NAT: Can't access server from internal net

Status
Not open for further replies.

PilotMike

Programmer
Jul 14, 2003
31
US
Hello all. I have a C1605R with E0 connected to my DSL modem and E1 to a 1548M switch. I have set up NAT outbound and inbound. I can reach the Internet with no problem; however, I am unable to contact servers I've added to NAT from the LAN. I've confirmed that people outside can in fact contact the servers.

I'm fairly certain I'm missing a step here, namely how to route back packets from the internal net that are trying to contact the external IP address.

e.g.: 10.10.1.5 -> 66.92.251.203:80 when the 10 net is on e0 and 66.92.251.203 is on e1.

Any help would be greatly appreciated!

config:

interface Ethernet0
ip address 66.92.251.120 255.255.255.0 secondary
ip address 66.92.251.203 255.255.255.0
no ip directed-broadcast
ip nat outside
!
interface Ethernet1
ip address 10.10.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 10.10.1.2 22 66.92.251.120 22 extendable
ip nat inside source static tcp 10.10.1.6 22 66.92.251.203 22 extendable
ip nat inside source static tcp 10.10.1.6 2401 66.92.251.203 2401 extendable
ip nat inside source static tcp 10.10.1.5 25 66.92.251.203 25 extendable
ip nat inside source static tcp 10.10.1.5 993 66.92.251.203 993 extendable
ip nat inside source static tcp 10.10.1.6 21 66.92.251.203 21 extendable
ip nat inside source static udp 10.10.1.6 20 66.92.251.203 20 extendable
ip nat inside source static udp 10.10.1.5 53 66.92.251.203 53 extendable
ip nat inside source static tcp 10.10.1.6 80 66.92.251.203 80 extendable
ip nat outside source static 10.10.1.0 66.92.251.120
ip classless
ip route 0.0.0.0 0.0.0.0 66.92.251.1
!
access-list 1 permit 10.10.1.0 0.0.0.255
 
Just a clarification...

From internal host (say, 10.10.1.6), I can connect to any host on the Internet.
However, I cannot connect to any of my local hosts by using the external IP address. 10.10.1.6 -> 10.10.1.5:25 works fine, but 10.10.1.6 -> 66.92.251.203:25 always times out. Any port for which I've added a NAT rule always fails from internal IPs.
 
Hi,
I have the same problem.
I think something is missing here.

Can anybody help us?

Thanks

Best Regards,

Andrey
CCNA
 
This is because from the internal LAN, your traffic is not passing through both the inside and outside NAT interfaces to get to the destination. This means the router will not translate the 66.x.x.x address to its real address.

Usually people just connect to these devices from the LAN using their real address and not the translated address.

From a DNS perspective, you can also create a .local domain and populate this with each server's real address. This domain will then only be used by internal clients. External clients will use your real domain whereby each translated server IP address is listed with a 66.x.x.x address.
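
A simplified model of the behaviour described in this reply, added here as an illustration and not posted by any participant in the thread: it parses static NAT lines copied from the config in the first post, shows that the destination rewrite only applies to packets arriving on the outside interface, and derives the internal-only names the reply suggests. The function names and the service names `mail` and `www` are assumptions made for the example.

```python
import re

# Static port-forward lines copied from the router config in the first post.
CONFIG = """\
ip nat inside source static tcp 10.10.1.5 25 66.92.251.203 25 extendable
ip nat inside source static udp 10.10.1.5 53 66.92.251.203 53 extendable
ip nat inside source static tcp 10.10.1.6 80 66.92.251.203 80 extendable
ip nat inside source static tcp 10.10.1.2 22 66.92.251.120 22 extendable
"""

STATIC = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def parse_static_nat(config):
    """Return {(proto, global_ip, global_port): (local_ip, local_port)}."""
    table = {}
    for m in STATIC.finditer(config):
        proto, lip, lport, gip, gport = m.groups()
        table[(proto, gip, int(gport))] = (lip, int(lport))
    return table

def forward(table, ingress, proto, dst_ip, dst_port):
    """Simplified model of the reply (an assumption, not router code): the
    global->local destination rewrite is applied only to packets arriving
    on the 'ip nat outside' interface. A packet arriving on the inside
    interface keeps its destination, so a LAN client aiming at the public
    address never reaches the server behind it (returns None)."""
    if ingress == "outside":
        return table.get((proto, dst_ip, dst_port))
    if ingress == "inside":
        return None if (proto, dst_ip, dst_port) in table else (dst_ip, dst_port)
    raise ValueError("ingress must be 'inside' or 'outside'")

def internal_zone(table, services, suffix="local"):
    """Split-DNS workaround from the reply: per-service names for LAN
    clients that resolve straight to the server's real address."""
    return {f"{name}.{suffix}": table[key][0] for name, key in services.items()}

# Hypothetical service names; one public IP fans out to several hosts by port.
SERVICES = {"mail": ("tcp", "66.92.251.203", 25),
            "www": ("tcp", "66.92.251.203", 80)}

if __name__ == "__main__":
    nat = parse_static_nat(CONFIG)
    print(forward(nat, "outside", "tcp", "66.92.251.203", 25))
    print(forward(nat, "inside", "tcp", "66.92.251.203", 25))
    print(internal_zone(nat, SERVICES))
```

Because 66.92.251.203 fans out to different internal hosts by port, the internal zone needs one name per service rather than a single record for the public address.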

 
So what kind of solution are you suggesting?

Best Regards,

Andrey
CCNA
 
Thanks for the reply, Kisco.

With my previous Netopia router I had no problem accessing the servers using the external IP. So, there was some mechanism in place to make the translation successfully. I'd like to create that same mechanism without having to change the structure of DNS.
 