Cisco 837 - how to set up Inside to Inside NAT for DNS resolution?

Hi,

Can anybody help? I need to setup "inside to inside NAT" as described
here:

http://www.cisco.com/en/US/products...rod_release_note09186a0080457818.html#wp67645

I'm running 12.4 on a Cisco 837, and I know this feature is supported
on my image. But I can't work out how to actually implement it! The
quoted page gives an example but is looks like it's for VPN. I want it
to work such that inside the LAN I can access a hosted website (hosted
inside the LAN) via its external DNS name (www.....).

This should get round the need for local HOSTS entries. The important
quote from the page for me is this:


"The purpose of this feature is to provide customers of the Cisco 830
and SOHO 90 routers, with the ability to allow the use of a single DNS
name / DNS server external to the LAN to provide name resolution for
internal servers to internal clients even if NAT is applied and the
NAT global address is the known address from a DNS perspective. "


I'm using my ISP's DNS.

Can anyone suggest what changes I need to make to my config (below)?

Many thanks!



Jim

==============================

!
! Last configuration change at 15:08:32 UTC Tue May 23 2006
! NVRAM config last updated at 14:44:33 UTC Tue May 23 2006
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 XXXXX
!
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network default if-authenticated
!
aaa session-id common
!
resource policy
!
!
!
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 10
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool JIMDESKTOP
host 192.168.1.101 255.255.255.0
client-identifier 0100.e018.fe31.ff
default-router 192.168.1.1
dns-server 212.104.130.9 212.104.130.65
lease 0 12
!
ip dhcp pool CLIENT
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 212.104.130.9 212.104.130.65
lease 0 12
!
!
ip cef
ip domain name home.lan
ip ssh version 2
login block-for 120 attempts 3 within 120
login delay 3
login on-failure log
login on-success log
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
username jim password 7 XXXXX
!
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Ethernet2
no ip address
hold-queue 100 out
!
interface ATM0
description ADSL Broadband Interface
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered Ethernet0
ip mroute-cache
peer default ip address pool VPN-CLIENT
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Dialer1
ip address 82.152.XXX.XX 255.255.255.XXX
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7 XXXXX
ppp pap sent-username password 7 XXXXX
ppp ipcp dns request
ppp ipcp wins request
!
ip local pool VPN-CLIENT 192.168.1.251 192.168.1.254
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.150 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.150 110 interface Dialer1
110
ip nat inside source static tcp 192.168.1.150 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.150 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.150 443 interface Dialer1
443
!
!
ip access-list standard SNMP-ALLOWED
permit 192.168.1.101
permit 192.168.1.150
deny any
ip access-list standard SSH-ALLOWED
permit 82.XXX.XXX.XXX
permit 192.168.1.0 0.0.0.255
deny any
!
logging trap debugging
logging 192.168.1.150
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RW SNMP-ALLOWED
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class SSH-ALLOWED in
exec-timeout 120 0
password 7 XXXXX
length 0
transport input ssh
!
scheduler max-task-time 5000
sntp server 212.104.129.221
end

 

notice that in the Cisco configlet they use the command "ip nat enable"
on the interfaces ...

 

Hi Merv,

Yeah, saw that. But it didn't seem to make any difference.

if I have

ip nat enable by itself, I lose the ability to browse from internal
clients. If I have

ip nat enable
ip nat inside

I can browse, but browsing via external DNS still won't work.

Confused!



Jim

 

The URL you give is bogus on what you are trying to do.
If I recall correctly, what you are looking for is the 'extendable' word at
the end of the outbound NAT statement.
Have the word appended to the NAT for the webserver, then your inside hosts
will get DNS doctored.


HTH
Martin Bilgrav

 

Hi Martin, many thanks for taking the time to post.

I tried what you suggested (I think!) but it didn't seem to make much
difference. I added the following command to my existing config:

ip nat inside source static tcp 192.168.1.150 80 82.152.114.61 80
extendable

Everything else seemed to work as before, I could browse the
internally-hosted webserver via domain-name from the internet. But I
still can't browse it by domain name from inside the LAN.

Sorry if I've misunderstood your suggestion, I'm very new to Cisco. I
didn't really understand your "outbound NAT" bit, but I assumed
(probably wrongly) that it was the port-80 NAT.

Any ideas?

Many thanks,



Jim

 

did you 'clear ip nat translation *' ?
How does your cfg looks like now ?

