitting in the internal LAN (Internal IP: 192.168.0.211 and public IP: 10.10.10.211) and we want to be able to access it from another machine (Internal IP: 192.168.0.210 and Public IP: 10.10.10.210) on the same LAN BUT using the web server's PUBLIC ip address (which is 10.10.10.211). The public ip addresses are all in the same subnet as the WAN interface of the router itself (10.10.10.194).

You also mentioned "NAT overload". But we're NOT using any NAT overload command on the router. All I can see is the static NAT that I mentioned above. My question is: this to me is a very common scenario (you simply want to access your servers by their public DNS name) and I can't get my head around why it doesn't work.

So is this going to work at all? Should we use a NAT overload statement? Can we get the router so that for return traffic it returns the private ip address of the destination server?

Basically what should we do here?

Thanks,

Hi,

Okay, I will explain this to you.

Requirement:

Internal Host 192.168.0.210 wants to connect to Webserver 10.10.10.211.

Configurations are as follows:

!

ip nat inside source static 192.168.0.210 10.10.10.210   , Host

ip nat inside source static 192.168.0.211 10.10.10.211   , WebServer

!

1. A connection from 192.168.0.210 to 10.10.10.211.

2. Router translates Source: 192.168.0.210 ==> 10.10.10.210.

3. Return packet is Source: 10.10.10.211 and Dest: 10.10.10.210.

4. Router translates the return packet Dest: 10.10.10.210 back to Dest: 192.168.0.210.

5. Router forwards packets to 192.168.0.210.

In short, there is no connection to the WebServer at all.

P.S. You may want to check by using "debug ip nat detailed".

HTH,

Toshi

Thank you very much for the explanation. I now fully understand the problem.

So what would the solution be, if any? (Besides modifying the hosts file or having a completely different DNS server. We host 1000+ domains and clearly that is not an option.)

I think this post is exactly explaining my problem too:

https://supportforums.cisco.com/thread/9950?referring_site=kapi

The issue may be underlying NAT behavior with DNS name resolution.

When the DNS server returns the ip address of a destination to the router, shouldn't the router translate it to the private/local ip address which is configured as the static NAT entry?

Thanks,

Ehsan

Hi,

What I explained to you is the process that happens after you receive the Public IP address from the DNS reply. The link you provided is some kind of DNS Doctoring. It works perfectly on the ASA. If you want to try this on an IOS router, you can do it. You just have to make sure that you translate the source ip address as well, to let the router detect the destination port, which is the DNS port. You should try to test it. You may use "debug ip packet detailed" to see what happens. The concept behind this is that the router should modify the DNS reply to the private ip for you.

HTH,

Toshi

Toshi,

You hit the nail on the head! I think the issue here has something to do with DNS behavior with NAT. Note that this configuration used to work just fine until last weekend, when we assigned private ip addresses to our 2 DNS servers and started translating them with NAT (ip nat inside source static) on the router. Prior to that, they were just plugged into the switch module on the router, having Public ip addresses only, which was not a good design at all because of the security implications it had.

Now, ever since we're NATing our DNS servers as well, other internal servers cannot access hosts in the same WAN subnet when a hostname is resolved by the same DNS servers!

I think getting the router to return the private ip address of the destination server (instead of its public ip address) would pull it off! After all, it would be the same as changing the hosts file, right?

Can you please explain how to do that, for example for the NAT statement below?

ip nat inside source static 192.168.0.210 10.10.10.210

Hi,

You can test by using your existing configuration.

!

ip nat inside source static 192.168.0.210 10.10.10.210

ip nat inside source static 192.168.0.211 10.10.10.211

!

Just try to connect to the DNS server from this host, 192.168.0.210. The router should translate this source IP address first. Then try to see what happens with NAT by using "debug ip nat detailed". The important portion of the debug output when the return traffic is coming back would be as follows:

!

Additional record section:

NAT: DNS resource record 10.10.10.211 -> 192.168.0.211

NAT (UDP-DNS): After Translation

NAT: Translation of UDP DNS src , dst 10.10.10.210

NAT: Dns type of Response

  : dns len=38, id=1303, aa=0, tc=0, rd=1, ra=1

  : opcode=0, rcode=0, qdcount=1

   : ancount=1, nscount=0, arcount=0

    query name is toshi.domain.com, qtype=1,

Answer section:

    Name='your.domain.com'

    RR type=1,, ttl=0, data length=4

      IP=192.168.0.211

!

You should see the above output. If not, you may try a newer IOS to do so. Like I mentioned, you should try it and let us know how things work.

Good Luck,

Toshi
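As an added illustration of the DNS-doctoring step Toshi describes (this is not code from the thread or from Cisco IOS, which does this inside its NAT code path): a Python model of a router inspecting a DNS reply and rewriting any A record whose address is a static NAT outside address to the matching inside address, producing the same kind of "resource record 10.10.10.211 -> 192.168.0.211" change the debug output above shows. The NAT table, the hostname and the reply packet are constructed for the example.

```python
import struct
import ipaddress

# Constructed static NAT table: outside (public) -> inside (private),
# matching the two "ip nat inside source static" lines in the thread.
STATIC_NAT = {
    "10.10.10.210": "192.168.0.210",
    "10.10.10.211": "192.168.0.211",
}

def build_reply(name, addr, txid=1303):
    """Constructed DNS response: one question and one A answer (compression pointer name)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # qr=1 rd=1 ra=1, 1 Q, 1 A
    question = qname + struct.pack(">HH", 1, 1)                 # qtype=A, qclass=IN
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 0, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer

def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name starting at off."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:     # compression pointer: two bytes, terminates the name
            return off + 2
        if length == 0:               # root label terminates an uncompressed name
            return off + 1
        off += 1 + length

def doctor_reply(pkt, nat_table):
    """Rewrite A-record data in the answer section when it equals a NAT outside address.
    Returns (rewritten packet, list of (outside, inside) pairs changed). Records that
    do not match a static mapping are left untouched, as is everything else in the packet."""
    out = bytearray(pkt)
    _, _, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", pkt, 0)
    off = 12
    for _ in range(qdcount):                      # skip question section: name + type + class
        off = skip_name(pkt, off) + 4
    changed = []
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:             # A record: 4-byte IPv4 rdata
            outside = str(ipaddress.IPv4Address(pkt[off:off + 4]))
            inside = nat_table.get(outside)
            if inside:
                out[off:off + 4] = ipaddress.IPv4Address(inside).packed
                changed.append((outside, inside))
        off += rdlen
    return bytes(out), changed
```

Only the 4-byte rdata changes, so a client on 192.168.0.210 resolving the name now gets 192.168.0.211 and connects directly over the LAN, which is the effect the hosts-file workaround would have had.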
