Local (Internal) network access to external IP address

TrevorNWatson1
Level 1

Hello,

We recently purchased a Cisco 2911 router with an expansion card with 8 ports (VLan1) for our web server (have 6 servers in the cabinet).

We were able to configure the 2911 with the ability for VLan1 to access the internet through GigabitEthernet0/1 and the outside world to access our servers from GigabitEthernet0/1 -> Vlan1 (with all relevant port forwarding)

However, our internal servers cannot access themselves via the external IP address. Hitting the external IP address still showed the IOS web interface (which we've since disabled on port 80 thinking that might be a problem).

We need the internal servers to be able to reference themselves via the external IP address (or have NAT rules for the internal traffic on the external port?)

Any reference to the 2.x or 1.x networks can be ignored - it is our local office network and doesn't reflect the current location

Thanks in advance,

Trevor Watson

The following is our config.


Building configuration...

Current configuration : 6053 bytes
!
! Last configuration change at 16:42:31 EDT Sat Jul 5 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname SMS-ROUTER
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 ----
!
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
!
ip cef
!
!
!
!
!
!
ip domain name smsgateway.ca
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-----
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-----
 revocation-check none
 rsakeypair TP-self-signed-----
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-----
 certificate self-signed 01
 
        quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO2911/K9 sn ----
!
!
username admin privilege 15 secret 4 -----
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-WAN$
 ip address 192.168.2.201 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $ETH-EXTERNAL$$ETH-WAN$
 ip address w.x.y.z 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 description SMS-DATA$ETH-LAN$
 no ip address
!
interface GigabitEthernet0/1/1
 description SMS-WEB$ETH-LAN$
 no ip address
!
interface GigabitEthernet0/1/2
 no ip address
!
interface GigabitEthernet0/1/3
 no ip address
!
interface GigabitEthernet0/1/4
 no ip address
!
interface GigabitEthernet0/1/5
 no ip address
!
interface GigabitEthernet0/1/6
 no ip address
!
interface GigabitEthernet0/1/7
 no ip address
!
interface Vlan1
 ip address a.b.c.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source static tcp a.b.c.15 21 w.x.y.z 21 extendable
ip nat inside source static tcp a.b.c.100 80 w.x.y.z 80 extendable
ip nat inside source static tcp a.b.c.100 443 w.x.y.z 443 extendable
ip nat inside source static tcp a.b.c.20 1433 w.x.y.z 1433 extendable
ip nat inside source static tcp a.b.c.100 1433 w.x.y.z 1450 extendable
ip nat inside source static tcp a.b.c.105 1433 w.x.y.z 1451 extendable
ip nat inside source static tcp a.b.c.20 1433 w.x.y.z 1488 extendable
ip nat inside source static tcp a.b.c.20 5001 w.x.y.z 5001 extendable
ip nat inside source static tcp a.b.c.15 5003 w.x.y.z 5003 extendable
ip nat inside source static tcp a.b.c.55 5011 w.x.y.z 5011 extendable
ip nat inside source static tcp a.b.c.50 5014 w.x.y.z 5014 extendable
ip nat inside source static tcp a.b.c.105 3389 w.x.y.z 5101 extendable
ip nat inside source static tcp a.b.c.100 3389 w.x.y.z 5102 extendable
ip nat inside source static tcp a.b.c.25 7777 w.x.y.z 7777 extendable
ip nat inside source static tcp a.b.c.105 8081 w.x.y.z 8081 extendable
ip nat inside source static tcp a.b.c.105 8087 w.x.y.z 8087 extendable
ip nat inside source static tcp a.b.c.55 8088 w.x.y.z 8088 extendable
ip route 0.0.0.0 0.0.0.0 w.x.y.g 10
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit a.b.c.0 0.0.0.255
access-list 10 permit 192.168.2.113
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit a.b.c.0 0.0.0.255
access-list 15 permit a.b.c.0 0.0.0.255
!
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 1.pool.ntp.org
ntp server 0.pool.ntp.org
!
end

2 Replies

Hi,

For your internal access from your internal server, you are supposed to use the real address with the service port number, not the mapped address (NAT address).

If you look at the IP NAT translation on your router, your inside local & inside global and outside local & outside global:

For any translation for your internal server via PAT IP address with port number,

inside global, outside local & outside local will be the same as your router public IP address / WAN IP address, with a difference in port number. All traffic will be sourced and destined for the same IP address, so it won't work.

HTH

Sandy
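As an added illustration (not code from either poster), this Python model parses the static NAT lines from the posted config and walks a packet through the classic inside/outside NAT domains, showing why an outside client reaches a.b.c.100 while a Vlan1 client hitting w.x.y.z lands on the router itself, which is the behaviour Sandy describes. The NAT table below is a constructed subset of the config, and the "server"/"router" outcome labels are the model's own.

```python
import re
from collections import defaultdict

# Static NAT lines copied from the posted config (w.x.y.z is the redacted WAN address).
POSTED_NAT = """
ip nat inside source static tcp a.b.c.15 21 w.x.y.z 21 extendable
ip nat inside source static tcp a.b.c.100 80 w.x.y.z 80 extendable
ip nat inside source static tcp a.b.c.100 443 w.x.y.z 443 extendable
ip nat inside source static tcp a.b.c.20 1433 w.x.y.z 1433 extendable
ip nat inside source static tcp a.b.c.20 1433 w.x.y.z 1488 extendable
ip nat inside source static tcp a.b.c.105 3389 w.x.y.z 5101 extendable
"""
ROUTER_OWN_IPS = {"w.x.y.z", "a.b.c.1"}  # Gi0/1 and Vlan1 addresses from the config

STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def parse_static_nat(text):
    """(proto, inside_local_ip, port, inside_global_ip, port) for each static entry."""
    out = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, lip, lport, gip, gport = m.groups()
            out.append((proto, lip, int(lport), gip, int(gport)))
    return out

def global_ports_by_service(entries):
    """Map each inside (proto, ip, port) to every WAN port it is published on."""
    ports = defaultdict(list)
    for proto, lip, lport, _gip, gport in entries:
        ports[(proto, lip, lport)].append(gport)
    return dict(ports)

def deliver(entries, arrival_domain, dst_ip, dst_port, proto="tcp"):
    """Classic IOS NAT (ip nat inside/outside): the inside-global -> inside-local
    rewrite of a static entry is applied to packets entering on a NAT *outside*
    interface. A packet from a Vlan1 host to w.x.y.z enters on an *inside*
    interface, so no entry is consulted; the address belongs to the router, so
    the router itself answers (the IOS web interface the question saw)."""
    if arrival_domain == "outside":
        for p, lip, lport, gip, gport in entries:
            if p == proto and (gip, gport) == (dst_ip, dst_port):
                return ("server", lip, lport)
    if dst_ip in ROUTER_OWN_IPS:
        return ("router", dst_ip, dst_port)
    return ("routed-unchanged", dst_ip, dst_port)

if __name__ == "__main__":
    table = parse_static_nat(POSTED_NAT)
    print(deliver(table, "outside", "w.x.y.z", 80))  # ('server', 'a.b.c.100', 80)
    print(deliver(table, "inside", "w.x.y.z", 80))   # ('router', 'w.x.y.z', 80)
    print(global_ports_by_service(table)[("tcp", "a.b.c.20", 1433)])  # [1433, 1488]
```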

Sorry, I'm not certain I understand.

Is it that since I have NAT rules created, I cannot do this (as the source and destination are the same)? Or is my NAT incorrect and I should be using PAT rules to create inbound routes? Or PAT rules that would allow me to do this?
