
NAT to Internal server

isaiahchikuse
Level 1

Hi,

I have replaced my router from Mikrotik to Cisco.

On the Mikrotik we were able to reach the local server (https://my.domain.com) both on the LAN and from outside the network (NAT).

Now, after removing the Mikrotik router, we are able to reach the server (https://my.domain.com) when we are outside the network, but when we are on the LAN we can only reach it using the IP of the server instead of the name (https://my.domain.com).

 

Below is the config from the Mikrotik:

Action: masquerade
Chain: srcnat
Src address: 10.16.0.0/24
Dst address: 10.10.1.5
Dst port: 443

 

 

How can we translate the above config from the Mikrotik router and apply it on the Cisco router so that we can reach the server using https://my.domain.com?

Your assistance will be highly appreciated.

Regards,

8 Replies

You could solve this problem with some dirty NAT hacks, but the better way is to return the internal address of the server from your DNS server when your internal client asks for the FQDN my.domain.com.

Hello
@Karsten Iwen  Dirty hack tricks - LOL, I like to think of it as hairpinning!
@isaiahchikuse  on Cisco the most simplistic way apart from DNS dirty tricks (lol...) is to enable domainless NAT.

So instead of ip nat inside/outside domains you apply something like the following:
! WAN interface: replace the inside/outside domain with the NVI (domainless) mode
int x/x
description wan
no ip nat outside
ip nat enable

! LAN interface: same, so traffic can be translated in either direction
int y/y
description LAN
no ip nat inside
ip nat enable

! Replace the domain-based dynamic NAT rule with its domainless equivalent
no ip nat inside source list 10 interface x/x
ip nat source list 10 interface x/x


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

isaiahchikuse
Level 1

@paul driver we have a pool of IPs and are doing NAT overload.

For users outside the network we are doing port forwarding to the server (my.domain.com).

Can the setup you have described work with NAT overload and help to achieve this?

 

Regards,

Isaiah

Hello Isaiah

FYI - You don't need to use domainless (NVI) NAT to accomplish hairpinning, but it is much easier; however, if you would like to accomplish this with domain NAT then that is possible also.

 

Can you post your current NAT configuration in a file and attach it to this post please.



Kind Regards
Paul

isaiahchikuse
Level 1

Hi @paul driver ,

Kindly find the attached.

 

BR,

Isaiah

Hello

Can you confirm you have actual NAT translations, as I see a couple of issues with your NAT configuration as it is?

 

Your dynamic PAT statement is calling an access-list that doesn't exist (access-list 10):
ip nat inside source list 10 pool pool1-Nat overload

 

Your NAT pool looks like it's using APIPA, which is non-routable:
ip nat pool pool1-Nat 169.x.x.x 169.x.x.x netmask 255.255.255.0



Kind Regards
Paul
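The two problems Paul spots above (a NAT rule referencing an access-list that is never defined, and a pool drawn from the link-local/APIPA range) are easy to check mechanically before a config goes on a router. The script below is an added example, not the poster's attachment or anything from this thread; the sample config inside it is constructed, and the interface names and pool addresses are made up.

```python
"""Lint a Cisco IOS NAT configuration for the two problems raised in this thread:
a NAT statement referencing an ACL that is never defined, and a NAT pool drawn
from the link-local (APIPA) range 169.254.0.0/16, which is not routable."""
import ipaddress
import re

# Constructed sample config (not the poster's attachment); interface names and
# pool addresses are invented to trigger both checks.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description wan
 ip nat outside
interface GigabitEthernet0/1
 description LAN
 ip nat inside
ip nat pool pool1-Nat 169.254.10.1 169.254.10.10 netmask 255.255.255.0
ip nat inside source list 10 pool pool1-Nat overload
ip nat inside source static tcp 10.10.1.5 443 interface GigabitEthernet0/0 443
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
SRC_LIST_RE = re.compile(r"^ip nat (?:inside |outside )?source list (\S+) ")
ACL_RE = re.compile(r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def lint_nat_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means no problems were detected."""
    acls, pools, referenced = set(), {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):          # numbered or named ACL definition
            acls.add(m.group(1) or m.group(2))
        elif m := POOL_RE.match(line):       # ip nat pool NAME START END netmask MASK
            pools[m.group(1)] = (m.group(2), m.group(3))
        elif m := SRC_LIST_RE.match(line):   # dynamic NAT/PAT rule referencing an ACL
            referenced.append(m.group(1))
    findings = []
    for acl in referenced:
        if acl not in acls:
            findings.append(f"NAT source list references undefined access-list {acl}")
    for name, (start, end) in pools.items():
        if ipaddress.ip_address(start) in LINK_LOCAL or ipaddress.ip_address(end) in LINK_LOCAL:
            findings.append(f"NAT pool {name} uses link-local (APIPA) addresses {start}-{end}")
    return findings


if __name__ == "__main__":
    for finding in lint_nat_config(SAMPLE_CONFIG):
        print(finding)
```

The same function can be run over a `show running-config` capture; adding the missing `access-list 10` line and a routable pool makes it return an empty list.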

Attached is the NAT translation file...

BTW: This is what I mean by dirty hack. The config will get even more complex, and all this could be avoided with one simple DNS entry in your DNS server. And a more complex config is a less secure config.