Access from internal hosts to internal servers using external address

Discussion in 'Cisco' started by HangaS, Apr 18, 2007.

  1. HangaS

    HangaS Guest

    Hi,

    I have a Cisco 386 in a NAT configuration.

    Internal (LAN) hosts can access the Internet (WAN) in a NAT'ed fashion.
    Internet accesses to the public IP address are correctly forwarded to
    the host specified in the static mapping.

    The only problem is that when accessing the public IP from the LAN the
    static mapping is not applied.

    I wanted to be able to access the public IP address from the LAN side
    and have the traffic redirected to the static mapped server as if it
    came from the WAN.

    What am I doing wrong?


    Kind Regards


    My configuration follows:

    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    !
    hostname c836
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    !
    no aaa new-model
    !
    resource policy
    !
    no ip source-route
    !
    !
    no ip dhcp use vrf connected
    !
    ip dhcp pool CLIENT
    import all
    !
    !
    ip domain name wit-software.com
    ip name-server 212.18.160.133
    no ip bootp server
    !
    isdn switch-type basic-net3
    !
    !
    username XXXXXXXX privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    !
    !
    !
    !
    interface Ethernet0
    description --- 10Mbps connection to LAN ---
    ip address 192.168.15.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    no cdp enable
    !
    interface Ethernet2
    no ip address
    shutdown
    !
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn switch-type basic-net3
    isdn point-to-point-setup
    !
    interface ATM0
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    dsl operating-mode etsi
    pvc 0/35
    pppoe-client dial-pool-number 1
    !
    !
    interface FastEthernet1
    duplex auto
    speed auto
    !
    interface FastEthernet2
    duplex auto
    speed auto
    !
    interface FastEthernet3
    duplex auto
    speed auto
    !
    interface FastEthernet4
    duplex auto
    speed auto
    !
    interface Dialer0
    ip address negotiated
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username XXXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXX
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !

    no ip http server
    no ip http secure-server
    !

    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static 192.168.15.1 interface Dialer0
    !
    access-list 1 permit 192.168.15.0 255.255.255.0
    dialer-list 1 protocol ip permit
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 120 0
    login local
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    login local
    length 0
    !
    scheduler max-task-time 5000
    no rcapi server
    !
    !
    end
     
    HangaS, Apr 18, 2007
    #1

  2. HangaS

    Thrill5 Guest

    I know of no way to do this. NAT only works internal to external, not
    internal to internal.

    Scott
     
    Thrill5, Apr 19, 2007
    #2

  3. HangaS

    HangaS Guest

    On Apr 19, 1:34 am, "Thrill5" <> wrote:
    > I know of no way to do this. NAT only works internal to external, not
    > internal to internal.
    >
    > Scott

    I thought of having the traffic go outside through NAT and then come
    back again from the outside as if it was from an external host.
    The source and destination IP on the WAN side would be the same, of
    course. Theoretically this looks feasible, however I don't know exactly
    how to do it on IOS.

    My goal is to migrate a couple of Linux/IPTables GWs to Ciscos and my
    IOS knowledge is very moderate. I'm more like an IPTable guy.

    I wanted to avoid the Split-DNS solution if possible.
     
    HangaS, Apr 19, 2007
    #3
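
The loop-back idea from post #3, modelled as an added example (not part of the thread and not IOS code). It is a simplified model of inside/outside NAT showing why a LAN packet to the public address is left untranslated, and why a hairpin rule must rewrite the source as well as the destination. Assumptions: `PUBLIC` is a constructed stand-in for the negotiated Dialer0 address, and all function names are hypothetical.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.15.0/24")         # Ethernet0 subnet, from the posted config
ROUTER_LAN = ip_address("192.168.15.254")   # Ethernet0 address, from the posted config
SERVER = ip_address("192.168.15.1")         # static-mapped host, from the posted config
PUBLIC = ip_address("203.0.113.10")         # constructed stand-in for the Dialer0 address

@dataclass(frozen=True)
class Packet:
    src: object
    dst: object

def domain_nat(pkt, ingress):
    """Translate only when a packet crosses between the inside and outside domains."""
    if ingress == "outside" and pkt.dst == PUBLIC:
        return replace(pkt, dst=SERVER)           # static mapping, outside -> inside
    if ingress == "inside" and pkt.dst not in LAN and pkt.dst != PUBLIC:
        return replace(pkt, src=PUBLIC)           # overload (PAT), inside -> outside
    return pkt                                    # LAN -> PUBLIC ends at the router itself

def hairpin_nat(pkt, ingress, rewrite_source=True):
    """Hairpin variant: also map LAN -> PUBLIC, optionally rewriting the source."""
    if ingress == "inside" and pkt.dst == PUBLIC:
        pkt = replace(pkt, dst=SERVER)
        if rewrite_source:
            pkt = replace(pkt, src=ROUTER_LAN)    # forces the reply back through the router
        return pkt
    return domain_nat(pkt, ingress)

def reply_accepted(request_dst, delivered):
    """Would the client accept the server's reply to the delivered packet?"""
    if delivered.dst != SERVER:
        return False                              # request never reached the server
    if delivered.src in LAN and delivered.src != ROUTER_LAN:
        # The server sees a same-subnet client and answers it directly, bypassing the
        # router, so the reply's source is SERVER and not the address the client used.
        return SERVER == request_dst
    return True                                   # reply returns via the router and is un-translated
```

With only the destination rewritten, the server's reply reaches the client from 192.168.15.1 while the client is waiting on the public address, so the connection never completes.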