08-18-2011 09:24 AM - edited 03-04-2019 01:19 PM
We have the following port forwards set up on a Cisco 800s router.
All internal IP addresses are NATed out to the IP on fa4, which is the external interface. Traffic received on fa4 is forwarded to different servers depending on the type of traffic received.
We can browse the internal websites from the internet fine, but there is one internal server, 192.168.1.7, that uses a DB server (192.168.1.5). It accesses it on its external IP (fa4) on port 1433, but for some reason the connection does not work. Could this be because the source and destination IP addresses are the same IP address?
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.7 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.1.7 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.7 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.5 1433 interface FastEthernet4 1433
ip nat inside source static tcp 192.168.1.7 990 interface FastEthernet4 990
08-18-2011 09:33 AM
Hello there.
Your connection is not working because you cannot use the public IP address from the LAN when doing port forwarding. This is a limitation on the routers. You are going to have to use the private IP address or use one of the workarounds mentioned below. See the following note:
** When sitting on the inside LAN segment, you cannot access the internal server using its public NATted IP. This is a NAT limitation with routers. You will have to use the private IP to access that server.
A ping to that public IP from an inside host might work because the router will respond back for that ping, not the actual server. And if we use the "no-alias" keyword at the end of the static NAT statement, then even this ping would stop working. Again, this is expected behaviour of the router.
Possible workarounds to accomplish the above requirement, i.e. access the internal server from the same LAN (the prerequisite for this is the use of an FQDN to access the server; by using the public IP, there is no way we can accomplish this):
1. Use one-to-one static NAT translation for the private IP of the server, which will enable DNS doctoring.
2. Use an internal DNS server with the mapping of this host to the private IP.
3. Change the hosts file on the PCs trying to access this server from inside (which generally is not a feasible solution, as there could be many hosts in the LAN).
Ref: https://supportforums.cisco.com/docs/DOC-8936
I hope this helps.
Raga
08-18-2011 09:39 AM
So, 192.168.1.7 is trying to access 192.168.1.5 at port 1433 using its external IP address?
If that's the case, it is not supposed to work.
Here are the possible workarounds that you can apply in order to reach those hosts.
WORKAROUND 1:
Instead of using the public IP address, try to access the server through the private IP address. It's the simplest way to solve this issue.
WORKAROUND 2:
Configure one of your computers as a local DNS server and add a record stating that the only way to access the server is with the private IP address. Here is a useful link that explains how to configure a computer as a private DNS server:
http://technet.microsoft.com/en-us/library/cc750209.aspx
WORKAROUND 3:
There's something else you can do on each PC. You just have to edit a file that contains aliases for certain domain names pointing to an IP address. Of course, this only works when trying to access a server through the domain name, not with the IP address.
The file is called "hosts". Windows, before asking a DNS server for a domain name, checks this file to see if there is a shortcut to know the IP address belonging to the domain. On Windows 2000 and NT, it is placed in the following path:
C:\WINNT\system32\drivers\etc
On Windows XP, it is placed in the following path:
C:\WINDOWS\system32\drivers\etc
You just need to edit it with Notepad. Here is what you will find when you open the file:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
This is why, if you do a PING LOCALHOST in an MS-DOS window, you are pinging 127.0.0.1.
Other than this, you could try a NAT-on-a-stick configuration; this may or may not work and is officially supported by Cisco.
Regards,
Amit Aneja
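As an added illustration of the behaviour both replies describe (not code from the thread or from Cisco), the script below parses the static NAT lines from the question, predicts whether a given flow toward the fa4 address will be forwarded or will hairpin and fail, and emits the hosts-file line from workaround 3. The fa4 public address and the FQDN db.example.com are assumed placeholders, since neither appears in the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the static NAT lines posted in the question. The fa4
# public address is not given in the thread, so an RFC 5737 documentation address
# is assumed as a placeholder.
FA4_PUBLIC_IP = "203.0.113.10"
LAN = ip_network("192.168.1.0/24")
NAT_CONFIG = """\
ip nat inside source static tcp 192.168.1.7 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.1.7 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.7 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.5 1433 interface FastEthernet4 1433
ip nat inside source static tcp 192.168.1.7 990 interface FastEthernet4 990
"""
STATIC_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)")

def parse_static_nat(config):
    """Map (proto, public_port) -> (inside_ip, inside_port) for each static entry."""
    table = {}
    for proto, inside_ip, inside_port, public_port in STATIC_RE.findall(config):
        table[(proto, int(public_port))] = (inside_ip, int(inside_port))
    return table

def classify_flow(table, src_ip, dst_ip, dst_port, proto="tcp"):
    """Predict what the router does with a flow from src_ip to dst_ip:dst_port.
    The global->local side of a static entry is applied only to packets that
    enter on the 'ip nat outside' interface, so a LAN host aiming at the public
    address reaches the router itself and is never forwarded to the server."""
    entry = table.get((proto, dst_port))
    if dst_ip != FA4_PUBLIC_IP or entry is None:
        return {"status": "no-static-nat", "use": f"{dst_ip}:{dst_port}"}
    inside_ip, inside_port = entry
    if ip_address(src_ip) in LAN:
        return {"status": "hairpin-fails", "use": f"{inside_ip}:{inside_port}"}
    return {"status": "forwarded", "use": f"{inside_ip}:{inside_port}"}

def hosts_file_line(table, fqdn, public_port, proto="tcp"):
    """Workaround 3: the hosts-file line that points fqdn at the private IP."""
    inside_ip, _ = table[(proto, public_port)]
    return f"{inside_ip} {fqdn}"

if __name__ == "__main__":
    nat = parse_static_nat(NAT_CONFIG)
    print(classify_flow(nat, "192.168.1.7", FA4_PUBLIC_IP, 1433))   # the failing case
    print(classify_flow(nat, "198.51.100.7", FA4_PUBLIC_IP, 1433))  # an internet client
    print(hosts_file_line(nat, "db.example.com", 1433))             # assumed FQDN
```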