This is just what the line should do. hmm
Are the 82.152.114.61 the IP that the webserver has in the DNS A-record ?
And it is hosted on the internal IP .150 ?

 

Hi Martin,

No, I hadn't run the clear, but I have now and it still hasn't worked
:-(

That's correct. The public DNS entries for the domain point to
82.152.114.61:

http://www.dnsstuff.com/tools/lookup.ch?name=www.jimwillsher.co.uk&type=A

The internal IP is 192.168.1.150

I've copied the entire config below. When I use this config, I cannot
browse www.jimwillsher.co.uk from inside the LAN unless I manually add

192.168.1.150 www.jimwillsher.co.uk

to my hosts file, which I'm trying to avoid. Without this I get a
1-second pause followed by a "page not found" (IE6).

I hope you can spot where I'm going wrong....

Many thanks!



Jim

=================================================

New config


!
! Last configuration change at 11:11:11 UTC Fri May 26 2006 by XXX
! NVRAM config last updated at 11:10:31 UTC Fri May 26 2006 by XXX
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 XXXXX
!
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network default if-authenticated
!
aaa session-id common
!
resource policy
!
!
!
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 10
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool JIMDESKTOP
host 192.168.1.101 255.255.255.0
client-identifier 0100.dddd.dddd.ff
default-router 192.168.1.1
dns-server XXX.XXX XXX.XXX
lease 0 12
!
ip dhcp pool CLIENT
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server XXX.XXX XXX.XXX
lease 0 12
!
!
ip cef
no ip domain lookup
ip domain name home.lan
ip ssh version 2
login block-for 120 attempts 3 within 120
login delay 3
login on-failure log
login on-success log
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
username XXX password 7 XXXXX
!
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Ethernet2
no ip address
hold-queue 100 out
!
interface ATM0
description ADSL Broadband Interface
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered Ethernet0
ip mroute-cache
peer default ip address pool VPN-CLIENT
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Dialer1
ip address 82.152.114.61 255.255.255.252
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7 XXXXX
ppp pap sent-username password 7 XXXXX
ppp ipcp dns request
ppp ipcp wins request
!
ip local pool VPN-CLIENT 192.168.1.251 192.168.1.254
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.150 443 interface Dialer1
443
ip nat inside source static tcp 192.168.1.150 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.150 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.150 110 interface Dialer1
110
ip nat inside source static tcp 192.168.1.150 25 interface Dialer1 25
!
!
ip access-list standard SNMP-ALLOWED
permit 192.168.1.101
permit 192.168.1.150
deny any
ip access-list standard SSH-ALLOWED
permit 81.168.116.141
permit 82.152.95.189
permit 82.152.232.9
permit 82.152.83.57
permit 82.152.237.153
permit 192.168.1.0 0.0.0.255
deny any
!
logging trap debugging
logging 192.168.1.150
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community XXXXX RW SNMP-ALLOWED
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred none
stopbits 1
line aux 0
line vty 0 4
access-class SSH-ALLOWED in
exec-timeout 120 0
password 7 XXXXX
length 0
transport preferred none
transport input ssh
!
scheduler max-task-time 5000
sntp server XXX.221
end







=================================================

sh ver output

Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.4(8),
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 15-May-06 23:37 by prod_rel_team

ROM: System Bootstrap, Version 12.2(11r)YV3, RELEASE SOFTWARE (fc2)

router uptime is 3 minutes
System returned to ROM by reload at 11:13:05 UTC Fri May 26 2006
System restarted at 11:15:20 UTC Fri May 26 2006
System image file is "flash:c837-k9o3sy6-mz.124-8.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are
unable
to comply with U.S. and local laws, return this product immediately.


A summary of U.S. laws governing Cisco cryptographic products may be
found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email
to
.

Cisco C837 (MPC857DSL) processor (revision 0x600) with 62260K/3276K
bytes of memory.
Processor board ID FCZ093343XZ, with hardware revision 0000
CPU rev number 7
2 Ethernet interfaces
4 FastEthernet interfaces
1 ATM interface
128K bytes of NVRAM.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

 

Jim has:-

This piqued my interest and I did a bit of reading.

There is a reference (not available to me right now)
on CCO that I read. It talked about getting this behaviour
when using Outside NAT.

Maybe you need to add:-

ip nat OUTSIDE source static interface Dialer1 192.168.1.150

I haven't checked the syntax and you may well
not be allowed the "interface dialer1" bit and have
to use the address instead.

