10-07-2012 11:53 PM - edited 03-04-2019 05:47 PM
Dear Techies,
I am facing a weird problem at one of my client's offices. We have replaced a small business router, Cisco RV042, with a Cisco ISR 2911 router. In that router we have configured NAT to allow internal users to access the internet, and port forwarding for outside users to access web servers and other applications that are hosted internally.
We are not able to access www.test.com (name changed) from internally, nor one of the applications that is running on port no. 8280, and the same is working properly from outside the network. Another application that is running on 8287 is accessible from internally.
We are accessing with IP address http://192.168.1.51:8280, and www.test.com is not working from inside.
But all works fine with the old Cisco RV042.
I am attaching both router configs for reference. Please advise.
Thanks in Advance.
Hardik.
10-08-2012 07:31 AM
Hello Hardik,
This is quite a common question/issue.
Cisco routers implement NAT in such a way that the web server should be accessed using the private IP address from the inside.
>> We are accessing with ip address
If this is acceptable to you and your users no further actions are required.
Edit:
I would remove the following command from the internet-facing interfaces, as NAT is performed on each
>>ip load-sharing per-packet
so load balancing per packet makes no sense here.
Hope to help
Giuseppe
10-08-2012 10:01 PM
Hi, Giuseppe
Yes, we have removed the command ip load-sharing per-packet on both WAN interfaces. The problem is that we are able to telnet to 192.168.1.51 on port no. 8280 from the LAN, but when we access it from a web browser to use the application with the URL http://192.168.1.51:8280, it is not working.
We are facing the same problem with www.test.com, but that we have solved with a host entry on the user machine.
Can you explain what measures we can take to access with private IP 192.168.1.51:8280 from inside the LAN? There is no other VLAN. The server and users are connected to the same switch. We also replaced the switch to check.
thanks,
hardik.
10-08-2012 11:20 PM
Hardik
What have you got in your internet proxy exceptions?
If you are able to get there by telnet then this is the only other thing it could possibly be ...
Ryan
10-08-2012 11:49 PM
Hi Ryan,
No, we don't have any proxy in between. Yes, I am able to get there with telnet on the mentioned port, but via web page we can't access this application.
We are also searching for that other thing.
Thanks,
Hardik.
10-08-2012 11:54 PM
hardik
What I meant was in your internet browser what have you got in your internet exceptions tab?
You should have 192.168.*.* for this to work ...
Ryan
10-09-2012 12:00 AM
Hi Ryan,
Sorry, I am not getting what you are saying, can you explain in detail?
For your reference, we are using Firefox.
Thanks,
Hardik.
10-09-2012 12:45 AM
Hi,
I think with what you describe that it is more a browser problem than a router problem.
Clear your cache and verify your connection parameters in Firefox.
Regards.
Alain
Don't forget to rate helpful posts.
10-10-2012 04:20 PM
If I understand you correctly you are trying to implement "NAT Hairpin". Meaning you are trying to access an internal server using the external IP address.
You have a few options. If you have an internal DNS server, simply create an A record for www.test.com pointing to the internal IP address.
If you do not have an internal DNS server, you could look at implementing NAT NVI (ip nat enable) instead of traditional NAT (ip nat inside/outside).
NAT NVI supports hairpinning, as the order of operation is different.
NOTE: I have not tested this. Make sure you back up your original configuration, in case this does not work.
Enable the Router Interfaces for NVI instead of Traditional NAT
interface GigabitEthernet0/0
 no ip nat outside
 ip nat enable
 no ip redirects
interface GigabitEthernet0/1
 no ip nat outside
 ip nat enable
 no ip redirects
interface GigabitEthernet0/2
 no ip nat inside
 ip nat enable
 no ip redirects
Remove Traditional NAT Statements and replace with NVI NAT Statements
no ip nat inside source route-map isp1 interface GigabitEthernet0/0 overload
no ip nat inside source route-map isp2 interface GigabitEthernet0/1 overload
no ip nat inside source static tcp 192.168.1.51 80 49.248.102.45 80 extendable
no ip nat inside source static tcp 192.168.1.51 3389 49.248.102.45 3389 extendable
no ip nat inside source static tcp 192.168.1.51 8280 49.248.102.45 8280 extendable
no ip nat inside source static tcp 192.168.1.51 8281 49.248.102.45 8281 extendable
no ip nat inside source static tcp 192.168.1.51 8282 49.248.102.45 8282 extendable
no ip nat inside source static tcp 192.168.1.51 8283 49.248.102.45 8283 extendable
no ip nat inside source static tcp 192.168.1.51 8284 49.248.102.45 8284 extendable
no ip nat inside source static tcp 192.168.1.51 8285 49.248.102.45 8285 extendable
no ip nat inside source static tcp 192.168.1.51 8286 49.248.102.45 8286 extendable
no ip nat inside source static tcp 192.168.1.51 8287 49.248.102.45 8287 extendable
no ip nat inside source static tcp 192.168.1.51 80 182.73.64.66 80 extendable
no ip nat inside source static tcp 192.168.1.51 3389 182.73.64.66 3389 extendable
no ip nat inside source static tcp 192.168.1.51 8280 182.73.64.66 8280 extendable
no ip nat inside source static tcp 192.168.1.51 8281 182.73.64.66 8281 extendable
no ip nat inside source static tcp 192.168.1.51 8282 182.73.64.66 8282 extendable
no ip nat inside source static tcp 192.168.1.51 8283 182.73.64.66 8283 extendable
no ip nat inside source static tcp 192.168.1.51 8284 182.73.64.66 8284 extendable
no ip nat inside source static tcp 192.168.1.51 8285 182.73.64.66 8285 extendable
no ip nat inside source static tcp 192.168.1.51 8286 182.73.64.66 8286 extendable
no ip nat inside source static tcp 192.168.1.51 8287 182.73.64.66 8287 extendable
no ip nat inside source static tcp 192.168.1.52 3390 182.73.64.66 3390 extendable
no ip nat inside source static tcp 192.168.1.43 90 182.73.64.66 90 extendable
no ip nat inside source static tcp 192.168.1.43 8000 182.73.64.66 8000 extendable
ip nat source route-map isp1 interface GigabitEthernet0/0 overload
ip nat source route-map isp2 interface GigabitEthernet0/1 overload
ip nat source static tcp 192.168.1.51 80 49.248.102.45 80 extendable
ip nat source static tcp 192.168.1.51 3389 49.248.102.45 3389 extendable
ip nat source static tcp 192.168.1.51 8280 49.248.102.45 8280 extendable
ip nat source static tcp 192.168.1.51 8281 49.248.102.45 8281 extendable
ip nat source static tcp 192.168.1.51 8282 49.248.102.45 8282 extendable
ip nat source static tcp 192.168.1.51 8283 49.248.102.45 8283 extendable
ip nat source static tcp 192.168.1.51 8284 49.248.102.45 8284 extendable
ip nat source static tcp 192.168.1.51 8285 49.248.102.45 8285 extendable
ip nat source static tcp 192.168.1.51 8286 49.248.102.45 8286 extendable
ip nat source static tcp 192.168.1.51 8287 49.248.102.45 8287 extendable
ip nat source static tcp 192.168.1.51 80 182.73.64.66 80 extendable
ip nat source static tcp 192.168.1.51 3389 182.73.64.66 3389 extendable
ip nat source static tcp 192.168.1.51 8280 182.73.64.66 8280 extendable
ip nat source static tcp 192.168.1.51 8281 182.73.64.66 8281 extendable
ip nat source static tcp 192.168.1.51 8282 182.73.64.66 8282 extendable
ip nat source static tcp 192.168.1.51 8283 182.73.64.66 8283 extendable
ip nat source static tcp 192.168.1.51 8284 182.73.64.66 8284 extendable
ip nat source static tcp 192.168.1.51 8285 182.73.64.66 8285 extendable
ip nat source static tcp 192.168.1.51 8286 182.73.64.66 8286 extendable
ip nat source static tcp 192.168.1.51 8287 182.73.64.66 8287 extendable
ip nat source static tcp 192.168.1.52 3390 182.73.64.66 3390 extendable
ip nat source static tcp 192.168.1.43 90 182.73.64.66 90 extendable
ip nat source static tcp 192.168.1.43 8000 182.73.64.66 8000 extendable
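The statement-by-statement conversion listed in the post above, as an added example that is not part of the original post and not a Cisco tool: the script generates the `no ip nat inside source ...` removals and matching `ip nat source ...` lines from an existing configuration, and looks up which inside host a LAN client would reach through a given public address and port once hairpinning works. Function names and the sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample: a few traditional-NAT lines in the form used in the post above.
SAMPLE_CONFIG = """\
ip nat inside source route-map isp1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.51 8280 49.248.102.45 8280 extendable
ip nat inside source static tcp 192.168.1.51 3389 49.248.102.45 3389 extendable
ip nat inside source static tcp 192.168.1.43 8000 182.73.64.66 8000 extendable
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)\b")

def to_nvi(config_text):
    """Return (removals, additions) rewriting 'ip nat inside source' as NVI 'ip nat source'."""
    removals, additions = [], []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("ip nat inside source "):
            removals.append("no " + line)
            additions.append(line.replace("ip nat inside source ", "ip nat source ", 1))
    return removals, additions

def port_forwards(config_text):
    """Parse static forwards into (proto, inside_ip, inside_port, public_ip, public_port)."""
    out = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, lip, lport, gip, gport = m.groups()
            out.append((proto, lip, int(lport), gip, int(gport)))
    return out

def hairpin_target(forwards, dst_ip, dst_port, proto="tcp"):
    """Inside (ip, port) a LAN client reaches via the public address, or None if not forwarded."""
    for p, lip, lport, gip, gport in forwards:
        if (p, gip, gport) == (proto, dst_ip, dst_port):
            return (lip, lport)
    return None

if __name__ == "__main__":
    removals, additions = to_nvi(SAMPLE_CONFIG)
    print("\n".join(removals + additions))
    print(hairpin_target(port_forwards(SAMPLE_CONFIG), "49.248.102.45", 8280))
```

The parsed forward list is also a quick inventory of what the router publishes to the internet, which is worth reviewing before re-entering every entry unchanged.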
10-11-2012 10:17 PM
Hi Guys,
Thanks for your participation. Will check and confirm.
Thanks,
Hardik.