Routing external IPs - Please Help!

robinkochauf (Level 1)

Hi!

I'm new to this forum, and it seems this is the place to go with your Cisco questions. I recently bought a Cisco 1841 and after some configuring I got it running the way I wanted, or at least I thought so...

The scenario:

I bought an IP range 195.xx.yy.16/29 from Verizon, where .16 is the network, my Cisco is on .17, my web is on .20, and so on.

Verizon told me that they had forwarded the range to my router from their router and, to connect, I would have to make a route to their router first. This was new to me, and this was where the problems began.


Verizon's router was on 62.xx.yy.72/30, which I later figured out made their router .73, and my router should then be on .74.

My internal network was 10.10.10.0/24

All this was very puzzling to me, but after a couple of hours, I got it working. The Cisco had 2 interfaces, so I put my internal switch on 0/0 and the internet on 0/1. The settings I had then were:

interface 0/0: 10.10.10.1/24

interface 0/1: 62.xx.yy.74/30

Then I made a loopback, don't ask me why, but it worked.

Loopback 3: 195.xx.yy.17/29 <- This would be my router's public IP.

Then I figured out that I needed some kind of routing, so I added one like this:

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 62.xx.yy.73 permanent (this is from my config)

Everything actually started working, and I then NATed some of the public addresses to different internal addresses, which also worked. Amazing!

ip nat inside source static 10.10.10.50 195.xx.yy.18
ip nat inside source static tcp 10.10.10.111 22 195.xx.yy.20 22 extendable
ip nat inside source static tcp 10.10.10.111 80 195.xx.yy.20 80 extendable

Everything was fine until today, when I realized that even if everything worked fine from the outside, I could not access my own webpages from the computer I was on. For example:

$curl http://www.my-adress.com (points to 195.xx.yy.20)

This returned: curl: (7) couldn't connect to host

After a traceroute to my ip/domain, I got this:

traceroute to 195.xx.yy.20 (195.xx.yy.20), 30 hops max, 60 byte packets
1  * * *
2  * * *
3  * * *

and so on...

This is when I realized something was wrong, and after hours of googling this, not knowing where to start, I gave up and tried the Cisco Support Forum.

If anyone could please help me with this, or at least point me in the right direction. I'm willing to try a lot of stuff, but my datacenter is a 4 hour drive away, so if I crash the router, there will be some driving to do for the reboot.

This is my current config, edited for the web of course:

interface Loopback3
 ip address 195.xx.yy.17 255.255.255.248
 ip access-group Any in
 ip access-group Any out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 ip access-group Any in
 ip access-group Any out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 62.xx.yy.74 255.255.255.252
 ip access-group Any in
 ip access-group Any out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 62.xx.yy.73 permanent
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool Extern1 195.xx.yy.16 195.xx.yy.22 netmask 255.255.255.248
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.50 195.xx.yy.18
ip nat inside source static tcp 10.10.10.111 22 195.xx.yy.20 22 extendable
ip nat inside source static tcp 10.10.10.111 80 195.xx.yy.20 80 extendable
ip nat inside source static tcp 10.10.10.111 8090 195.xx.yy.20 8090 extendable
!

There is more, but I don't know if it's relevant.

Thank you for helping me solve this!

Best regards / Robin!
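A quick address-sanity check over the NAT and routing lines of a config like the one above can catch the addressing mistakes that are easy to make with a small /29 and a /30 uplink. The script below is an added example, not part of the original post or of any reply; it assumes the masked octets are replaced by RFC 5737 documentation addresses (203.0.113.16/29 standing in for the purchased block, 198.51.100.72/30 for the ISP link), and the config sample is constructed from the lines posted above.

```python
import ipaddress
import re

# Constructed sample: the NAT/routing lines from the posted config with the
# masked octets replaced by RFC 5737 documentation addresses.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.16/29")   # stands in for 195.xx.yy.16/29
ISP_LINK = ipaddress.ip_network("198.51.100.72/30")      # stands in for 62.xx.yy.72/30

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 ip address 198.51.100.74 255.255.255.252
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 198.51.100.73 permanent
ip nat pool Extern1 203.0.113.16 203.0.113.22 netmask 255.255.255.248
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.50 203.0.113.18
ip nat inside source static tcp 10.10.10.111 22 203.0.113.20 22 extendable
ip nat inside source static tcp 10.10.10.111 80 203.0.113.20 80 extendable
ip nat inside source static tcp 10.10.10.111 8090 203.0.113.20 8090 extendable
"""

# "ip nat inside source static [tcp|udp] <inside> [port] <public> [port] [extendable]"
STATIC_RE = re.compile(
    r"^ip nat inside source static (?:(?:tcp|udp) )?(\S+) (?:\d+ )?(\S+)")
# "ip nat pool <name> <start> <end> netmask <mask>"
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
# "ip route 0.0.0.0 0.0.0.0 [interface] <next-hop> [...]"
DEFAULT_ROUTE_RE = re.compile(
    r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (?:[A-Za-z]\S* )?(\d+\.\d+\.\d+\.\d+)")


def audit_nat(config_text, public_block, isp_link):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    usable = set(public_block.hosts())   # network and broadcast addresses excluded
    statics = {}                         # public address -> set of inside hosts
    pools = {}                           # pool name -> (start, end)
    next_hop = None

    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            public = ipaddress.ip_address(m.group(2))
            statics.setdefault(public, set()).add(m.group(1))
            continue
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
            continue
        m = DEFAULT_ROUTE_RE.match(line)
        if m:
            next_hop = ipaddress.ip_address(m.group(1))

    findings = []
    for public, insides in sorted(statics.items()):
        if public not in usable:
            findings.append(f"static NAT uses {public}, not a usable host in {public_block}")
        if len(insides) > 1:
            findings.append(f"{public} is statically mapped to several inside hosts: {sorted(insides)}")

    for name, (start, end) in pools.items():
        for edge in (start, end):
            if edge not in usable:
                findings.append(f"pool {name} bound {edge} is not a usable host in {public_block}")
        # A dynamic pool that covers addresses also used by static entries is the
        # static/dynamic mix the thread ends up removing.
        overlap = sorted(p for p in statics if start <= p <= end)
        if overlap:
            findings.append(f"pool {name} ({start}-{end}) overlaps static mappings: "
                            + ", ".join(str(p) for p in overlap))

    if next_hop is None:
        findings.append("no default route found")
    elif next_hop not in set(isp_link.hosts()):
        findings.append(f"default route next hop {next_hop} is not on the ISP link {isp_link}")
    return findings


if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG, PUBLIC_BLOCK, ISP_LINK):
        print("FINDING:", finding)
```

Run against the constructed sample it flags two things: the pool Extern1 starts at the network address of the /29, and the pool range covers the .18 and .20 addresses that are also used by static entries.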

6 Replies

moitani (Level 1)

Hi Robin,

This is your first post here maybe, and it's my first post to the forum too.

I've noticed you've created a nat pool Extern1, but you're not actually using this nat pool.

Your nat statement should look like this:

ip nat inside source list 5 pool Extern1 overload

Instead of:

ip nat inside source list 5 interface FastEthernet0/1 overload

- Mohammad

Hi Mohammad,

Changed it, but then had to NAT the router to 195.xx.yy.17 to be able to connect to the router's external IP.

What you say sounds reasonable, but it doesn't solve the problem alone. I'm thinking of changing the 0/1 interface to 195.xx.yy.17/29, so that the only thing that points to my ISP router is the ip route 0.0.0.0 > 62.xx.yy.73, but if this fails I will have to wait until tomorrow to reboot the router.

Think I'll wait for some more answers first. But I'll keep your NAT settings for now, because they seem logical.

If you are attempting to access an internal resource by URL and the name server is providing the public address to internal hosts, I think you may have a DNS issue.

Are your DNS servers internal or external? If they are internal, simply create an internal DNS entry for your web resource that will be provided to internal hosts. If your DNS servers are external, the solution gets more annoying and less scalable.


Chris

I don't think it's a DNS problem. I use external DNS servers hosted by my domain provider. But the following:

$curl 195.xx.yy.20
curl: (7) couldn't connect to host

doesn't work either, and as far as I know this doesn't involve DNS?! Using wget to do the same, it says that the connection is refused by the host.

Just to be clear, all this works just fine from machines outside this network.

robinkochauf wrote:

I don't think it's a DNS problem. I use external DNS servers hosted by my domain provider. But the following:

$curl 195.xx.yy.20
curl: (7) couldn't connect to host

doesn't work either, and as far as I know this doesn't involve DNS?! Using wget to do the same, it says that the connection is refused by the host.

Just to be clear, all this works just fine from machines outside this network.


The issue is that you are trying to connect to the web servers as though you were on the outside, but you are on the inside. So the static NAT statements won't work, because you are not hitting the outside interface first. It is, as Christopher mentioned, tied in with DNS as well.

Do you have an internal DNS? If so, the simplest solution is to create internal DNS entries for the servers pointing to their real IP addresses. That way you do not need to worry about the NAT. This is a very common solution, i.e. internal clients resolve the URLs to internal addresses and external internet users resolve the URLs to their external addresses.

Is there any reason you need internal clients to be able to access these URLs by their public IP addresses?

Jon
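The direction rule Jon describes (an inside-source static entry rewrites the destination only for packets that enter on the `ip nat outside` interface, and rewrites the source only for packets leaving inside-to-outside) and the split-DNS workaround can be modelled in a few lines. The script below is an added example, not code from any participant in this thread; it is a deliberately simplified model of IOS static NAT (dynamic overload translation is ignored), uses RFC 5737 documentation addresses in place of the masked ones, and the zone entry www.example.com is a hypothetical split-horizon record.

```python
import ipaddress
from dataclasses import dataclass

ip = ipaddress.ip_address

# Constructed model of the thread's topology with documentation addresses:
# 203.0.113.16/29 stands in for the public block, 198.51.100.0/24 for
# "somewhere on the Internet".
INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")

# Static translations as in the thread (inside -> public).
STATIC_NAT = {
    ip("10.10.10.50"): ip("203.0.113.18"),
    ip("10.10.10.111"): ip("203.0.113.20"),
}
PUBLIC_TO_INSIDE = {pub: inside for inside, pub in STATIC_NAT.items()}

# Hypothetical split-horizon zone: name -> (inside address, public address).
ZONE = {"www.example.com": (ip("10.10.10.111"), ip("203.0.113.20"))}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def side(addr):
    """Which NAT side an address belongs to: 'inside' for 10.10.10.0/24, else 'outside'."""
    return "inside" if addr in INSIDE_NET else "outside"


def translate(pkt):
    """Simplified model of 'ip nat inside source static' on an IOS router.

    outside -> inside: the public destination is rewritten to the inside host.
    inside  -> outside: only the source is rewritten to its public address;
                        a public destination is left exactly as sent.
    inside  -> inside:  NAT is never consulted.
    Returns the packet as it leaves the router, or None when an outside packet
    targets a public address with no mapping (nothing is forwarded).
    """
    if side(pkt.src) == "outside":
        inside_dst = PUBLIC_TO_INSIDE.get(pkt.dst)
        return None if inside_dst is None else Packet(pkt.src, inside_dst)
    if side(pkt.dst) == "inside":
        return pkt
    return Packet(STATIC_NAT.get(pkt.src, pkt.src), pkt.dst)


def reaches(pkt, server_inside_ip):
    """True if, after translation, the packet is headed for the given inside server."""
    out = translate(pkt)
    return out is not None and out.dst == server_inside_ip


def resolve(name, client_ip):
    """Split-horizon answer: inside clients get the inside address, everyone else the public one."""
    inside_addr, public_addr = ZONE[name]
    return inside_addr if side(client_ip) == "inside" else public_addr


if __name__ == "__main__":
    web = ip("10.10.10.111")
    print("outside client -> public IP:", reaches(Packet(ip("198.51.100.5"), ip("203.0.113.20")), web))
    print("inside client  -> public IP:", reaches(Packet(ip("10.10.10.5"), ip("203.0.113.20")), web))
    inside_answer = resolve("www.example.com", ip("10.10.10.5"))
    print("inside client  -> split DNS:", reaches(Packet(ip("10.10.10.5"), inside_answer), web))
```

The first call succeeds because the packet enters from the outside and the static entry rewrites its destination; the second fails because an inside client's packet never enters on the outside interface, so its public destination is left untouched; the third succeeds because the split-horizon answer hands the inside client the real address and NAT is not involved at all.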

robinkochauf (Level 1)

Ok, I found the solution myself, after a night of googling!

It was not DNS related, and I didn't need any more routes. The problem was that I had mixed static and dynamic NAT, so I got a conflict in the lookup.

I now only have static NAT, and it works like a charm: internal lookup, curl, traceroute and everything. This is my new NAT config:

ip nat inside source static 10.10.10.1 195.xx.yy.17
ip nat inside source static 10.10.10.50 195.xx.yy.18
ip nat inside source static 10.10.10.111 195.xx.yy.19

Stupid simple!

Thanks for all the help and all the suggestions!
