NAT on a Stick

pmcallion · ‎01-15-2007

First an apology as I think this has been covered a few times. However I am having trouble getting it to work for me.

I wish to allow an internal subnet access to a webserver using it's FQDN (Public IP).

The webserver is pinholed through NAT.

All the posts I can find point to the Cisco NAT on a Stick examples.

I can access the webserver via the private IP but need to access the webserver via the public IP.

I don't want to setup a hosts file on each machine or create an internal dns zone to support the clients.

Please could somebody point me in the right direction of a working config.

Internal Subnet: 192.168.0.0/24

IP of Webserver: 192.168.0.10

Public IP: xxx.xxx.xxx.123

Current NAT line: ip nat inside source static tcp 192.168.0.10 80 xxx.xxx.xxx.123 80 extendable

Thanks in advance

dgahm · ‎01-15-2007

Paul,

The easiest way to make this work is to route the public IP server packets to your ISP who will send them back. Then your normal NAT will work.

Is the .123 server address part of the subnet on your external interface? If not, this should be easy. If it is you will need policy based routing to set the next hop address of the ISP router.

Can you post your config?

NAT on a stick uses policy based routing to send packets to a loopback interface that is set as NAT outside. It has the disadvantage of always using process switching.

Dave

pmcallion · ‎01-16-2007

Hi,

Please find attached an edited config,

The .123 is my public IP (not acutally the IP)assinged by my ISP.

.122 is my ADSL modem attached via ethernet

Hope this helps,

Please contact me for me info if needed.

Thanks Again

royalblues · ‎01-16-2007

I see a crypto map applied to the outside interface.

Can you try removing this?

Narayan

pmcallion · ‎01-16-2007

Hi,

The config is edited & forgot to remove that line, please ingore it.

dgahm · ‎01-16-2007

Are you sure that the DNS/LM host solution can't be used?

You are using a single address for both the outside interface and the global NAT address for dynamic and static NAT. With this setup I don't think you will ever get PBR and/or NAT on a stick to work. The only NAT on a stick example I could find was for a totally different scenario.

Here is an example of someone accomplishing what you want to do, but they are using separate addresses for the server NAT and dynamic NAT that are not part of the connected subnet.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Getting%20Started%20with%20LANs&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddd19d2/3#selected_message

Good Luck, Dave

pmcallion · ‎01-17-2007

Hi Dave,

Thanks again for your response.

Unfortunatly the DNS/LM work around doesn't work well as the devices cache the internal IP of the webserver, so when the devices are removed from the company LAN and connect to a 3rd party connection/roaming they fail to connect.

Explaing to the users they have to reboot the devices when they arrive/leave the office is. a solution but I know they'll say "We didn't have to reboot before the new router was installed!!!!"

Trying to explain to our client why their old $100 router will do the trick and a Cisco won't is a task in itself!!!

I appreciate this type of configuration is odd but after doing lots of digging I'm not the only person with this problem, however nobody seems to have a solution.

I'll keep plodding and post if I find anything.

Regards

dennylester · ‎01-20-2007

If you setup an internal DNS server couldn't you set the TTL to some ridculously low number so by the time the client made it to a remote location the cached entry would have expired and require another DNS lookup?

Denny