03-13-2012 01:52 PM - edited 03-04-2019 03:39 PM
Hi, hope someone can help me with this.
I have an Exchange server with static PAT on VLAN1. The server is accessible from the internet, but not from the local VLAN1, because DNS points to the WAN IP. I solved that by putting an entry in the local DNS server for the internal IP of the Exchange server. This works great for PCs and laptops, but the problem is that it does not work for iPhones, iPads and some Nokia smartphones. Those devices keep their DNS entries for a long time, so a lot of people complain that they cannot get their email.
I already looked into the NAT on a stick solution but cannot get that working.
WAN IP:67.66.x.x
VLAN1 IP:192.168.115.253/24
VLAN2 IP: 10.96.45.254/24
Exchange server: 192.168.115.11
I already tried to create a loopback interface, but I cannot get it to NAT the traffic to the Exchange server. Can somebody please help me get this fixed?
Current NAT config:
interface FastEthernet0
description VLAN1SWITCH
no ip address
!
interface FastEthernet1
description VLAN2
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface GigabitEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip nat outside
ip virtual-reassembly in
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.115.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 10.96.45.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip nat pool LAN_TO_DMZ 10.96.45.96 10.96.45.223 netmask 255.255.255.0
ip nat inside source static tcp 192.168.115.11 80 interface GigabitEthernet0 80
ip nat inside source static tcp 192.168.115.11 443 interface GigabitEthernet0 443
ip nat inside source list 105 interface GigabitEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 pool LAN_TO_DMZ overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp
!
access-list 104 remark NAT pool DMZ
access-list 104 deny ip 10.96.45.0 0.0.0.255 10.16.0.0 0.0.255.255
access-list 104 permit ip 192.168.115.0 0.0.0.255 any
access-list 105 remark NAT pool INTERNET
access-list 105 deny ip 192.168.115.0 0.0.0.255 10.16.0.0 0.0.255.255
access-list 105 permit ip 192.168.115.0 0.0.0.255 any
!
route-map SDM_RMAP_2 permit 1
match ip address 104
!
03-17-2012 06:03 AM
Can you please explain what you are trying to achieve with the NAT on a stick?
03-17-2012 06:56 AM
I want to be able to use the WAN IP to access the Exchange server from the local LAN.
Currently it is only possible to access the Exchange server from the internet with the WAN IP, but from the LAN you have to use the LAN IP of the server.
Hope this explains my goal.
WAN interface= GigabitEthernet0
LAN interface= VLAN1 on FA0
03-17-2012 11:34 AM
I see the logic of what you're trying to accomplish, but it won't work with NAT. You have ip nat outside on gi0, and ip nat inside on both fa0 and fa1. One is your LAN devices, the other one is your Exchange server. You want to translate your LAN devices on fa1 to a 67 address in the hope that the traffic will reach your Exchange server with a source of 67, which is outside.
1. The nat inside on fa1 will translate every device on that VLAN, mobile devices or not, to the 67 address. So devices that were working will no longer work.
2. You're expecting the router to receive a 67 packet from fa1 as a source and resend it right back in to the Exchange server that has a 192 address. So if you look at that triangle it's not gonna work no matter how you NAT it, because the router will receive the 67 from fa1, then it won't know what to do with it because it cannot NAT in reverse. NAT = one direction per interface. So it will never translate the 67 to 192, and it will drop the packet.
I can think of one way that will work. It's to do a static nat for the exchange server to a specific 67 address. Not interface gi0. A static that is bidirectional, and I think your scenario will then work.
GL
08-17-2013 07:35 AM
Hello
Why would you want your internal clients to access this internal server by its public IP?
For these clients, maybe add the additional public server addresses to your existing DNS scope.
Regards,
Paul
Sent from Cisco Technical Support iPad App
08-17-2013 02:46 AM
You need to use the Cisco NAT Virtual Interface.
Example:
Your internal network web server is 192.168.1.10/24 on the router's Fa0; the router's Fa1 has the public IP address 1.1.1.1.
Here is what you need to configure on the NAT router to resolve your issue:
! LAN side: enable NVI (domainless) NAT instead of ip nat inside/outside
interface FastEthernet0
 ip nat enable
 no ip redirects
!
! WAN side
interface FastEthernet1
 ip nat enable
 no ip redirects
!
! static translation for the web server, valid regardless of which interface the traffic enters
ip nat source static tcp 192.168.1.10 80 1.1.1.1 80 overload
! overload the LAN clients so the server's replies return through the router
ip nat source list 1 interface FastEthernet0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
Now you can try to access 1.1.1.1:80 from the inside network.
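As an added example (not code from the thread or from Cisco), here is a small Python model of the two behaviours argued about above: the classic ip nat inside/outside static entry from the original config, where a LAN client's SYN to the public address never crosses a NAT domain and is simply delivered to the router itself, and the domainless NAT Virtual Interface form from the last post, where the destination is translated on ingress and the LAN source is overloaded on egress. The model is a simplification made for this example: only addresses and ports are tracked, overload keeps the original source port, and the rule "translate a LAN source to the address of the interface the packet leaves by" is an assumption used to show why the overload line matters. The WAN address 67.66.1.1, the client 192.168.115.50 and the remote host 203.0.113.5 are constructed; the server and VLAN1 gateway addresses are the ones posted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses modelled on the thread (SERVER and LAN_GW are the posted ones).
WAN_IP = "67.66.1.1"           # assumed DHCP-learned Gi0 address (poster wrote 67.66.x.x)
LAN_GW = "192.168.115.253"     # Vlan1 address from the posted config
SERVER = "192.168.115.11"      # Exchange server from the posted config
CLIENT = "192.168.115.50"      # assumed: an iPhone on VLAN1
INTERNET_HOST = "203.0.113.5"  # assumed: a remote client
LAN_NET = ipaddress.ip_network("192.168.115.0/24")
IFACE_IP = {"Gi0": WAN_IP, "Vlan1": LAN_GW}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    def reply(self):
        """What a host sends back: addressed to whatever source it saw."""
        return Packet(self.dst, self.src, self.dport, self.sport)


def route(dst):
    """Egress interface: Vlan1 for 192.168.115.0/24, the default route (Gi0) otherwise."""
    return "Vlan1" if ipaddress.ip_address(dst) in LAN_NET else "Gi0"


class ClassicNat:
    """'ip nat inside' on Vlan1, 'ip nat outside' on Gi0, plus the posted
    'ip nat inside source static tcp 192.168.115.11 443 interface Gi0 443'.
    Outside->inside: destination untranslated before routing.  Inside->outside:
    source translated after routing.  A packet entering and leaving on the inside
    crosses no domain, so no entry is consulted and 67.66.1.1 is just the router."""

    def __init__(self):
        self.static = {(SERVER, 443): (WAN_IP, 443)}
        self.static_rev = {g: l for l, g in self.static.items()}
        self.pat_rev = {}  # (global ip, port) -> (inside ip, port), filled by overload

    def forward(self, pkt, ingress):
        if ingress == "Gi0":
            local = self.static_rev.get((pkt.dst, pkt.dport)) or self.pat_rev.get((pkt.dst, pkt.dport))
            if local:
                pkt = Packet(pkt.src, local[0], pkt.sport, local[1])
        if pkt.dst in IFACE_IP.values():
            return "router", None  # delivered to the router itself, never forwarded
        egress = route(pkt.dst)
        if ingress == "Vlan1" and egress == "Gi0":
            key = (pkt.src, pkt.sport)
            gip, gport = self.static.get(key, (WAN_IP, pkt.sport))  # static or interface overload
            self.pat_rev.setdefault((gip, gport), key)
            pkt = Packet(gip, pkt.dst, gport, pkt.dport)
        return egress, pkt


class NviNat:
    """'ip nat enable' on both interfaces (NAT Virtual Interface), as in the last post:
    'ip nat source static tcp SERVER 443 WAN_IP 443' and
    'ip nat source list 1 interface <lan side> overload'.
    Modelled (assumption) as: on ingress any destination matching a global address
    is mapped back to its local address; on egress a LAN source is translated to the
    address of the interface the packet leaves by.  translate_source=False keeps only
    the static entry, to show what the overload line adds."""

    def __init__(self, translate_source=True):
        self.translate_source = translate_source
        self.static = {(SERVER, 443): (WAN_IP, 443)}
        self.static_rev = {g: l for l, g in self.static.items()}
        self.pat_rev = {}

    def forward(self, pkt, ingress):
        key = (pkt.dst, pkt.dport)
        local = self.static_rev.get(key) or self.pat_rev.get(key)
        if local:
            pkt = Packet(pkt.src, local[0], pkt.sport, local[1])
        if pkt.dst in IFACE_IP.values():
            return "router", None
        egress = route(pkt.dst)
        skey = (pkt.src, pkt.sport)
        if skey in self.static:
            gip, gport = self.static[skey]
        elif self.translate_source and ipaddress.ip_address(pkt.src) in LAN_NET:
            gip, gport = IFACE_IP[egress], pkt.sport  # access-list 1 permit 192.168.115.0/24
            self.pat_rev[(gip, gport)] = skey
        else:
            return egress, pkt
        return egress, Packet(gip, pkt.dst, gport, pkt.dport)


def hairpin(nat):
    """A VLAN1 client opens 67.66.1.1:443; returns what the client ends up seeing."""
    egress, fwd = nat.forward(Packet(CLIENT, WAN_IP, 50000, 443), "Vlan1")
    if fwd is None:
        return "SYN consumed by the router: no inside->outside crossing, nothing translated"
    synack = fwd.reply()  # the server answers the source address it saw
    if synack.dst != LAN_GW:
        # Same VLAN: the reply goes straight to the client, bypassing the router.
        return f"asymmetric: client sent to {WAN_IP} but the SYN/ACK comes from {synack.src}"
    _, back = nat.forward(synack, "Vlan1")
    return f"ok: client sees {back.src}:{back.sport} -> {back.dst}:{back.dport}"


def from_internet(nat):
    """A remote host opens 67.66.1.1:443; returns what the remote host sees back."""
    egress, fwd = nat.forward(Packet(INTERNET_HOST, WAN_IP, 40000, 443), "Gi0")
    _, back = nat.forward(fwd.reply(), egress)
    return f"{back.src}:{back.sport} -> {back.dst}:{back.dport}"


if __name__ == "__main__":
    for name, nat in [("classic", ClassicNat()), ("nvi static only", NviNat(False)), ("nvi", NviNat())]:
        print(f"{name:16} internet: {from_internet(nat)}")
        print(f"{name:16} hairpin:  {hairpin(nat)}")
```

Running it shows all three configurations serving the remote host identically, while the hairpin only completes in the NVI case with the overload line: without it the server answers the client directly with its 192.168.115.11 address, the client expected 67.66.1.1, and the connection is reset.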