cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
1664
Views
5
Helpful
8
Replies

Problems outbound traffic to my public services with port forwarding/NAT

jorolas2011
Level 1
Level 1

Hi all,

I have a common escenario, with a router 881, which "protects" a LAN with NAT. I have some published services in my outside nat interface. One of them is the web server of my company.

Everything is working properly, but access from my inside lan to my company's web page.

We have public DNS, which answers request for my web page with my public IP, as should be. So, when my users use their browser, they try to access my web server from inside to my public IP, which forwards the request to my inside server.

I think Cisco is blocking access to my public IP from my inside lan correctly, but is there any way to allow access to my public services in my public IP for my Lan users? I suppose for security reasons (spoofing and stuff like that) is being blocked.

This is my configuration:

interface FastEthernet4
ip address "public_ip" 255.255.255.248
ip nat outside


interface Vlan1
ip address 192.168.30.1 255.255.255.0
ip nat inside

ip nat inside source list 150 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.30.10 80 interface FastEthernet4 80

access-list 150 permit ip 192.168.10.0 0.0.0.255 any

Could anyone give me a clue?

Thanks in advance

8 Replies 8

Edit : Missed understanding

Toshi

Florin Barhala
Level 6
Level 6

Hi mate,

Router behaves normal; you just need to create a local DNS zone so inside users will be "directed" to internal IP instead of external IP.

Florin,

     5-point. Seems I did read the topic clearly.

Jorge,

    If you have no internal DNS, this would be a problem to access internal servers with public IP addresses.

Toshi

jorolas2011
Level 1
Level 1

Hi, thanks for your answers.

I have an internal DNS, but if I can access my web server on my public IP instead my internal IP, whenever I have problems in my frontend devices (router, firewall, Telco line, etc) I do realize quickly.

Regarding Toshi comment:

"

Hi,
   Seems you've got a Static Public IP Address from ISP.   Please try this for testing.

Router(conf)#no ip nat inside source static tcp 192.168.30.10 80 interface FastEthernet4 80
Router(conf)#ip nat inside source static tcp 192.168.30.10 80 *public_ip* 80

   If it doesn't work,please post the output of "show ip nat transalation | include 192.168.30.10".
Toshi"

I have tried that solution, and seems it is working fine.

Thank a lot,

Best regards,

Jorge

Ramon flores
Level 1
Level 1

I have the same problem with the previous recommendation did not work. From the outside works fine but internal users fail to connect.

#sho ip nat translations tcp | in 192.168.1.9

tcp PUBLIC_IP:8080   192.168.1.9:8080      202.30.130.74:57441   202.30.130.74:57441

tcp PUBLIC_IP:8080   192.168.1.9:8080      202.30.130.74:57443   202.30.130.74:57443

tcp PUBLIC_IP:8080   192.168.1.9:8080      202.30.130.74:57444   202.30.130.74:57444

tcp PUBLIC_IP:8080   192.168.1.9:8080      ---                   ---

I would appreciate any recommendations, thanks

Hi,

if you've got an external DNS with records for your inside server pointing to public IP then by default the router performs DNS doctoring, that is to say that inside users can access the inside server by using the fqdn corresponding to external IP and the router will change the DNS reply from external server to private IP address of the server.

Regards.

Alain.

Don't forget to rate helpful posts.

Unfortunately I dont have an ASA / PIX, the router is a cisco 851, dns doctoring is possible?

Thanks for answering

Hi,

Yes it should.

Taken from http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6640/prod_qas0900aecd801ba55a.html

Q. Does Cisco IOS NAT support Domain Name System (DNS) queries?

A. Yes. Cisco IOS NAT will translate the addresses that appear in DNS  responses to name lookups (A queries) and inverse lookups (PTR queries).  Thus, if an outside host sends a name lookup to a DNS server on the  inside, and that server responds with a local address, the NAT code will  translate that local address to a global address. The opposite is also  true. This is how Cisco supports IP addresses overlapping: an inside  host queries an outside DNS server; the response contains an address  that matches the access list specified on the "outside source" command,  so the code translates the outside global address to an outside local  address.
Regards.
Alain
Don't forget to rate helpful posts.
Review Cisco Networking for a $25 gift card