
Redirect for Port 80

Rob Cluett
Level 1

Those accessing my router from the WAN (GigabitEthernet0/0) over port 80 are redirected to a reverse-proxy (10.10.10.10) hosted internally on the DMZ. This works fine and clients are able to access the web server the reverse-proxy is pointing to.

ip nat inside source static tcp 10.10.10.10 80 interface GigabitEthernet0/0 80

However, those inside the network and accessing the same domain cannot get there. Is there a means to accomplish this for internal users with the router or must this be handled by an application internally (proxy or DNS for example)?

diagram.jpg

ALIAOF_
Level 6

How are people getting to it from the outside, by the IP address? If that is the case, I'm assuming people inside are also trying to get to it by typing 10.10.10.10 in their web browser? A little network diagram would be helpful.

Externally the domain name is resolving to my WAN IP on Gi0/0. The outbound http request somehow needs to be inspected for a URL match. If the URL matches then it needs to be forwarded directly to the 10.10.10.10 proxy for forwarding to the correct web server. I seem to think I'll need an internal transparent proxy to make that decision and have to forward all internal http requests there first before they are sent to the WAN or directly to the DMZ without going off-net.

I'll attach a diagram to the original post. You could just consider it being a WAN interface and two VLANs. One for the DMZ 10.10.10.0 and another for the user LAN 192.168.1.0.

How about just adding a DNS entry in your internal DNS server for that domain. So if the name is, let's say, "web1", when users type "web1" in their browser your internal DNS server points the browser to 10.10.10.10.

I seem to think that is the quickest solution too. Transparent proxy would be better served for a larger scale deployment. Just added the host using "ip host somedomain.com 10.10.10.10" since the router is acting as the DNS server/forwarder for internal clients. ping = happy and browser = happy. All is good. Thanks for your input.

C:\Users\Null>ping somedomain.com

Pinging robcluett.com [10.10.10.10] with 32 bytes of data:
Reply from 10.10.10.10: bytes=32 time=1ms TTL=63
Reply from 10.10.10.10: bytes=32 time=3ms TTL=63
Reply from 10.10.10.10: bytes=32 time=1ms TTL=63
Reply from 10.10.10.10: bytes=32 time=1ms TTL=63

Ping statistics for 10.10.10.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 1ms

Cool, thank you for the update. Glad that solution worked.
