NAT/PAT loopback

johan_th01
Level 1

Hi, hope someone can help me with this.

I have an Exchange server with static PAT on VLAN1. The server is accessible from the internet, but not from the local VLAN1 because DNS points to the WAN IP. I solved that by putting an entry in the local DNS server pointing to the internal IP of the Exchange server. This works great for PCs and laptops, but the problem is that it does not work for iPhones, iPads and some Nokia smartphones. Those devices keep their DNS entries for a long time, so a lot of people complain that they cannot get their email.

I already looked into the NAT on a stick solution but cannot get that working.

WAN IP:67.66.x.x

VLAN1 IP:192.168.115.253/24

VLAN2 IP: 10.96.45.254/24

Exchange server: 192.168.115.11

I already tried to create a loopback interface, but I cannot get it to NAT the traffic to the Exchange server. Can somebody please help me to get this fixed?

Current nat config:

interface FastEthernet0
description VLAN1SWITCH
no ip address
!
interface FastEthernet1
description VLAN2
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface GigabitEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip nat outside
ip virtual-reassembly in
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.115.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 10.96.45.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!

ip nat pool LAN_TO_DMZ 10.96.45.96 10.96.45.223 netmask 255.255.255.0
ip nat inside source static tcp 192.168.115.11 80 interface GigabitEthernet0 80
ip nat inside source static tcp 192.168.115.11 443 interface GigabitEthernet0 443
ip nat inside source list 105 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 pool LAN_TO_DMZ overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp
!
access-list 104 remark NAT pool DMZ
access-list 104 deny   ip 10.96.45.0 0.0.0.255 10.16.0.0 0.0.255.255
access-list 104 permit ip 192.168.115.0 0.0.0.255 any
access-list 105 remark NAT pool INTERNET
access-list 105 deny   ip 192.168.115.0 0.0.0.255 10.16.0.0 0.0.255.255
access-list 105 permit ip 192.168.115.0 0.0.0.255 any
!
route-map SDM_RMAP_2 permit 1
match ip address 104
!

5 Replies

Marwan ALshawi
VIP Alumni

Can you please explain what you are trying to achieve with the NAT on a stick?

I want to be able to use the WAN IP to access the Exchange server from the local LAN.

Currently it is only possible to access the Exchange server from the internet with the WAN IP, but from the LAN you have to use the LAN IP of the server.

Hope this explains my goal.

WAN interface= GigabitEthernet0

LAN interface= VLAN1 on FA0

I see the logic of what you're trying to accomplish, but it won't work with NAT. You have an ip nat outside on gi0, and ip nat inside on both fa0 and fa1. One is your LAN devices, the other one is your Exchange server. You want to translate your LAN devices on fa1 to a 67 address in hopes that the traffic will reach your Exchange server with a source of 67, which is outside.

1. The nat inside on fa1 will translate every device on that VLAN, mobile devices or not, to the 67 address. So devices that were working will no longer work.

2. You're expecting the router to receive a 67 packet from fa1 as a source and resend it right back in to the Exchange server that has a 192 address. So if you look at that triangle, it's not gonna work no matter how you NAT it. Because the router will receive the 67 from fa1, then it won't know what to do with it because it cannot NAT in reverse. NAT = one direction per interface. So it will never translate the 67 to 192, and it will drop the packet.

I can think of one way that will work. It's to do a static NAT for the Exchange server to a specific 67 address, not interface gi0. A static that is bidirectional, and I think your scenario will then work.

GL

Hello

Why would you want your internal clients to access this internal server by its public IP?

For these clients, maybe add additional public server addresses to your existing DNS scope.

Res
Paul

Sent from Cisco Technical Support iPad App


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

You need to use the Cisco NAT virtual interface.

Example:

Your internal network web server IP is 192.168.1.10/24 on router Fa0; Fa1 has the public IP address 1.1.1.1.

Here is what you need to configure on the NAT router to resolve your issue:

int fa0
ip nat enable
no ip redirects
int fa1
ip nat enable
no ip redirects
ip nat source static tcp 192.168.1.10 80 1.1.1.1 80 overload
ip nat source list 1 interface fa0 overload
access-list 1 permit 192.168.1.0 0.0.0.255

Now you can try accessing 1.1.1.1:80 from the inside network.
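The two replies above make opposite claims about the same hairpin flow: the classic `ip nat inside`/`ip nat outside` reply says the packet can never be turned back toward the server, while the NVI reply says `ip nat enable` on every interface fixes it. The toy model below is an added example, not Cisco code and not from anyone in this thread; it only simulates the translation decision so the two behaviours can be compared side by side. The LAN 192.168.115.0/24 and the server 192.168.115.11 are from the question; 67.66.0.1 is a constructed stand-in for the thread's 67.66.x.x WAN address, 192.168.115.50 is a constructed client, and the `Packet`/`classic_nat`/`nvi_nat` names are mine.

```python
"""Toy model of why a NAT hairpin fails with domain-based NAT but works with NVI.

Added example for this thread; it is not Cisco code and does not run on a
router.  It models two things from the replies above:
  * classic NAT ('ip nat inside' / 'ip nat outside'): a packet entering an
    inside interface only gets its *source* translated, so a LAN client that
    sends to the public address never has that destination rewritten back to
    the Exchange server;
  * NAT Virtual Interface ('ip nat enable' on every interface): translation is
    applied after routing regardless of ingress, so both the destination
    (static entry) and the source (overload list) are rewritten.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_IP = "67.66.0.1"                  # constructed stand-in for 67.66.x.x
EXCHANGE = "192.168.115.11"           # from the thread
LAN = ip_network("192.168.115.0/24")  # the 'access-list ... permit' source range


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Static PAT entry: public WAN_IP:443 <-> inside local EXCHANGE:443
# (mirrors 'ip nat inside source static tcp 192.168.115.11 443 ... 443').
GLOBAL_TO_LOCAL = {(WAN_IP, 443): (EXCHANGE, 443)}


def classic_nat(pkt: Packet, ingress: str) -> Optional[Packet]:
    """Domain-based NAT.  Returns the forwarded packet, or None if the router
    cannot deliver it to the server."""
    if ingress == "outside":
        # Outside -> inside: the static entry translates the destination.
        local = GLOBAL_TO_LOCAL.get((pkt.dst, pkt.dport))
        if local is None:
            return None          # nothing maps this public port
        return replace(pkt, dst=local[0], dport=local[1])
    # Inside -> outside: only the source is translated (overload to WAN_IP);
    # the destination is never looked up in the inside-global table.
    out = replace(pkt, src=WAN_IP) if ip_address(pkt.src) in LAN else pkt
    if out.dst == WAN_IP:
        # Destination is the router's own address: the packet is consumed by
        # the router and never re-translated toward 192.168.115.11.
        return None
    return out


def nvi_nat(pkt: Packet) -> Packet:
    """NAT Virtual Interface: the same rules, but applied to every packet after
    routing, regardless of which interface it arrived on."""
    out = pkt
    local = GLOBAL_TO_LOCAL.get((out.dst, out.dport))
    if local is not None:            # 'ip nat source static tcp ... <public> 443'
        out = replace(out, dst=local[0], dport=local[1])
    if ip_address(out.src) in LAN:   # 'ip nat source list 1 interface ... overload'
        # The source is rewritten too, so the server answers the router and the
        # reply is un-translated on the way back instead of going straight to
        # the client (which would reset a connection it opened to WAN_IP).
        out = replace(out, src=WAN_IP)
    return out


def demo():
    # Constructed: a phone on VLAN1 that still resolves the name to the WAN IP.
    hairpin = Packet(src="192.168.115.50", dst=WAN_IP, dport=443)
    print("classic, LAN client -> WAN IP:", classic_nat(hairpin, "inside"))
    print("NVI,     LAN client -> WAN IP:", nvi_nat(hairpin))
    return classic_nat(hairpin, "inside"), nvi_nat(hairpin)


if __name__ == "__main__":
    demo()
```

Running it shows `None` for the classic case (the hairpin packet is addressed to the router itself and no inside-destination translation applies on an inside interface) and a packet with source 67.66.0.1 and destination 192.168.115.11 for the NVI case. The source rewrite in the NVI path is the part people tend to leave out: without the overload entry on the LAN source, the server would see the client's real address, answer it directly, and the client would receive a reply from 192.168.115.11 for a connection it opened to the WAN IP.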
