problems with cisco NAT

[mmorgensen]

i am running NAT on my 2611 with a single public ip (for simplicity 1.1.1.1 public ip and 10.10.10.1 internal ip), I have port 53 and 80 forwarded to my internal server 10.10.10.10.

If a client on my internal network accesses the 1.1.1.1 address on port 80, the web browser times out and nothing works. Requests from the outside work 100%, requests from the internal network to any other address on the internet work fine. My internal network is routed thru the mentioned router 10.10.10.1

Any ideas how to make this work? i have several DNS entries that are set up to point the outside IP of the router so clients can access, however using the same URL fails when access internally. I do NOT want to set up 2 dns servers, nor two zones.

In short :
Client 10.10.1.99 does a DNS lookup, which points to 1.1.1.1. On router 1.1.1.1 port 80 is forwarded to 10.10.1.10 ( on the same network as the requestor) So the packets make a big U turn. But it's not working

I have to be doing something wrong; I had this working for a client using a linksys router....something as powerful as the cisco must be able to have this feature.

 

[mmorgensen]

here is my config.


ip domain-name corp.onedown.net
ip dhcp excluded-address 10.10.1.1 10.10.1.50
!
ip dhcp pool onedown.2
network 10.10.2.0 255.255.255.0
domain-name corp.onedown.net
dns-server 10.10.1.10 64.34.4.36
default-router 10.10.2.1
!
!
!
!
interface FastEthernet0/0
ip address 67.x.x.101 255.255.255.252
ip nat outside
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description Inside Interface
ip address 10.10.2.1 255.255.255.0 secondary
ip address 10.10.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
no cdp enable
!
ip nat pool ONEDOWN 67.x.x.101 67.x.x.101 prefix-length 30
ip nat inside source list 1 pool ONEDOWN overload
ip nat inside source static tcp 10.10.1.20 21 67.x.x.101 21 extendable
ip nat inside source static tcp 10.10.1.20 20 67.x.x.101 20 extendable
ip nat inside source static tcp 10.10.1.10 3389 67.x.x.101 3389 extendable
ip nat inside source static tcp 10.10.1.10 143 67.x.x.101 143 extendable
ip nat inside source static tcp 10.10.1.10 110 67.x.x.101 110 extendable
ip nat inside source static tcp 10.10.1.10 25 67.x.x.101 25 extendable
ip nat inside source static tcp 10.10.1.10 53 67.x.x.101 53 extendable
ip nat inside source static udp 10.10.1.10 53 67.x.x.101 53 extendable
ip nat inside source static udp 10.10.1.10 53 67.x.x.101 53 extendable
ip nat inside source static tcp 10.10.1.10 8080 67.x.x.101 8080 extendable
ip nat inside source static tcp 10.10.1.10 80 67.x.x.101 80 extendable
ip nat inside source static tcp 10.10.1.10 5631 67.x.x.101 5631 extendable
ip nat inside source static udp 10.10.1.10 5632 67.x.x.101 5632 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 67.x.x.102
no ip http server
!
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 10.10.2.0 0.0.0.255

 

[hexn]

I think the problem lies in that your when the request to the webserver leaves your machine (lets say you are 10.10.10.2) and goes to 1.1.1.1, then you are natted, but when the packet goes back out your lan interface, you are denatted, and so what happens is the webserver of 10.10.10.1 is replying to 10.10.10.2, but .2 is waiting for a reply from 1.1.1.1.

Do you understand? In other words, the nat is working exaclty like it should. Your computer will drop the replies because they are coming from an unknown IP.

 

[ccie9545]

when you try and make the connection what is the output of the show nat translations? it might be show ip nat translations....brain lapse.....

i would say that the problem lies in the fact that you are trying to do all of this with a single public IP address.

One solution that you could try is rather than using the DNS server, you could configure the hosts file on the clients with an entry for that server. For example, say the server's public ip is 1.1.1.1, and the web url is

http://www.yahoo.com,

and DNS maps to that address. Rather than having to go throught the big U turn, just configure an entry in the hosts table that says for

http://www.yahoo.com

go to 10.10.10.10, that way the hosts will contact the server directly without having to resolve the URL to a public IP address through DNS......

Hope that makes sense.... Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com

 

[mmorgensen]

yep thats what I currently do on my primary server. Problem is when other connect, I have to create the dang file for them too.

currently we are running two dns servers to solve the problem, one for outside people and one for inside people.

I wish there were a better way! I tried all this on a linksys router (59 bucks) and it worked perfectly! It will be pretty sad if the cisco can not do this, and a device under $100 can.

thanks again for you help!

mm

 

[marsd]

Use a forwarder , end of problem.

 

[mmorgensen]

are you talking cisco terms or dns? If cisco whats a forwarder and how do i set one up?

 

[marsd]

Dns..
Foer instance my home network uses a dns server for two
internal zones and I originally tried to use the client resolvers as the ccie recommended, not with a huge hosts
file, which is antiquated, but by ordering the order of queries in /etc/resolv.conf.
This proved to be a little problematic, especially with
mail. I would get a "host found, but no record of requested type", which was a pain.
The easiest solution for me was to specify a forwarder:

# The forwarders record contains a list of servers to
# which queries should be forwarded. Enable this line and
# modify the IP-address to your provider's name server.
# Up to three servers may be listed.

forwarders { isp nameserver; };

voila, no more problems.

 

[mmorgensen]

gotcha. I already have the internal dns server set up with a forwarder. My overall goal was to maintain only one dns server.

if anyone has any other suggestions for the router it is appreciated.

mm