Nat port forwarding

abolton291078
Level 1

Hi All,

I have a problem where internal hosts cannot access an internal webserver using the router's external interface address, which is forwarding to the internal webserver.

If Client1 browses to xxx.xxx.xxx.xxx then the port redirect works fine, but if the internal Client2 tries to browse to xxx.xxx.xxx.xxx then they get nothing, so internal clients cannot access it without using the internal address. Is there a way around this?

                                                                                      /---- WebServer (172.16.32.2)
Client1 ---- Internet ---- (fa0/0 xxx.xxx.xxx.xxx) Router1841 (fa0/1 172.16.32.1) ----<
                                                                                      \---- Client2   (172.16.32.100)

IOS version 12.4(10a)

The NAT rule:

ip nat inside source static tcp 172.16.32.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 172.16.32.2 443 interface FastEthernet0/1 443


cadet alain
VIP Alumni

Hi,

One workaround is DNS doctoring: you must have an A record for your public IP on an external DNS like Dyndns, for example, and your users will communicate with the service by name instead of IP.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

Yes, you're correct, I do access the webserver using a name, e.g. www.domain.com, so I add a record to point to the internal server. I was curious if there was a better way of doing this so services which I use IP addresses for would work also.

Hi,

It won't work by IP, as hairpinning isn't implemented on enterprise model routers from Cisco.

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

If you want to access any of your internal servers, like a webserver or message server, from external, you need to register those servers with an A record at ISP level with a specific public IP.

Say your web server is 10.30.30.2 and you want to access this from internal.

First of all you need to have a specific public IP, say 206.206.206.2; this public IP will be registered with a name like www.webserver.com as an A record at ISP level.

Now you need to NAT your private IP to the above public IP:

ip nat inside source static tcp 10.30.30.2 80 206.206.206.2 80

Once the above steps are done, you can access www.webserver.com from the internet.
The request first hits the A record which is placed at one ISP, then the ISP will route the request to your public IP (206.206.206.2, which is routed on the internet), then this public IP will route the request to your internal web server IP 10.30.30.2, as it is NATed with this IP.

Hope the above is clear and you understand.


Please rate the helpful posts.
Regards,
Naidu.
