Hosting your own domain behind cisco 831 router

 
 
Clan Yeti
 
      01-09-2005
Hello all,

I have been struggling with this problem and could use some help. I
have registered a domain and would like to host it myself using only
what I have now: a cisco 831 router, one static IP from my ISP, ADSL
connection, one DNS server. My dialer interface is configed with the
static IP, and my internal network is NATed behind it. I have done a
little research, finding that the best solution is to either do a
split-dns, or set up a DMZ. Both require me to have a second IP and DNS
server, which is not very feasible at this time. Any suggestions to
help this work would be great and highly appreciated.

Dave

 
 
 
 
 
Barry Margolin
 
      01-09-2005
"Clan Yeti" wrote:

> Hello all,
>
> I have been struggling with this problem and could use some help. I
> have registered a domain and would like to host it myself using only
> what I have now: a cisco 831 router, one static IP from my ISP, ADSL
> connection, one DNS server. My dialer interface is configed with the
> static IP, and my internal network is NATed behind it. I have done a
> little research, finding that the best solution is to either do a
> split-dns, or set up a DMZ. Both require me to have a second IP and DNS
> server, which is not very feasible at this time. Any suggestions to
> help this work would be great and highly appreciated.


You don't need a second server to do split DNS. Just use the "views"
feature of BIND 9.x to host different versions of your zone depending on
whether the query is coming from your private network or the Internet.

--
Barry Margolin,
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
 
 
 
 
 
Fred Atkinson
 
      01-09-2005
I have been running a Cisco 831 on my home network. I
currently have Apache 1.3 installed on my PC. I am using a static PAT
entry in the 831 to point port 80 at my PC. When a port 80 socket
request arrives on the gateway, it is forwarded to my PC. This way, I
do not need a second IP address.

To further complicate matters, I have a dynamic IP address. I
have installed a service on my PC that updates my DNS provider
(ZoneEdit) with the new gateway (public) IP address whenever my router
gets a different static IP address. That client can be purchased for
ten dollars at http://www.sitedevelopers.com. You have to install
Microsoft .NET framework on your PC before you install it, but that
can easily be had from the Microsoft site.

So you see, you don't need a second IP address to run a
Webserver behind your Cisco 831 router. You don't even need a static
IP address to do it. It can be easily done.

Regards,


Fred

 
 
Clan Yeti
 
      01-10-2005
When you say "static PAT entry" are you meaning the same as NAT? I have
these entries in there:

ip nat inside static source tcp xxx.xxx.xxx.xxx 80 interface dialer1 80
ip nat inside static source udp xxx.xxx.xxx.xxx 80 interface dialer1 80

I know this may seem rather elementary, but I just want to make sure I
have all the bases covered.

 
 
Walter Roberson
 
      01-10-2005
Clan Yeti wrote:
:When you say "static PAT entry" are you meaning the same as NAT? I have
:these entries in there:

:ip nat inside static source tcp xxx.xxx.xxx.xxx 80 interface dialer1 80
:ip nat inside static source udp xxx.xxx.xxx.xxx 80 interface dialer1 80

"static PAT" is "static Port Address Translation", which is a form
of Network Address Translation.

The entries you have are good examples of static PAT.

I would get rid of the udp line, though -- I've never ever seen
anyone use http over udp in practice.

If you are going to have a DNS server internally, then you would want
to allow in udp 53 (DNS).

Also, if you are going to have outside systems that are allowed to do
DNS Zone Transfers from your inside DNS server [so that they can act as
proper secondary DNS servers for you] then you should also allow in TCP 53.

In theory, any DNS operation could come in via TCP instead of UDP, but
in practice real systems will try UDP first and only switch to TCP if
the returned result has a flag set indicating that the result did not
fit within one 536 byte UDP reply packet. The exception to that is DNS
Zone Transfers: it isn't uncommon for systems to start with TCP for
that, because the size of the result would so often be more than 536
bytes. You do not usually want systems to be able to download all of
your DNS information though [it adds to security risks]. Unless you
might have really big glue records [rare!] then you can *in practice* get
away with blocking out TCP 53 except from systems authorized to do zone
transfers from you. Doing so is technically in violation of the RFCs,
but it works.
--
Take care in opening this message: My grasp on reality may have shaken
loose during transmission!
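
An added example, not part of any post in this thread: a BIND 9 named.conf sketch of the split-DNS "views" setup Barry Margolin describes, combined with the zone-transfer restriction Walter Roberson recommends. The zone name, file paths and every address here (example.com, 10.10.10.0/24, 192.0.2.53) are assumed placeholders.

```conf
// Constructed example; names, paths and addresses are placeholders.

acl "internal"    { 127.0.0.1; 10.10.10.0/24; };  // assumed inside LAN
acl "secondaries" { 192.0.2.53; };                // assumed authorised secondary

options {
    directory "/var/named";
    allow-transfer { none; };    // default: refuse zone transfers everywhere
};

// Views are tried in order and the first match wins, so the
// narrower "inside" view must come before the catch-all view.
view "inside" {
    match-clients { "internal"; };
    recursion yes;               // LAN hosts may use this server as a resolver

    zone "example.com" {
        type master;
        // This copy of the zone answers with private addresses,
        // e.g. www -> the web server's inside address.
        file "inside/example.com.zone";
    };
};

view "outside" {
    match-clients { any; };
    recursion no;                // Internet clients get authoritative answers only

    zone "example.com" {
        type master;
        // This copy answers with the router's public address, which the
        // static PAT entries then forward to the inside hosts.
        file "outside/example.com.zone";
        // Only the listed secondaries may pull the whole zone.
        allow-transfer { "secondaries"; };
    };
};
```

Once any view is defined, BIND requires every zone to sit inside a view. Static PAT rewrites only the destination address, so queries arriving from the Internet keep their original source address and fall through to the "outside" view.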
 
 
Fred Atkinson
 
      01-10-2005
Here is one of the lines. I have other static PAT entries as
well. But this one will forward to private IP address 10.10.10.200
when an http request (port 80) comes in to the public IP address on my
router.

ip nat inside source static tcp 10.10.10.200 80 interface Ethernet1 80

It works rather well.


Fred

 
 
Clan Yeti
 
      01-10-2005
Is your eth1 interface your outside or inside interface? This is
another question I was mulling over. My outside interface is dialer1;
should I be pointing it to my inside interface, eth0?

 
 
Clan Yeti
 
      01-11-2005
Never mind... I used the help feature to find out the correct way to use
it. Imagine that! A help feature that works...

 