01-11-2013 10:30 PM - edited 03-07-2019 11:03 AM
Hi guys,
Here's my setup:
- Cisco 1841 connected to the internet on fa0/1
- LAN connected to fa0/0/1 (switch port, connected to Vlan1)
On my LAN I have a webserver that houses different websites.
Those websites have DNS records that point to my public IP address, located on fa0/1.
From the outside I can reach the websites perfectly, but I can't reach them from the inside.
So it looks like I can't seem to connect from my local LAN address to the public IP address
on the Cisco (which then should NAT it to the correct server).
Could someone help me solve this issue?
Here is a snippet from my config:
--NAT--
ip nat inside source static tcp 192.168.0.3 80 interface FastEthernet0/1 80
ip nat inside source route-map Internet interface FastEthernet0/1 overload
--OUTSIDE INTERFACE--
interface FastEthernet0/1
description WAN
ip address dhcp
ip access-group WAN-IN in
ip multicast boundary Multicast-Filter
ip nat outside
duplex auto
speed auto
end
--INSIDE INTERFACE--
interface Vlan1
description LAN
ip address 192.168.0.254 255.255.255.0
ip access-group LAN-IN in
ip pim sparse-dense-mode
ip multicast boundary Multicast-Filter
ip nat inside
end
Thanks!
Chris
01-11-2013 11:21 PM
Hi Chris,
This is normal behavior.
When you have two interfaces, one with "ip nat outside" and the other with "ip nat inside", if a packet hits the "inside" interface with a destination address of the "outside" interface, the packet gets dropped (by design), and that's how it works.
I have seen workarounds for this, like PBR (policy-based routing, etc.), but they are a little bit tricky and messy.
But there is a new way of configuring NAT called NVI (NAT Virtual Interface, only supported on IOS 12.3(14)T or later) which can solve your issue. It removes the "ip nat inside/outside" commands and uses a different set of configuration.
But you might have to redo your NAT configuration (shouldn't be too hard).
I found this nice article on the internet (hats off to the author); it shows you all the steps involved in changing the old NAT configuration to NVI.
http://tech.jocke.no/2010/09/24/cisco-ios-nat-virtual-interface/
Let me know if you have more questions on this one.
Please rate this post if helpful
Shamal
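As an added illustration of the NVI rewrite suggested in the reply above (this is not the original poster's config and not Shamal's, and it is not taken from the linked article): the two NAT statements from the question converted to NVI syntax. The interface names, the 192.168.0.3 web server and the route-map name "Internet" are from the posted config; the removal order, the verification commands and the assumption that the route-map matches by source address only are mine.

```cisco
! Added example, not from the original thread: legacy "ip nat inside/outside"
! configuration converted to NVI (NAT Virtual Interface, IOS 12.3(14)T+).
! Interface names, 192.168.0.3 and route-map "Internet" come from the
! question; everything else is assumed.
!
! 1. Remove the legacy translation rules and the inside/outside roles.
no ip nat inside source static tcp 192.168.0.3 80 interface FastEthernet0/1 80
no ip nat inside source route-map Internet interface FastEthernet0/1 overload
!
interface FastEthernet0/1
 no ip nat outside
!
interface Vlan1
 no ip nat inside
!
! 2. Recreate the same two rules with the NVI keyword form ("ip nat source",
!    without "inside"); the port forward and the overload rule keep their meaning.
ip nat source static tcp 192.168.0.3 80 interface FastEthernet0/1 80
ip nat source route-map Internet interface FastEthernet0/1 overload
!
! 3. Mark both interfaces as NAT-enabled. NVI has no inside/outside direction,
!    so a LAN host connecting to the fa0/1 address is translated like any other
!    flow instead of being treated as traffic addressed to the router itself.
interface FastEthernet0/1
 ip nat enable
!
interface Vlan1
 ip nat enable
!
! 4. Verify from a LAN host (e.g. open http://<fa0/1 address>/ or
!    "telnet <fa0/1 address> 80") and look for the hairpinned flow:
! Router# show ip nat nvi translations
! Router# show ip nat nvi statistics
```

Two things to check after the change. First, the hairpinned flow only works if its source address is translated as well: the static rule rewrites the destination to 192.168.0.3, but if the route-map "Internet" (whose match clauses are not shown in the question) only matches traffic leaving FastEthernet0/1, the LAN client's source stays 192.168.0.x, the web server answers it directly on the VLAN, and the client discards a reply that comes from 192.168.0.3 instead of the public address it connected to. Matching on a source ACL for 192.168.0.0/24 without an interface match avoids that. Second, once the source is translated, the web server's logs will record the router's fa0/1 address for every LAN visitor rather than the real client address, which matters if anything on the server (access controls, rate limits, log review) relies on client IPs.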
01-11-2013 11:48 PM
Alternatively you may create new A records with the servers' private addresses in your internal DNS server, if you have one.
01-12-2013 12:30 AM
Agreed with Dosztal.
or you can change the host records on the PC you are using to connect to the servers.
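The split-DNS approach from the two replies above, as an added example that is not part of the original thread: a BIND 9 configuration with two views, so LAN clients resolve the web sites to the server's private address while everyone else still gets the public record. The domain "example.com", the internal name server at 192.168.0.2 and the public address 203.0.113.10 (RFC 5737 documentation range) are placeholders, not values from the thread; 192.168.0.0/24 and 192.168.0.3 are taken from the posted router config.

```conf
// Added example (not from the original thread): split-horizon DNS in named.conf.
// Placeholders: example.com, ns1 at 192.168.0.2, public address 203.0.113.10.
acl "lan" { 192.168.0.0/24; 127.0.0.1; };

// Queries from the LAN get the zone with private addresses.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.internal";
    };
};

// Everyone else gets the zone with the public address (no open recursion).
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.external";
    };
};

// /etc/bind/db.example.com.internal (abridged); "www" points at the LAN host:
//   $TTL 3600
//   @    IN SOA ns1.example.com. hostmaster.example.com. ( 2013011201 3600 900 1209600 300 )
//   @    IN NS  ns1.example.com.
//   ns1  IN A   192.168.0.2
//   www  IN A   192.168.0.3
//
// /etc/bind/db.example.com.external is identical except for the last record:
//   www  IN A   203.0.113.10
```

Run `named-checkconf` before reloading, then compare `dig @192.168.0.2 www.example.com` from a LAN host (expect 192.168.0.3) with the same query from outside (expect the public address). The per-PC alternative mentioned in the last reply is the same idea without a server: a line such as `192.168.0.3 www.example.com` in /etc/hosts, or in C:\Windows\System32\drivers\etc\hosts on Windows. Both variants only help access by name; anything that uses the public IP address literally still goes to the router and still fails, and the internal zone (or every hosts file) has to be updated whenever a site moves to a different server.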