Routing issue with NAT

I've got an issue with my router (Cisco 837) and getting at the external IPs from inside the NAT.

I've got a block of 5 usable public IPs, and ports from these are NATted to various internal IPs in the 192.168.0.0/24 network. I have DNS names set up which map to those external IPs, so I can access the servers from the internet. However, if I'm inside the private network, I can't connect to the public IP and port. I can access it on the relevant private IP, but the public IP doesn't route there for some reason.

For example, if I forward port 80 on public IP 88.96.111.10 to 192.168.0.4 port 80, then I can't connect to 88.96.111.10 port 80 from inside the private network.

I'm guessing it's a NAT issue, as I can use IPv6, which isn't NATted, to access the servers. But then there isn't the concept of a "public" and "private" IP for that. Anyone know what I can do to enable this?
 
I'm trying to understand what you're trying to achieve by going out and back in again?

Can you post a sanitised 'show run' from the router?
 
You need NAT loopback, but the easiest answer is probably just to map the name to internal IPs within the network.
 
I'm trying to understand what you're trying to achieve by going out and back in again?

Can you post a sanitised 'show run' from the router?

I'm trying to achieve the scenario where I have a bunch of DNS names that are pointing at public IP addresses that are also usable from inside the private network. Can't get at the router config at work, so might post tonight.

I'll look up NAT loopback, but I sense it might just be easier to set up my own internal DNS.
 
If you're a small environment and you don't already have an internal DNS, and you only have a small number of clients and/or entries, then you could just populate the hosts file with the internal addresses. When a client is inside they will go via the inside local address, and when they are outside they will go to the inside global address.
 
Cisco's NAT supports DNS queries. It's referred to as DNS doctoring with the security appliances. But there are some requirements.

1. First, you need to be using NAT :)
2. The DNS query and response must pass through the interfaces configured for NAT. This means for inside machines, the DNS server must be on the outside.
3. Responses for A and PTR records will be modified for static maps using addresses only. It won't work if you also have ports configured.
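To illustrate what the third requirement means on the wire, here is an added example (not code from this thread or from Cisco) of the rewrite a NAT device performs on a DNS reply passing from outside to inside: the A-record rdata for an address-only static map is swapped for the inside local address, while a map that carries a port is left untouched. The static map table and the DNS reply are constructed sample data.

```python
import struct
import ipaddress

# Constructed static NAT table. port=None marks an address-only (1:1) static map,
# which is the only kind DNS doctoring rewrites; the entry with port=25 stands for
# a port forward and must be left alone, as requirement 3 above states.
STATIC_MAPS = [
    {"public": "88.96.111.10", "private": "192.168.0.4", "port": None},
    {"public": "88.96.111.11", "private": "192.168.0.5", "port": 25},
]

def _skip_name(msg, off):
    """Return the offset just past a DNS name (label sequence or compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_response(msg):
    """Rewrite A-record answers of a DNS reply according to STATIC_MAPS.
    Returns (rewritten_message_bytes, [(public, private), ...])."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                        # fixed 12-byte DNS header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4              # skip QTYPE and QCLASS
    out = bytearray(msg)
    rewrites = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:               # type A, IPv4 rdata
            public = str(ipaddress.IPv4Address(msg[off:off + 4]))
            for m in STATIC_MAPS:
                if m["public"] == public and m["port"] is None:
                    out[off:off + 4] = ipaddress.IPv4Address(m["private"]).packed
                    rewrites.append((public, m["private"]))
        off += rdlen
    return bytes(out), rewrites

def build_reply(name, addr, txid=0x1234):
    """Build a constructed DNS reply: one question plus one A answer using a pointer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer
```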
 
I think there's a "dns" (or something similar) keyword you need in the NAT statements. Also, not 100% sure you can do it when forwarding just certain ports, you may need to do 1:1 NAT.

Also, just to explain a little more. This won't allow you to connect to the public IP from inside, all it will do is when you do a DNS query internally that resolves to that IP, the router will doctor it and put in the corresponding private IP.
 