07-07-2014 07:04 AM - edited 03-07-2019 07:57 PM
Hello,
We recently purchased a Cisco 2911 router with an expansion card with 8 ports (VLan1) for our web server (have 6 servers in the cabinet).
We were able to configure the 2911 with the ability for VLan1 to access the internet through GigabitEthernet0/1 and the outside world to access our servers from GigabitEthernet0/1 -> Vlan1 (with all relevant port forwarding)
However, our internal servers cannot access themselves via the external IP address. Hitting the external IP address still showed the IOS web interface (which we've since disabled on port 80, thinking that might be a problem).
We need the internal servers to be able to reference themselves via the external IP address (or have NAT rules for the internal traffic on the external port?)
Any reference to the 2.x or 1.x networks can be ignored - it is our local office network and doesn't reflect the current location
Thanks in advance,
Trevor Watson
The following is our config.
Building configuration...
Current configuration : 6053 bytes
!
! Last configuration change at 16:42:31 EDT Sat Jul 5 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname SMS-ROUTER
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 ----
!
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
!
ip cef
!
!
!
!
!
!
ip domain name smsgateway.ca
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-----
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-----
revocation-check none
rsakeypair TP-self-signed-----
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-----
certificate self-signed 01
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO2911/K9 sn ----
!
!
username admin privilege 15 secret 4 -----
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-WAN$
ip address 192.168.2.201 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ETH-EXTERNAL$$ETH-WAN$
ip address w.x.y.z 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
description SMS-DATA$ETH-LAN$
no ip address
!
interface GigabitEthernet0/1/1
description SMS-WEB$ETH-LAN$
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface GigabitEthernet0/1/4
no ip address
!
interface GigabitEthernet0/1/5
no ip address
!
interface GigabitEthernet0/1/6
no ip address
!
interface GigabitEthernet0/1/7
no ip address
!
interface Vlan1
ip address a.b.c.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source static tcp a.b.c.15 21 w.x.y.z 21 extendable
ip nat inside source static tcp a.b.c.100 80 w.x.y.z 80 extendable
ip nat inside source static tcp a.b.c.100 443 w.x.y.z 443 extendable
ip nat inside source static tcp a.b.c.20 1433 w.x.y.z 1433 extendable
ip nat inside source static tcp a.b.c.100 1433 w.x.y.z 1450 extendable
ip nat inside source static tcp a.b.c.105 1433 w.x.y.z 1451 extendable
ip nat inside source static tcp a.b.c.20 1433 w.x.y.z 1488 extendable
ip nat inside source static tcp a.b.c.20 5001 w.x.y.z 5001 extendable
ip nat inside source static tcp a.b.c.15 5003 w.x.y.z 5003 extendable
ip nat inside source static tcp a.b.c.55 5011 w.x.y.z 5011 extendable
ip nat inside source static tcp a.b.c.50 5014 w.x.y.z 5014 extendable
ip nat inside source static tcp a.b.c.105 3389 w.x.y.z 5101 extendable
ip nat inside source static tcp a.b.c.100 3389 w.x.y.z 5102 extendable
ip nat inside source static tcp a.b.c.25 7777 w.x.y.z 7777 extendable
ip nat inside source static tcp a.b.c.105 8081 w.x.y.z 8081 extendable
ip nat inside source static tcp a.b.c.105 8087 w.x.y.z 8087 extendable
ip nat inside source static tcp a.b.c.55 8088 w.x.y.z 8088 extendable
ip route 0.0.0.0 0.0.0.0 w.x.y.g 10
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit a.b.c.0 0.0.0.255
access-list 10 permit 192.168.2.113
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit a.b.c.0 0.0.0.255
access-list 15 permit a.b.c.0 0.0.0.255
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 1.pool.ntp.org
ntp server 0.pool.ntp.org
!
end
07-07-2014 07:17 AM
Hi,
For internal access from your internal server, you are supposed to use the real address with the service port number, not the mapped (NAT) address.
If you look at the IP NAT translations on your router, you will see inside local & inside global and outside local & outside global.
For any translation for your internal server via the PAT IP address with port number,
inside global, outside local & outside global will be the same as your router's public IP address / WAN IP address, differing only in port number. All traffic will be sourced from and destined to the same IP address, so it won't work.
HTH
Sandy
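A small model of the behaviour Sandy describes, added here as an example and not taken from the thread or from Cisco: it applies the IOS order of operations (inside-to-outside traffic is routed before NAT, outside-to-inside traffic is translated before routing) to a few of the static entries from the posted config. Placeholders a.b.c.x / w.x.y.z are kept from the config; the outside client address 203.0.113.5 is constructed for the example.

```python
# Subset of the posted "ip nat inside source static tcp ..." entries:
# (inside global address, global port) -> (inside local address, local port).
STATIC_NAT = {
    ("w.x.y.z", 80): ("a.b.c.100", 80),
    ("w.x.y.z", 443): ("a.b.c.100", 443),
    ("w.x.y.z", 5101): ("a.b.c.105", 3389),
}

# Addresses owned by the router itself (Gi0/1 WAN address and the Vlan1 gateway).
ROUTER_ADDRESSES = {"w.x.y.z": "GigabitEthernet0/1", "a.b.c.1": "Vlan1"}


def route(dst):
    """Minimal routing table: a.b.c.0/24 is connected on Vlan1,
    everything else follows the default route out GigabitEthernet0/1."""
    if dst in ROUTER_ADDRESSES:
        return "local"  # destined to the router's own stack (HTTP server, vty, ...)
    if dst.startswith("a.b.c."):
        return "Vlan1"
    return "GigabitEthernet0/1"


def forward(dst, dport, ingress):
    """Return (egress, destination, port) for a TCP SYN entering on `ingress`."""
    if ingress == "GigabitEthernet0/1":
        # Outside -> inside: NAT runs BEFORE routing, so a SYN to the WAN
        # address on a mapped port is rewritten to the inside local host.
        dst, dport = STATIC_NAT.get((dst, dport), (dst, dport))
        return route(dst), dst, dport
    # Inside -> outside: routing runs FIRST. A Vlan1 host sending to w.x.y.z
    # hits one of the router's own addresses, so the SYN is delivered to the
    # router (the IOS web interface the poster saw on port 80) and the static
    # entry is never consulted: inside global, outside local and outside
    # global would all be the same WAN address, as Sandy explains.
    egress = route(dst)
    if egress == "local":
        return "local", dst, dport
    # Genuine outbound traffic goes on to ACL 2 + overload PAT on Gi0/1;
    # traffic to another Vlan1 host stays on Vlan1 (the real-address approach).
    return egress, dst, dport


if __name__ == "__main__":
    print(forward("w.x.y.z", 80, "GigabitEthernet0/1"))  # reaches a.b.c.100:80
    print(forward("w.x.y.z", 80, "Vlan1"))              # stops at the router
    print(forward("a.b.c.100", 80, "Vlan1"))            # real address works
```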
07-08-2014 11:41 AM
Sorry, I'm not certain I understand.
Is it that since I have NAT rules created, I cannot do this (as the source and destination are the same)? Or is my NAT incorrect and I should be using PAT rules to create inbound routes, or PAT rules that would allow me to do this?