Problems outbound traffic to my public services with port forwarding/NAT

jorolas2011
Level 1

Hi all,

I have a common scenario, with a router 881, which "protects" a LAN with NAT. I have some published services on my outside NAT interface. One of them is the web server of my company.

Everything is working properly, except access from my inside LAN to my company's web page.

We have public DNS, which answers requests for my web page with my public IP, as it should. So, when my users use their browser, they try to access my web server from inside via my public IP, which forwards the request to my inside server.

I think Cisco is blocking access to my public IP from my inside LAN correctly, but is there any way to allow access to my public services on my public IP for my LAN users? I suppose it is being blocked for security reasons (spoofing and stuff like that).

This is my configuration:

interface FastEthernet4
ip address "public_ip" 255.255.255.248
ip nat outside


interface Vlan1
ip address 192.168.30.1 255.255.255.0
ip nat inside

ip nat inside source list 150 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.30.10 80 interface FastEthernet4 80

access-list 150 permit ip 192.168.10.0 0.0.0.255 any

Could anyone give me a clue?

Thanks in advance

8 Replies

Edit: Misunderstanding

Toshi

Florin Barhala
Level 6

Hi mate,

The router behaves normally; you just need to create a local DNS zone so inside users will be "directed" to the internal IP instead of the external IP.

Florin,

5-point. Seems I did read the topic clearly.

Jorge,

If you have no internal DNS, this would be a problem to access internal servers with public IP addresses.

Toshi

jorolas2011
Level 1

Hi, thanks for your answers.

I have an internal DNS, but if I can access my web server on my public IP instead of my internal IP, whenever I have problems in my frontend devices (router, firewall, telco line, etc.) I realize it quickly.

Regarding Toshi's comment:

"

Hi,
   Seems you've got a static public IP address from the ISP. Please try this for testing.

Router(conf)#no ip nat inside source static tcp 192.168.30.10 80 interface FastEthernet4 80
Router(conf)#ip nat inside source static tcp 192.168.30.10 80 *public_ip* 80

   If it doesn't work, please post the output of "show ip nat translations | include 192.168.30.10".
Toshi"

I have tried that solution, and it seems to be working fine.

Thanks a lot,

Best regards,

Jorge

Ramon flores
Level 1

I have the same problem; the previous recommendation did not work. From the outside it works fine, but internal users fail to connect.

#sho ip nat translations tcp | in 192.168.1.9

tcp PUBLIC_IP:8080   192.168.1.9:8080      202.30.130.74:57441   202.30.130.74:57441

tcp PUBLIC_IP:8080   192.168.1.9:8080      202.30.130.74:57443   202.30.130.74:57443

tcp PUBLIC_IP:8080   192.168.1.9:8080      202.30.130.74:57444   202.30.130.74:57444

tcp PUBLIC_IP:8080   192.168.1.9:8080      ---                   ---

I would appreciate any recommendations, thanks
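A small parser for the "show ip nat translations" output quoted above, added here as an example (it is not from the thread or from Cisco). It separates the static mapping from live sessions and reports whether any session was opened by a host on the inside LAN, which is what a working hairpin through the public IP would leave in the table; in the quoted output every session comes from an Internet client, matching the symptom that inside users never get a translation. The inside subnet 192.168.1.0/24 is inferred from the server address and is an assumption, and the sample rows are constructed from the post (PUBLIC_IP is the poster's placeholder).

```python
import ipaddress
from collections import Counter

# Constructed sample, modelled on the translation table quoted in the thread.
SAMPLE = """\
Pro Inside global      Inside local       Outside local         Outside global
tcp PUBLIC_IP:8080   192.168.1.9:8080      202.30.130.74:57441   202.30.130.74:57441
tcp PUBLIC_IP:8080   192.168.1.9:8080      202.30.130.74:57443   202.30.130.74:57443
tcp PUBLIC_IP:8080   192.168.1.9:8080      202.30.130.74:57444   202.30.130.74:57444
tcp PUBLIC_IP:8080   192.168.1.9:8080      ---                   ---
"""

# Assumed inside LAN (the server 192.168.1.9 lives here).
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")


def parse_translations(text):
    """Return (proto, inside_global, inside_local, outside_local, outside_global) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("tcp", "udp", "icmp", "---"):
            rows.append(tuple(parts))
    return rows


def host_of(endpoint):
    """'192.168.1.9:8080' -> IPv4Address; '---' or a placeholder name -> None."""
    if endpoint == "---":
        return None
    host, _, _ = endpoint.rpartition(":")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def classify(row, inside_net=INSIDE_NET):
    """Label one row: the static mapping, an inside-origin (hairpin) session, or an Internet client."""
    _, _, _, _, outside_global = row
    peer = host_of(outside_global)
    if peer is None:
        return "static"           # the static entry itself, no live session
    if peer in inside_net:
        return "inside_origin"    # an inside host reached the server via the public IP
    return "inbound"              # a genuine outside client


def summarize(text, inside_net=INSIDE_NET):
    """Count rows per label; no 'inside_origin' key means no hairpin session exists."""
    return dict(Counter(classify(r, inside_net) for r in parse_translations(text)))


if __name__ == "__main__":
    print(summarize(SAMPLE))  # {'inbound': 3, 'static': 1}
```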

Hi,

If you've got an external DNS with records for your inside server pointing to the public IP, then by default the router performs DNS doctoring. That is to say, inside users can access the inside server by using the FQDN corresponding to the external IP, and the router will change the DNS reply from the external server to the private IP address of the server.

Regards.

Alain.

Don't forget to rate helpful posts.

Unfortunately I don't have an ASA / PIX; the router is a Cisco 851. Is DNS doctoring possible?

Thanks for answering

Hi,

Yes it should.

Taken from http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6640/prod_qas0900aecd801ba55a.html

Q. Does Cisco IOS NAT support Domain Name System (DNS) queries?

A. Yes. Cisco IOS NAT will translate the addresses that appear in DNS responses to name lookups (A queries) and inverse lookups (PTR queries). Thus, if an outside host sends a name lookup to a DNS server on the inside, and that server responds with a local address, the NAT code will translate that local address to a global address. The opposite is also true. This is how Cisco supports IP addresses overlapping: an inside host queries an outside DNS server; the response contains an address that matches the access list specified on the "outside source" command, so the code translates the outside global address to an outside local address.
Regards.
Alain
Don't forget to rate helpful posts.