01-15-2007 09:41 AM - edited 03-05-2019 01:47 PM
First, an apology, as I think this has been covered a few times. However, I am having trouble getting it to work for me.
I wish to allow an internal subnet access to a webserver using its FQDN (Public IP).
The webserver is pinholed through NAT.
All the posts I can find point to the Cisco NAT on a Stick examples.
I can access the webserver via the private IP but need to access the webserver via the public IP.
I don't want to set up a hosts file on each machine or create an internal DNS zone to support the clients.
Please could somebody point me in the right direction of a working config.
Internal Subnet: 192.168.0.0/24
IP of Webserver: 192.168.0.10
Public IP: xxx.xxx.xxx.123
Current NAT line: ip nat inside source static tcp 192.168.0.10 80 xxx.xxx.xxx.123 80 extendable
Thanks in advance
01-15-2007 10:32 AM
Paul,
The easiest way to make this work is to route the public IP server packets to your ISP who will send them back. Then your normal NAT will work.
Is the .123 server address part of the subnet on your external interface? If not, this should be easy. If it is, you will need policy-based routing to set the next-hop address of the ISP router.
Can you post your config?
NAT on a stick uses policy-based routing to send packets to a loopback interface that is set as NAT outside. It has the disadvantage of always using process switching.
Dave
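The shape of the NAT-on-a-stick mechanism Dave describes (a loopback marked NAT outside, with policy-based routing on the LAN interface forcing the relevant traffic through it), written out as an added illustration; it is not a config posted in this thread and not a verified fix for Paul's setup. Interface names, the 10.255.255.0/30 loopback subnet and the 10.255.255.2 next hop are assumptions; xxx.xxx.xxx.123 is kept as Paul's placeholder for the public address.

```cisco
! Added illustration of the NAT-on-a-stick pattern, not a config from this thread.
! Assumptions: FastEthernet0/0 is the LAN, FastEthernet0/1 faces the ISP, and
! 10.255.255.0/30 is an unused private subnet reserved for the loopback.
!
interface Loopback0
 description NAT outside hairpin point (packets sent here are NAT-translated as if they came from the internet)
 ip address 10.255.255.1 255.255.255.252
 ip nat outside
!
interface FastEthernet0/0
 description LAN - inside
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip policy route-map HAIRPIN
!
interface FastEthernet0/1
 description ISP - outside
 ip nat outside
!
! Only LAN traffic aimed at the server's public address is policy-routed;
! everything else keeps its normal (CEF-switched) path.
ip access-list extended HAIRPIN-TO-PUBLIC
 permit tcp 192.168.0.0 0.0.0.255 host xxx.xxx.xxx.123 eq 80
!
! Next hop is an unused address inside the loopback subnet, so the packet is
! routed out Loopback0 (NAT outside), translated by the static entry below,
! and routed back in towards 192.168.0.10. This path is process switched.
route-map HAIRPIN permit 10
 match ip address HAIRPIN-TO-PUBLIC
 set ip next-hop 10.255.255.2
!
ip nat inside source static tcp 192.168.0.10 80 xxx.xxx.xxx.123 80 extendable
```

Note that this fragment only translates the destination: the client's source address is left as 192.168.0.x, so the server's reply goes straight back across the LAN rather than through the router, and the client sees it arrive from 192.168.0.10 instead of the public address it connected to. Translating the source as well is where the separate-address requirement Dave raises comes in, and this fragment does not attempt it.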
01-16-2007 03:55 AM
01-16-2007 08:43 AM
I see a crypto map applied to the outside interface.
Can you try removing this?
Narayan
01-16-2007 11:17 AM
Hi,
The config is edited and I forgot to remove that line, please ignore it.
01-16-2007 03:56 PM
Are you sure that the DNS/LM host solution can't be used?
You are using a single address for both the outside interface and the global NAT address for dynamic and static NAT. With this setup I don't think you will ever get PBR and/or NAT on a stick to work. The only NAT on a stick example I could find was for a totally different scenario.
Here is an example of someone accomplishing what you want to do, but they are using separate addresses for the server NAT and dynamic NAT that are not part of the connected subnet.
Good Luck, Dave
01-17-2007 06:09 AM
Hi Dave,
Thanks again for your response.
Unfortunately the DNS/LM workaround doesn't work well, as the devices cache the internal IP of the webserver, so when the devices are removed from the company LAN and connect to a 3rd-party connection/roaming they fail to connect.
Explaining to the users that they have to reboot the devices when they arrive/leave the office is a solution, but I know they'll say "We didn't have to reboot before the new router was installed!!!!"
Trying to explain to our client why their old $100 router will do the trick and a Cisco won't is a task in itself!!!
I appreciate this type of configuration is odd but after doing lots of digging I'm not the only person with this problem, however nobody seems to have a solution.
I'll keep plodding and post if I find anything.
Regards
01-20-2007 09:45 AM
If you set up an internal DNS server, couldn't you set the TTL to some ridiculously low number so that by the time the client made it to a remote location the cached entry would have expired and require another DNS lookup?
Denny