
Internal access to Internal Box via External Address using PAT

Status
Not open for further replies.

exanthus (Technical User) · Joined: Jun 7, 2004 · Messages: 4 · Location: US
I have set up a SOHO 91 router to replace my Linksys Cable/DSL router. I have configured NAT/PAT(??) on the router so that now my internal FTP, Lotus Domino Server and AS/400 (as well as some others) are working from the outside.

The problem is that I can ONLY get to them from the outside. If I try to use the external address and port from an internal machine it doesn't wrap.

Any ideas??

Here is my config:
Code:
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption

!
ip subnet-zero
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool office
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 65.x.x.196
!
ip dhcp-server 192.168.1.1
!
!
!
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 100 out
!
interface Ethernet1
 ip address 66.x.x.14 255.255.255.248
 ip access-group 105 in
 ip access-group 106 out
 ip nat outside
 no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 192.168.1.41 23 66.x.x.14 23 extendable
ip nat inside source static tcp 192.168.1.21 902 66.x.x.14 902 extendable
ip nat inside source static tcp 192.168.1.21 8222 66.x.x.14 8222 extendable
ip nat inside source static tcp 192.168.1.31 85 66.x.x.14 85 extendable
ip nat inside source static tcp 192.168.1.31 84 66.x.x.14 84 extendable
ip nat inside source static tcp 192.168.1.31 83 66.x.x.14 83 extendable
ip nat inside source static tcp 192.168.1.31 82 66.x.x.14 82 extendable
ip nat inside source static tcp 192.168.1.31 1516 66.x.x.14 1516 extendable
ip nat inside source static tcp 192.168.1.31 1515 66.x.x.14 1515 extendable
ip nat inside source static tcp 192.168.1.31 1514 66.x.x.14 1514 extendable
ip nat inside source static tcp 192.168.1.31 1513 66.x.x.14 1513 extendable
ip nat inside source static tcp 192.168.1.31 1512 66.x.x.14 1512 extendable
ip nat inside source static tcp 192.168.1.31 1511 66.x.x.14 1511 extendable
ip nat inside source static tcp 192.168.1.31 1510 66.x.x.14 1510 extendable
ip nat inside source static tcp 192.168.1.31 1509 66.x.x.14 1509 extendable
ip nat inside source static tcp 192.168.1.31 1508 66.x.x.14 1508 extendable
ip nat inside source static tcp 192.168.1.31 1507 66.x.x.14 1507 extendable
ip nat inside source static tcp 192.168.1.31 1506 66.x.x.14 1506 extendable
ip nat inside source static tcp 192.168.1.31 1505 66.x.x.14 1505 extendable
ip nat inside source static tcp 192.168.1.31 1504 66.x.x.14 1504 extendable
ip nat inside source static tcp 192.168.1.31 1503 66.x.x.14 1503 extendable
ip nat inside source static tcp 192.168.1.31 443 66.x.x.14 443 extendable
ip nat inside source static tcp 192.168.1.31 8081 66.x.x.14 8081 extendable
ip nat inside source static tcp 192.168.1.31 1352 66.x.x.14 1352 extendable
ip nat inside source static tcp 192.168.1.31 3389 66.x.x.14 3389 extendable
ip nat inside source static tcp 192.168.1.31 80 66.x.x.14 80 extendable
ip nat inside source static tcp 192.168.1.21 21 66.x.x.14 21 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
no ip http server
!
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit tcp any any eq www
access-list 105 permit tcp any any eq 3389
access-list 105 permit tcp any any eq 1352
access-list 105 permit tcp any any eq 8081
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any range 1 1503
access-list 105 permit tcp any any range 82 85
access-list 105 permit tcp any any eq 8222
access-list 105 permit tcp any any eq 902
access-list 105 permit tcp any any eq ftp
access-list 105 permit tcp any any eq ftp-data
access-list 105 permit tcp any any gt 1023 established
access-list 105 permit udp any any eq domain
access-list 105 permit icmp any any
access-list 105 permit udp any any gt 1023
access-list 105 permit tcp any any range 6881 6999
access-list 106 permit tcp any any
access-list 106 permit icmp any any
access-list 106 permit udp any any



scheduler max-task-time 5000
end

As you can see I am using the pat commands:
ip nat inside source static tcp 192.x.x.x 21 66.x.x.x 21 extendable

I have also tried using
ip nat inside source static tcp 192.x.x.x 21 Ethernet1

It seems to make absolutely no difference either way.

Thanks for your help in advance.

BWestover

MCSE/MCSA/CNA/A+

"Technically, I am not technical
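The behaviour described in this post is what Cisco IOS interface NAT does by design: a static entry's destination rewrite is applied to packets entering on the `ip nat outside` interface, while a packet from an inside host to the router's own outside address is routed first (to the router itself) and never reaches the point where the entry would be consulted. The following model is an added example, not code from the thread or from Cisco; it parses three of the posted `ip nat inside source static` lines and walks one TCP SYN through the IOS order of operations in each direction. The masked address `66.x.x.14` is kept exactly as the poster wrote it and treated as an opaque string; the external client address `203.0.113.5`, the port `40000`, the `hairpin_works` helper and the simplifying assumption that overload PAT keeps the original source port are all constructed for this illustration. Access list 105 is not modelled.

```python
"""Model of how a Cisco IOS router with classic inside/outside NAT handles the
first packet of a flow, reproducing the poster's observation that static PAT
works from outside but not from inside ("hairpin" / NAT loopback)."""
import ipaddress
import re
from dataclasses import dataclass

# Addresses taken from the posted config. 66.x.x.14 is kept masked as written
# and is compared as a string, never parsed as an IP address.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
INSIDE_IF, OUTSIDE_IF = "Ethernet0", "Ethernet1"
OUTSIDE_ADDR = "66.x.x.14"
ROUTER_ADDRS = {"192.168.1.1", OUTSIDE_ADDR}   # the router's own interfaces

# A subset of the static entries from the posted configuration.
STATIC_NAT_CONFIG = """
ip nat inside source static tcp 192.168.1.41 23 66.x.x.14 23 extendable
ip nat inside source static tcp 192.168.1.21 21 66.x.x.14 21 extendable
ip nat inside source static tcp 192.168.1.31 443 66.x.x.14 443 extendable
"""

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class StaticEntry:
    proto: str
    inside: str
    inside_port: int
    outside: str
    outside_port: int

STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def parse_static_nat(text: str) -> list[StaticEntry]:
    """Parse 'ip nat inside source static <proto> <in> <port> <global> <port>' lines."""
    return [StaticEntry(p, i, int(ip), o, int(op))
            for p, i, ip, o, op in STATIC_RE.findall(text)]

STATIC_NAT = parse_static_nat(STATIC_NAT_CONFIG)

def route(dst: str) -> str:
    """Egress decision: the router's own addresses terminate locally, the
    connected inside subnet goes out Ethernet0, everything else follows the
    default route out Ethernet1 (as in the posted 'ip route 0.0.0.0 0.0.0.0')."""
    if dst in ROUTER_ADDRS:
        return "self"
    try:
        if ipaddress.ip_address(dst) in INSIDE_NET:
            return INSIDE_IF
    except ValueError:          # opaque/masked address such as 66.x.x.14
        pass
    return OUTSIDE_IF

def forward(flow: Flow, ingress: str) -> dict:
    """IOS order of operations for a first packet (TCP SYN):
    outside->inside: translate destination, then route;
    inside->outside: route, then translate source."""
    if ingress == OUTSIDE_IF:
        # The destination rewrite for inside-source static entries happens here
        # and only here, for packets that arrived on the outside interface.
        for e in STATIC_NAT:
            if (e.proto, e.outside, e.outside_port) == (flow.proto, flow.dst, flow.dport):
                new = Flow(flow.proto, flow.src, flow.sport, e.inside, e.inside_port)
                return {"egress": route(new.dst), "flow": new, "translated": True}
        return {"egress": route(flow.dst), "flow": flow, "translated": False}

    # Packet entered on the inside interface: routing runs before NAT.
    egress = route(flow.dst)
    if egress != OUTSIDE_IF:
        # Destined to the router itself (or another inside host): it is never
        # handed to the outside interface, so no static entry is consulted.
        return {"egress": egress, "flow": flow, "translated": False}
    for e in STATIC_NAT:        # static source rewrite for a published server
        if (e.proto, e.inside, e.inside_port) == (flow.proto, flow.src, flow.sport):
            new = Flow(flow.proto, e.outside, e.outside_port, flow.dst, flow.dport)
            return {"egress": egress, "flow": new, "translated": True}
    # Otherwise overload PAT to the interface address (source port assumed kept).
    new = Flow(flow.proto, OUTSIDE_ADDR, flow.sport, flow.dst, flow.dport)
    return {"egress": egress, "flow": new, "translated": True}

def hairpin_works(inside_client: str, dport: int) -> bool:
    """Does a connection from an inside host to <outside address>:<port> reach
    the inside server that the static entry publishes?"""
    r = forward(Flow("tcp", inside_client, 40000, OUTSIDE_ADDR, dport), INSIDE_IF)
    return r["egress"] == INSIDE_IF and r["translated"]

if __name__ == "__main__":
    ext = forward(Flow("tcp", "203.0.113.5", 51000, OUTSIDE_ADDR, 21), OUTSIDE_IF)
    print("external client -> FTP:", ext)               # reaches 192.168.1.21:21 via Ethernet0
    print("hairpin from inside works:", hairpin_works("192.168.1.50", 21))   # False
```

The inside-to-outside-address case ends with `egress == "self"`: the SYN is delivered to the router's own TCP stack, which has no FTP listener, so the client sees a refused or hanging connection rather than a translated one, which matches the "internal is a no go" result reported in the thread.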
 
UPDATE: I changed my e1 interface to use a different address on another public subnet entirely, but left my pat translations the same. This should have worked since my overload is now using a different address than PAT, but it made no difference. External still works, but internal is a no go...

Anyone have any info on this at all??

BWestover

MCSE/MCSA/CNA/A+

"Technically, I am not technical
 
Why don't you just use the internal IP when on the internal network?
 
It's because one of the clients we use is kind of a bear to reconfigure, and we can't trust users to be able to do it. We have some users who use notebooks inside and outside of the network, so they ideally will use the outside address all the time. Also it's an IP instead of a name, so DNS can't help me.
Right now we are using a Linksys, and it is doing the job just fine. I guess I will have to stick with that.

BWestover

MCSE/MCSA/CNA/A+

"Technically, I am not technical
 
You can set up an alias that will allow external IPs to reference internal IP addresses; that way it will stay current, i.e.

204.2.34.2 aliases 192.168.1.1

This would only work in DNS when clients were internal; otherwise outside would work.
 
So I set this up on my internal DNS server? Will the DNS even be tapped in this case, since I am using an IP instead of a name? I was under the impression that the DNS only gets hit whilst doing a name lookup...??

OK, let's say I'm misguided (probably the case). How exactly does one set up DNS aliases for IP to IP in DNS (let's say MS DNS server for reference)?

I really appreciate your help with this workaround. I am curious, though, if there is any way to make this work the same way as the Linksys does now, without any help from a DNS alias...

BWestover

MCSE/MCSA/CNA/A+

"Technically, I am not technical
 
I don't think you can do it in DNS. However, you can set up the alias on the client or on the router that will be receiving packets.
 