So what will this do to the traffic.
Inbound traffic with Source Address of the dialer will be NATted
such that the source address will be changed to 192.168.1.150.

As far as I can see there will be no such traffic.
So nothing can get broken

Similarly outbound traffic with DA of 192.168.1.150
will get translated to the address of dialer1 interface.
Once more there will be no such traffic passing through the router.


///Additionally///:-
Inbound DNS packet contents will be inspected
and A records containing the address of the Dialer1 interface
will be translated to the address specified in the NAT Outside
statement.

I have not tested or implemented this and have no idea if
it will work but it looked promising in your context.

Please post results, good or bad.

 

I have realised that this is easy for me to test in the case
where the Outside natted address is NOT the adderss of the router.

Anyway. It works.

 

ADSL(config)#ip nat outside source static 155.198.5.83 ?
A.B.C.D Outside local IP address

ADSL(config)#ip nat outside source static 155.198.5.83 172.16.145.200
ADSL(config)#^Z
ADSL#

C:\Documents and Settings\Administrator>ping www.ic.ac.uk
Pinging www.ic.ac.uk [172.16.145.200] with 32 bytes of data:

ADSL#sh run | inc nat
ip nat inside
ip nat inside
ip nat outside
ip nat inside source route-map nonat interface Dialer1 overload
ip nat outside source static 155.198.5.83 172.16.145.200
route-map nonat permit 10

 

Hi, many thanks for picking this one up, much appreciated.

Okay, I tried what you suggested (I think). I entered:

ip nat outside source static 82.152.114.61 192.168.1.150

When I saved the config I noticed this on my consle:

05:14:08: %SYS-5-CONFIG_I: Configured from console by consol
05:14:41: %IP-4-DUPADDR: Duplicate address 192.168.1.150 on Ethernet0,
sourced by 000f.xxxx.xxxx

But the results were not what I had expected. Browsing the domain name
from inside the network now works a treat - excellent! Sadly, browsing
from the internet no longer worked :-(

So I've had to remove the command and now I'm back to the "outside
works, inside doesn't" situation.

I noticed your comment about the DNS and the router. Unfortunately
they are both the same IP, and I can't change. Hence why NAT is in
use.


SO it looked so promising - until I realised external access no longer
worked (page not found).

Can you think of anything else I can try?

Many thanks,



Jim

 

Oh dear. Of course, (well its obvious now the router must
be 'hosting' the address 192.168.1.150 on the inside. I guess
it will respond to arps for that address and is apparently
looking out for duplicates.


I have tried a couple more things here.

ip nat inside source route-map nonat interface Dialer1 overload
ip nat outside source static 155.198.5.83 172.16.145.35

ADSL#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.145.37 1 0002.a545.2244 ARPA Ethernet0
Internet 172.16.145.36 77 000d.5e48.0bc7 ARPA Ethernet0
Internet 172.16.145.35 - 0013.1996.5db7 ARPA Ethernet0
Internet 172.16.145.1 - 0013.1996.5db7 ARPA Ethernet0

I had a telnet session from .35 to the router (.1).
As soon as I added the NAT I lost the session.

Whn I ping .35 from .37 the router responds.

C:\Program Files>arp -a

Interface: 192.168.67.249 --- 0x3
Internet Address Physical Address Type
192.168.67.1 00-0b-5f-78-f3-bf dynamic

Interface: 172.16.145.37 --- 0x20002
Internet Address Physical Address Type
172.16.145.1 00-13-19-96-5d-b7 dynamic
172.16.145.35 00-13-19-96-5d-b7 dynamic

C:\Program Files>ping 172.16.145.35 -t

Pinging 172.16.145.35 with 32 bytes of data:

Reply from 172.16.145.35: bytes=32 time=1ms TTL=255
Reply from 172.16.145.35: bytes=32 time=1ms TTL=255
Reply from 172.16.145.35: bytes=32 time=1ms TTL=255


## However

When I use
ip nat outside source static 155.198.5.83 172.16.145.200

I dont get this ARP entry and the router does /not/
respond to a ping for 172.16.145.200.

Weird.

 

Sorry, the netmask was not what I expected.
Local router address is 172.16.145.1/25.
I had assumed /24. I forgot that I had changed it a while back.

 

Whoa, you've lost me So do you think you're onto a winner, or
should I throw the 837 out of the window?

