Public to Private NAT translation

kicken188
Level 1

Hello, this is probably an easy question but I'm stuck. (All IP addresses are fake.)

External Block: 70.10.20.0/24

Internal Block: 192.168.10.0/24

I have a server with 192.168.10.50, and everyone in the network, servers and desktops, can access this server. On the router I give it a NAT translation

ip nat inside source static 192.168.10.50 70.10.20.50 extendable

so the outside world can access it, and they can, and all seems to work fine. However, if I am on the private range, I cannot access it using the public IP address. Now, this isn't a major problem, however I cannot solve it, so it does expose a lack in my knowledge.

Here are some other bits of info that might be useful:

ip nat pool ionic-pool 85.159.85.2 85.159.85.2 netmask 255.255.255.128
ip nat inside source list 10 pool ionic-pool overload

access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.11.0 0.0.0.255
access-list 10 permit 192.168.12.0 0.0.0.255
access-list 10 permit 192.168.200.0 0.0.0.255

interface GigabitEthernet0/1.5
description Public Range
encapsulation dot1Q 70
ip address 70.10.20.2 255.255.255.0
ip access-group 101 out
ip nat outside
no ip mroute-cache
standby ip 70.10.20.1
standby priority 120
standby preempt

interface GigabitEthernet0/3.2
description Private Range
encapsulation dot1Q 10 native
ip address 192.168.10.2 255.255.255.0
ip access-group OfficeWebTraffic in
ip nat inside
standby 1 ip 192.168.10.1
standby 1 priority 110
standby 1 preempt
!

Thanks

2 Replies

Peter Paluch
Cisco Employee

Hi,

You are actually not supposed to contact your internal server from your internal network by its public IP address. Watch the sequence of steps that happens:

  1. You send a packet to the public IP of your server, sourced from your own internal network.
  2. By virtue of classic IP routing, this packet's destination is outside your network, so it will be sent out through the NAT box
  3. The NAT box notes that this packet is coming from inside to outside, so it rewrites its source IP address, not its destination, and sends it to internet, instead of rerouting it back to your own network

Note that even if the NAT box actually rerouted the packet back, it would create an unnecessary extra hop for all packets between you and the server because the communication would have to go through the NAT box instead of flowing directly.

Best regards,

Peter
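A small model of the order of operations described above, added here as an example and not part of the thread or the OP's configuration. It assumes 192.168.11.0/24 (permitted by access-list 10) is a second inside VLAN behind the router and uses 203.0.113.9 as a constructed external client.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the router in the thread; addresses as in the post.
INSIDE_NETS = [ip_network("192.168.10.0/24"),    # Gi0/3.2, ip nat inside
               ip_network("192.168.11.0/24")]    # assumed second inside VLAN
OUTSIDE_NET = ip_network("70.10.20.0/24")        # Gi0/1.5, ip nat outside
INSIDE_LOCAL = ip_address("192.168.10.50")       # ip nat inside source static
INSIDE_GLOBAL = ip_address("70.10.20.50")
PAT_POOL = ip_address("85.159.85.2")             # ionic-pool, overload

def is_inside(addr):
    return any(addr in net for net in INSIDE_NETS)

def egress_interface(dst):
    """Classic IP routing: choose the exit by destination prefix only."""
    return "inside" if is_inside(dst) else "outside"   # else: default route

def nat_forward(ingress, src, dst):
    """Apply IOS inside-source NAT order of operations to one packet.

    inside -> outside: route first, then rewrite the SOURCE only.
    outside -> inside: rewrite the DESTINATION first, then route.
    Returns (egress_interface, src_after, dst_after) as strings.
    """
    src, dst = ip_address(src), ip_address(dst)
    if ingress == "outside":
        if dst == INSIDE_GLOBAL:
            dst = INSIDE_LOCAL                   # static entry, reverse direction
        return egress_interface(dst), str(src), str(dst)
    out = egress_interface(dst)
    if out == "outside":                         # inside -> outside direction
        if src == INSIDE_LOCAL:
            src = INSIDE_GLOBAL                  # static translation
        elif is_inside(src):                     # access-list 10 match
            src = PAT_POOL                       # overloaded pool address
    # inside -> inside: never crosses the NAT boundary, nothing is rewritten
    return out, str(src), str(dst)

if __name__ == "__main__":
    # Internal host talking to the public IP: leaves via the outside interface
    # with its source rewritten; the destination is never mapped back.
    print(nat_forward("inside", "192.168.11.60", "70.10.20.50"))
    # External client: destination mapped to the server, then routed inside.
    print(nat_forward("outside", "203.0.113.9", "70.10.20.50"))
    # Internal host using the internal IP: plain routing, no translation.
    print(nat_forward("inside", "192.168.11.60", "192.168.10.50"))
```

The first case is the one from the question: the router's only NAT action on an inside-sourced packet to 70.10.20.50 is to rewrite the source, so the server never sees it.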

Thank you for your reply, I had a feeling this was what the end answer would be. So essentially, everyone internally uses the internal IP (or even a name pointing to that) and everyone externally uses the external (or DNS entry), and internal will never use external. That's good enough for me, I just thought I was missing something completely.

Thanks for your time
