04-05-2008 07:45 AM - edited 03-05-2019 10:12 PM
Hi,
I have the following problem:
The servers are given public IP addresses so as to be available from outside. It works just fine, but when clients that are on the same network, e.g.
10.0.0.0/16, want to connect to them via the public address 78.x.x.x, the connection is refused. Seems silly because I can ping the servers from these hosts. Moreover, all can connect to the servers over the inside network 10.0.0.0/16.
I wasted 6h looking for a solution and nothing.
I have a 2811 router and it's all I have; I do not have internal DNS.
I would appreciate your help,
Gabriel
config:
no aaa new-model
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 10.2.0.0 10.255.255.255
ip dhcp excluded-address 10.0.0.1 10.0.255.255
!
ip dhcp pool mypool
network 10.0.0.0 255.0.0.0
dns-server 10.0.0.254
default-router 10.0.0.254
lease 7
!
!
ip name-server 213.xxx.xxx.xxx
ip name-server 82.xxx.xxx.xxx
!
!
!
voice-card 0
no dspfarm
!
interface FastEthernet0/0
ip address 78.xxx.xxx.xxx 255.255.255.224
ip access-group inbound in
ip access-group outbound out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.254 255.0.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
ip route 0.0.0.0 0.0.0.0 78.xxx.xxx.xxx
!
!
ip http server
no ip http secure-server
ip dns server
ip nat pool mypool 78.xxx.xxx.xxx 78.xxx.xxx.xxx netmask 255.255.255.224
ip nat inside source list 1 pool mypool overload
ip nat inside source static 10.0.0.1 xxx.xxx.xxx.98
ip nat inside source static 10.0.0.2 xxx.xxx.xxx.99
!
ip access-list extended inbound
permit tcp any host xxx.xxx.xxx.98 eq www
permit tcp any host xxx.xxx.xxx.98 eq 5544
permit tcp any host xxx.xxx.xxx.98 eq ftp
permit tcp any host xxx.xxx.xxx.98 eq smtp
permit tcp any host xxx.xxx.xxx.98 eq 443
permit tcp any host xxx.xxx.xxx.99 eq 5545
permit tcp any host xxx.xxx.xxx.126 eq telnet
permit udp any eq domain any
evaluate nattraffic
ip access-list extended outbound
permit ip any any reflect nattraffic
!
access-list 1 permit 10.0.0.0 0.255.255.255
snmp-server community public RO
!
!
!
!
!
dnsix-nat source 10.0.0.254
!
control-plane
!
x.x.x.98 and .99 are the public addresses of the servers and
10.0.0.1 and 10.0.0.2 their internal ones (there are quite a few services on them).
04-05-2008 01:54 PM
Gabriel,
If I understand correctly, you want a host on the inside (e.g. 10.0.0.1) to connect to destination 77.x.x.98 (real addr 10.0.0.98) by using NAT to translate the destination from 77.x.x.98 to 10.0.0.98.
What you are attempting to do here is Source & Destination NAT on the same interface (inbound & outbound); this is not possible in this case.
The ICMP replies you receive are from the NAT router and not from the destination server. Use 'debug ip icmp' on the NAT router to see the ICMP return created by the router.
The destination address does not get translated. If you try a connection to 77.x.x.98 www from inside and look at 'sh ip nat trans' and 'debug ip packet' (use an acl filter !!), you will see that your source addr has been translated (due to the PAT config) but not your destination addr; the dest will still be the 77.x.x.98 address, not the local 10.x.x.98 address.
You say you don't have an internal DNS; IOS has an inbuilt DNS which you could use for internal requests and have other requests (non-authoritative) forwarded on to external DNS.
Regards,
Simon
04-06-2008 02:27 PM
Well, to be precise, Simon, it is this:
I want the hosts behind NAT, all of them, to be able to reach others in the internal network via public addresses. So, for example, assuming I have the web server 10.0.0.1 which is translated -> 79.10.0.1, now from outside I can reach it by http://79.10.0.1 and from inside by http://10.0.0.1, but trying http://79.10.0.1 from host e.g. 10.0.0.2 fails! If I can set it up somehow (DNS alias?) I would be grateful for any hints.
Regards,
Gabriel
04-07-2008 09:10 AM
Gabriel,
That's what I thought you were trying to do. As far as a DNS alias on IOS goes, DNS is translated using static NAT, but again not on the same interface, which is where we get the problem, and there is no specific DNS alias/doctoring as on the PIX/ASA.
Can I ask why you want your inside users to use the public address? Is this an application requirement?
Can your users use a URL instead?
Would a DNS resolver be a solution? As I mentioned, you could have your IOS box running DNS and forward DNS requests to your ISP/?? DNS on the internet for resolution of hosts on the public internet.
There are some other options such as NAT on a stick, or two internal subnets from subinterfaces, but these both require readdressing internally, which I assume you want to avoid?
Regards,
04-07-2008 10:59 PM
No, if I can avoid DNS it would be fine, for I have an initial setup and readdressing is OK. I do not have a DNS server and I would prefer not to use the router for that purpose, as I heard it can slow down the network. Users on the internal network have to access the web site via domain name, e.g. http://mysite.com, and the e-mail servers also.
How to do two-way NAT?
04-08-2008 12:22 AM
I did set it up with DNS on the router:
Now I can do:
$telnet site.com 80
from an inside host and I open the connection successfully, but when I issue:
GET /
I get a 302 error, file moved to x1.site-xxx.com.
Issuing the same from outside works fine; the server returns the root document.
Is it a router or a server problem?
04-08-2008 12:32 AM
I added ip host www.site.com 10.0.0.1 and it works. Should it?? OK, it should not; what about the error?
04-08-2008 12:53 AM
You will need a DNS entry for x1.site-xxx.com 10.0.0.x as well.
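The two mechanisms the thread turns on, as an added model that is not from the original posts or from Cisco: IOS 'ip nat inside source' rewrites only the source on inside-to-outside packets and only the destination on outside-to-inside packets, so an inside client aiming at the public address never gets hairpinned back to the server; the router's 'ip host' table then fixes the first name but not the 302 redirect target. The addresses (198.51.100.x, 203.0.113.x) are constructed stand-ins for the masked values in the thread.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses (documentation ranges) standing in for the
# masked 78.x.x.x / xxx.xxx.xxx.98 values in the thread.
PUBLIC_WEB = "198.51.100.98"      # static NAT address of 10.0.0.1
PUBLIC_APP = "198.51.100.99"      # static NAT address of 10.0.0.2
PAT_ADDR = "198.51.100.100"       # overload pool address for other hosts
STATIC_NAT = {"10.0.0.1": PUBLIC_WEB, "10.0.0.2": PUBLIC_APP}
INSIDE_NET = "10."                # matches access-list 1 (10.0.0.0/8)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def nat_inside_source(pkt: Packet, arrived_on: str) -> Packet:
    """Simplified model (assumption) of 'ip nat inside source' semantics:
    inside->outside translates the SOURCE only (static entry or PAT pool);
    outside->inside translates the DESTINATION only (static entry reversed).
    A packet arriving on the inside interface never has its destination
    rewritten, which is the hairpin failure Simon describes."""
    if arrived_on == "inside":
        if pkt.src in STATIC_NAT:
            return replace(pkt, src=STATIC_NAT[pkt.src])
        if pkt.src.startswith(INSIDE_NET):       # list 1 + pool overload
            return replace(pkt, src=PAT_ADDR)
        return pkt
    reverse = {pub: priv for priv, pub in STATIC_NAT.items()}
    return replace(pkt, dst=reverse.get(pkt.dst, pkt.dst))

def hairpin_reaches_server(client: str, public_ip: str) -> bool:
    """Does an inside client's connection to a public address land on the
    internal server? Only if the destination became a 10.x address."""
    out = nat_inside_source(Packet(client, public_ip), "inside")
    return out.dst.startswith(INSIDE_NET)

# Split DNS on the router: the 'ip host' table answers inside clients
# directly; anything else is forwarded to the ISP resolver (public IP).
IP_HOST_TABLE = {"www.site.com": "10.0.0.1"}
EXTERNAL_DNS = {"www.site.com": PUBLIC_WEB, "x1.site-xxx.com": PUBLIC_WEB}

def resolve_from_inside(name: str, table=IP_HOST_TABLE) -> str:
    return table.get(name) or EXTERNAL_DNS[name]

def redirect_breaks(name: str, target: str, table=IP_HOST_TABLE) -> bool:
    """True when the first name resolves internally but the 302 target does
    not, so the client ends up on the public address and hits the hairpin."""
    first = resolve_from_inside(name, table).startswith(INSIDE_NET)
    second = resolve_from_inside(target, table).startswith(INSIDE_NET)
    return first and not second
```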