I appreciate your help!


Jim

 

Hi,

Stick with me on this one, Jim - This is the way to do it and it will work.
What we need to do is find out were you go wrong.

....
..

did you omit ACL 102 from your cfg ?
I dont see it anywere

I dont see the
ip nat inside source static 192.168.1.150 82.152.114.61 extendable
line anywhere

Here is what you do:

1. remove ALL you present NAT entries and add the one I sugguested:
C/P this :
cle ip nat trans *
no ip nat inside source static tcp 192.168.1.150 443 interface Dialer1 443
no ip nat inside source static tcp 192.168.1.150 80 interface Dialer1 80
no ip nat inside source static tcp 192.168.1.150 21 interface Dialer1 21
no ip nat inside source static tcp 192.168.1.150 110 interface Dialer1 110
no ip nat inside source static tcp 192.168.1.150 25 interface Dialer1 25
ip nat inside source static 192.168.1.150 82.152.114.61 extendable

This will do it, if you do not get any error msg, cause of ANT in use.


HTH
Martin Bilgrav

 

Also just to make sure add:
ip subnet-zero

 

Hi Martin,

Many thanks for persisting

Before I try it though, won't these lines:

prevent my websites from working? Surely nobody on the WAN will be
able to see them, as by removing these, there's nothing to say that
http (80) is on 192.168.1.150, etc.


Jim

 

yes - correct, but the last line (not in your C/P) brings it back online
instantly, so only current session gets broken as you clear NAT.
no big deal.

 

Sorry, I'm obviosuly being a bit silly here. I just don't want to get
it wrong!

For the avoidance of doubt, I've pasted my *full* running-config
below. I still can't see how my server will be accessible from the web
after I make your changes. We're removing the port 80, port 443 etc
ines, but we're not replacing them with anything. So either nothing
will get to my server, or EVERYTHING will get to my server (DMZ). Or
am I misreading the situation?

Anyway, my *entire* config follows. Thank you *so much* for being so
patient with my clear lack of Cisco skills



=============

!
! Last configuration change at 10:28:19 BST Sun May 28 2006
! NVRAM config last updated at 08:36:36 BST Tue May 30 2006 by XXX
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 XXXXX
!
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network default if-authenticated
!
aaa session-id common
!
resource policy
!
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 3:00
!
!
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 10
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool JIMDESKTOP
host 192.168.1.101 255.255.255.0
client-identifier 0100.e018.fe31.ff
default-router 192.168.1.1
dns-server 212.104.130.9 212.104.130.65
lease 0 12
!
ip dhcp pool CLIENT
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 212.104.130.9 212.104.130.65
lease 0 12
!
!
ip cef
no ip domain lookup
ip domain name home.lan
ip ssh version 2
login block-for 120 attempts 3 within 120
login delay 3
login on-failure log
login on-success log
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
username XXX password 7 XXXXX
!
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Ethernet2
no ip address
hold-queue 100 out
!
interface ATM0
description ADSL Broadband Interface
no ip address
ip nbar protocol-discovery
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered Ethernet0
ip mroute-cache
peer default ip address pool VPN-CLIENT
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Dialer1
ip address 82.152.114.61 255.255.255.252
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7 XXX
ppp pap sent-username password 7 XXX
ppp ipcp dns request
ppp ipcp wins request
!
ip local pool VPN-CLIENT 192.168.1.251 192.168.1.254
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip dns server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.150 443 interface Dialer1
443
ip nat inside source static tcp 192.168.1.150 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.150 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.150 110 interface Dialer1
110
ip nat inside source static tcp 192.168.1.150 25 interface Dialer1 25
!
!
ip access-list standard SNMP-ALLOWED
permit 192.168.1.101
permit 192.168.1.150
deny any
ip access-list standard SSH-ALLOWED
permit 81.168.124.101
permit 192.168.1.0 0.0.0.255
deny any
!
logging trap debugging
logging 192.168.1.150
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RW SNMP-ALLOWED
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred none
stopbits 1
line aux 0
line vty 0 4
access-class SSH-ALLOWED in
exec-timeout 120 0
password 7 XXXX
length 0
transport preferred none
transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17179402
ntp server 212.104.129.221
end

=============

 

Jim Willsher schrieb:

AFAIR this feature was introduced in 12.3(11)YS and did not make it into
12.4 mainline. It should be in 12.4T train.