Beginner

Need to Access Apps from Inside network Using public IP

Hi all,

Please help me on this.

We have a Cisco router in our network. We have configured many port forwardings on the router and all are working fine. One of my applications is forwarded to port 8080 from outside to inside. We can access that application from the external network using the public IP, and we can also access it from the inside network using the private IP. My requirement is that I need to access the same application from the inside network using the public IP. How can I do that?

 

Regards,

Ejaz Ahmed

 

Frequent Contributor

This seems to be a DNS problem. I would think that from inside, the DNS server would supply the inside IP address, whereas public users would use public DNS with the public IP. Another way would be to go out from inside via a different Internet router, so the traffic can be routed back in.

Hello

I believe it is to do with the way Domain NAT works regarding inside and outside NAT order.

Accessing the application via the internal subnet is fine as no NAT is occurring; however, when you need to access the same application via its external NATted address from within the internal LAN itself, the way NAT is performed could be the problem.

 

My understanding of this may be incorrect, so I hope someone on these forums will be able to validate these next steps:

 

Domain NAT
Inside NAT - routing performed before NAT
Outside NAT - NAT performed before routing

1) Packet is initiated from an inside LAN towards a NATted outside IP address

2) Outside NAT occurs and then a RIB table lookup is performed, then it is routed to the destination inside IP

3) The returning packet performs a RIB table lookup first BEFORE NAT occurs and sees that the destination address is on its local subnet, so NAT is NOT initiated on the returning path and it routes locally

4) The returning packet will be dropped because the router sees that the returning packet's src address is different than the NATted address the router is expecting.

Domain-less NAT

2 routing lookups are performed, before and after translation, so the returning packet will be successful due to these RIB lookups and translation being performed the same in either direction.

 

FYI - I have labbed this up regards Domain-less Nat and it seems to work - please review the attached file.

 

As I have stated this may be incorrect and I hope someone else could validate this.

res

Paul

 

 

 

 

 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

Thanks again for the information......:) :) :)


Hi Ejaz,

FYI.

Try using NAT Virtual Interface, which could provide a resolution for your query.

Regards,

Thomas

 

VIP Mentor

Hello

Sounds like Destination NAT could be applicable -  in relation to the order of NAT - however never tried this with domain NAT

inside nat - Routing first
outside nat - Nat occurs first

ip nat outside source static tcp (public-ip) (translated local-ip) 80

ip route (translated local-ip) 255.255.255.255 (public-ip)

 

res

Paul



kind regards
Paul


Hi Paul,

Thank you for the reply. I have tried the same, but didn't work....

Regards,

Ejaz


Hello

Okay, try domain-less NAT instead.

here

res

Paul

 

 



kind regards
Paul


Great.....!!!!!!!!!! It worked. Thank you so much Paul for the help. Now I can access the apps with the public IP from inside as well as outside. Many thanks.....


Ejaz,

 

Can you please post the config of the router with the changes in place that allows you to access inside apps using the public ip?

I have the same issue and I just can't make it work... I am missing something and I can't figure it out. My current config is attached.

 

Thanks,

Claudiu


Hi Claudiu,

Just saw your post...

Please see attached the config file.

 

Regards,

Ejaz

 


Thank you Ejaz!!!

I was missing the "no ip redirects" line on my router interfaces. Not sure how this works but now everything is fine.

Again... Thank you!!!!

Best Regards,

Claudiu
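
The domain-less NAT (NAT Virtual Interface) setup discussed in this thread, sketched as an added example; it is not the attached config from Ejaz or Paul, which is not reproduced on this page. The interface names, the ACL name and all addresses (RFC 5737 documentation range for the public side) are assumptions; only port 8080 and the "no ip redirects" line come from the posts above.

```cisco
! Constructed example. Remove any existing "ip nat inside" / "ip nat outside"
! statements first: NVI replaces the inside/outside domains with "ip nat enable".
!
interface GigabitEthernet0/0
 description WAN (assumed name and address)
 ip address 203.0.113.2 255.255.255.252
 ! A hairpinned flow enters and leaves through the same router. Without this,
 ! the router may send ICMP redirects telling the client to reach the server
 ! directly, which bypasses the translation.
 no ip redirects
 ip nat enable
!
interface GigabitEthernet0/1
 description LAN (assumed name and address)
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nat enable
!
! Inside hosts allowed to be source-translated (assumed subnet)
ip access-list standard NAT-LAN
 permit 192.168.1.0 0.0.0.255
!
! Outbound PAT. For a hairpinned connection this also rewrites the client's
! source address, so the server replies to the router and not straight to
! the client on the same subnet.
ip nat source list NAT-LAN interface GigabitEthernet0/0 overload
!
! Port forward for the application: public 203.0.113.2:8080 -> 192.168.1.10:8080.
! Forward only the port the application needs, not the whole host.
ip nat source static tcp 192.168.1.10 8080 203.0.113.2 8080 extendable
```

After connecting from an inside host to the public address on port 8080, `show ip nat nvi translations` should list an entry for the flow with both the client source and the server destination translated.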


Hi,

 

I am having a similar issue on my network. I needed to access a web application on my internal network from outside. I have ASA version 9 sitting on the inside. Here is my configuration, but it does not seem to be working:

WEBSERVER: HRFOCUS
PUBLIC IP: 80.248.12.189
LOCAL IP: 192.168.16.28
Object network HRFOCUS
host 192.168.16.28
access-list outside-in extended permit ip any host 192.168.16.28
nat (inside,outside) static 80.248.12.178 service tcp 8080 8080
access-group outside-in in outside
 
Kindly assist me on this.
Enthusiast

It's not a DNS problem, as he is connecting via IP!

I suspect the problem is the firewall does not permit port 8080 outbound?

Martin

Beginner

Hi Ejaz,

We have encountered this type of req before and our answer was to use DNS Doctoring.  The below links describe the solution when using the ASA platform.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71704-dns-doctoring-2zones.html

 

Hope this helps.

Cheers,
Merlin