
Access server with public IP from inside LAN and outside Cisco router

Hey,

I have a Cisco ISR 1921 router. Through a switch I have a few web servers that I want to access from both inside and outside with the public IP.
From inside with local IP -- working

From outside with public IP (after DNAT) -- working

From inside with public IP -- NOT WORKING

I saw a video where this is possible on an ASA with NAT hairpin, but I have an ISR 1921 router. Is this possible with it??

 

 

TIA!!!!


If your router accepts the command

ip nat enable

you can do that; if not, then sorry, you cannot.

ASA is different; you can easily do that on ASA.

MHM

Hello @MHM Cisco World 


@MHM Cisco World wrote:

If your router accepts the command

ip nat enable

you can do that; if not, then sorry, you cannot.

ASA is different; you can easily do that on ASA.

MHM


Apologies, your statement is incorrect - although NVI NAT is the most applicable solution, it's not the only solution; NAT hairpinning will work.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Sorry Paul 

But NVI is added automatically when you use

ip nat enable

which returns us to the first point: does his router support this command or not.

@Sharanjeet_Kumar check the link below for another solution

https://faatech.be/cisco-ios-u-turn-nat-nat-reflection-nat-hairpinning/

MHM

Hello
As I have stated, NVI NAT is the easiest way, but if this feature is not available then hairpinning is a solution, so yes, you can still accomplish accessing an internal web server from the internal network via its public IP address.



Kind Regards
Paul

Hello @Sharanjeet_Kumar 
Please review here



Kind Regards
Paul

@MHM Cisco World @paul driver 
I tried the links shared by you guys and previous community conversations that I found through Google search, but I didn't find any solution and am still stuck in the same situation.


The ip nat enable command on interfaces is working

HMH!!!

https://faatech.be/cisco-ios-u-turn-nat-nat-reflection-nat-hairpinning/

Did you try the solution in this link?

If you tried and failed, share the topology and the last code you used.

MHM

Topology is simple:-
ISP/Public IP-->Router-->switch-->PC/WEB-SERVER

ip nat source without inside is not available, while the ip nat enable command is available

 


Below is my Router configuration 

 

CE-ROUTER#
CE-ROUTER#sh run
Building configuration...

Current configuration : 6658 bytes
!
! Last configuration change at 10:52:39 UTC Sat Dec 28 2024
!
version 17.2
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname CE-ROUTER
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.40.1 192.168.40.9
!
ip dhcp pool LAN
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1
 dns-server 8.8.8.8 4.4.4.4
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-445862392
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-445862392
 revocation-check none
 rsakeypair TP-self-signed-445862392
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-445862392
 certificate self-signed 01
        quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
        quit
!
crypto pki certificate pool
 cabundle nvram:ios_core.p7b
!
!
!
!
!
!
!
!
license udi pid ISRV sn 9A0OXTAPBQ7
diagnostic bootup level minimal
memory free low-watermark processor 70616
!
!
spanning-tree extend system-id
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1
 ip address 192.168.40.1 255.255.255.0
 ip nat enable
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address dhcp
 ip nat enable
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 192.168.40.10 2200 192.168.2.105 2200 extendable
ip nat inside source list NAT interface GigabitEthernet2 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet2 dhcp
!
ip access-list standard NAT
 10 permit 192.168.40.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
end

 

Sorry, I am busy; hope another VIP can help.

Good luck

MHM

Hello


@Sharanjeet_Kumar wrote:
The ip nat enable command on interfaces is working


So try the following and verify if it works; if not, you will need to hairpin using domain NAT.

no ip nat inside source static tcp 192.168.40.10 2200 192.168.2.105 2200 extendable
no ip nat inside source list NAT interface GigabitEthernet2 overload

ip nat source list NAT interface GigabitEthernet2 overload
ip nat source static tcp 192.168.40.10 2200 192.168.2.105 2200



Kind Regards
Paul
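
A consistency check for the two NAT styles discussed in this thread, as an added example that is not part of any post. It assumes that `ip nat inside source` rules apply only between interfaces marked `ip nat inside` / `ip nat outside`, and that `ip nat source` rules apply only on interfaces with `ip nat enable`; the function names are hypothetical and the sample holds the NAT lines of the configuration posted above.

```python
import re

# Constructed sample: the NAT-relevant lines of the configuration posted in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1
 ip address 192.168.40.1 255.255.255.0
 ip nat enable
!
interface GigabitEthernet2
 ip address dhcp
 ip nat enable
!
ip nat inside source static tcp 192.168.40.10 2200 192.168.2.105 2200 extendable
ip nat inside source list NAT interface GigabitEthernet2 overload
"""

def classify_nat(config):
    """Sort interface NAT markers and global NAT rules into legacy and NVI style."""
    ifaces = {"inside": [], "outside": [], "enable": []}
    rules = {"legacy": [], "nvi": []}
    current = None  # interface whose indented sub-commands are being read
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith(" ") and current:
            m = re.fullmatch(r"ip nat (inside|outside|enable)", line.strip())
            if m:
                ifaces[m.group(1)].append(current)
        else:
            current = None  # back at global configuration level
            if re.match(r"ip nat (inside|outside) source ", line):
                rules["legacy"].append(line)
            elif line.startswith("ip nat source "):
                rules["nvi"].append(line)
    return ifaces, rules

def nat_mismatches(config):
    """Return findings where the rule style and the interface markers disagree."""
    ifaces, rules = classify_nat(config)
    findings = []
    if rules["legacy"] and not (ifaces["inside"] and ifaces["outside"]):
        findings.append("legacy rules but no 'ip nat inside'/'ip nat outside' interface pair")
    if rules["nvi"] and not ifaces["enable"]:
        findings.append("'ip nat source' rules but no interface has 'ip nat enable'")
    if ifaces["enable"] and not rules["nvi"]:
        findings.append("'ip nat enable' is set but there is no 'ip nat source' rule")
    return findings
```

Calling `nat_mismatches(SAMPLE_CONFIG)` returns two findings for the posted configuration; the same text with the rules rewritten as `ip nat source ...` returns none.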

The ip nat enable command is working, but ip nat source (without inside) is not working.

Perhaps we can do domain NAT, but with domain NAT it is not working.