
Problems outbound traffic to my public services with port forwarding/NAT


Hi all,

I have a common scenario, with a router 881, which "protects" a LAN with NAT. I have some published services on my outside NAT interface. One of them is the web server of my company.

Everything is working properly except access from my inside LAN to my company's web page.

We have public DNS, which answers requests for my web page with my public IP, as it should. So, when my users use their browser, they try to access my web server from inside via my public IP, which forwards the request to my inside server.

I think Cisco is blocking access to my public IP from my inside LAN correctly, but is there any way to allow access to my public services on my public IP for my LAN users? I suppose it is being blocked for security reasons (spoofing and stuff like that).

This is my configuration:

interface FastEthernet4
ip address "public_ip"
ip nat outside

interface Vlan1
ip address
ip nat inside

ip nat inside source list 150 interface FastEthernet4 overload

ip nat inside source static tcp 80 interface FastEthernet4 80

access-list 150 permit ip any

Could anyone give me a clue?

Thanks in advance


Edit : Missed understanding


Florin Barhala
Frequent Contributor

Hi mate,

The router behaves normally; you just need to create a local DNS zone so inside users will be "directed" to the internal IP instead of the external IP.


     5-point. Seems I did read the topic clearly.


    If you have no internal DNS, this would be a problem to access internal servers with public IP addresses.



Hi, thanks for your answers.

I have an internal DNS, but if I can access my web server on my public IP instead of my internal IP, whenever I have problems in my frontend devices (router, firewall, Telco line, etc.) I realize it quickly.

Regarding Toshi's comment:


   Seems you've got a Static Public IP Address from ISP.   Please try this for testing.

Router(conf)#no ip nat inside source static tcp 80 interface FastEthernet4 80
Router(conf)#ip nat inside source static tcp 80 *public_ip* 80

   If it doesn't work, please post the output of "show ip nat translations | include".

I have tried that solution, and it seems to be working fine.

Thanks a lot,

Best regards,


Ramon flores

I have the same problem, and the previous recommendation did not work. From the outside it works fine, but internal users fail to connect.

#sho ip nat translations tcp | in

tcp PUBLIC_IP:8080

tcp PUBLIC_IP:8080

tcp PUBLIC_IP:8080

tcp PUBLIC_IP:8080      ---                   ---

I would appreciate any recommendations, thanks


If you've got an external DNS with records for your inside server pointing to the public IP, then by default the router performs DNS doctoring; that is to say, inside users can access the inside server by using the FQDN corresponding to the external IP, and the router will change the DNS reply from the external server to the private IP address of the server.



Don't forget to rate helpful posts.

Unfortunately I don't have an ASA / PIX; the router is a Cisco 851. Is DNS doctoring possible?

Thanks for answering


Yes it should.

Taken from

Q. Does Cisco IOS NAT support Domain Name System (DNS) queries?

A. Yes. Cisco IOS NAT will translate the addresses that appear in DNS responses to name lookups (A queries) and inverse lookups (PTR queries). Thus, if an outside host sends a name lookup to a DNS server on the inside, and that server responds with a local address, the NAT code will translate that local address to a global address. The opposite is also true. This is how Cisco supports IP addresses overlapping: an inside host queries an outside DNS server; the response contains an address that matches the access list specified on the "outside source" command, so the code translates the outside global address to an outside local address.
Don't forget to rate helpful posts.