  Patmetoo
@optonline.net
| How do you port forward locally?
I have IOS doing a basic PAT overload and it works great. But I have an issue with seeing my local servers because it resolves to the external IP and it doesn't route.
Example, my local network is 192.168.1.0
Web server 192.168.1.5 Computer 192.168.1.100 External IP 24.25.20.10
I have an internal static NAT that maps port 88 to the internal web server:
ip nat inside source static tcp 192.168.1.5 88 interface Ethernet0 88
When I look from my local PC (192.168.1.100) to www.mywebsite.com:88 (resolves to 24.25.20.10) it doesn't route to 192.168.1.5. External people entering the Cisco box work fine, but not internal ones. How do I configure it so that the IOS also routes internal users? So when my packet goes to the IOS, it knows to route it as if I were an external user. My old Linksys box used to figure this out fine. |
|
 aryoba Premium,MVM join:2002-08-22 | Check out this forum FAQ for some descriptions.
»Cisco Forum FAQ »NAT, PAT, Internet and Server Access: Introduction and Best Practise |
|
  Patmetoo
@optonline.net
| reply to Patmetoo Hmm... from the FAQ it reads that internal users should access the internal IP directly. That seems cumbersome, because I can only see two ways around it. The first is to run a local DNS server. The second is to edit the local hosts file.
Is there another way in IOS to route certain IP and port ranges to another IP? So if IOS sees a request internally to a 24.25.20.10 888 address, it repackages it and reroutes it to 192.168.1.5 888? |
|
  tubbynet Just a green in a sea of blue and red Premium join:2008-01-16 Mesa, AZ
| Specifically, you are looking to perform DNS redirection using your router. While I have looked to find something like this, I haven't been able to successfully implement it. With most of my internal stuff, I have just used a spare PC and put CentOS on it. When using BIND with Webmin, the setup is cake and it allows you to redirect internally the way it should be done.
q. |
|
  Patmetoo
@optonline.net | reply to Patmetoo Thanks. Yeah, I'm probably too lazy to maintain another DNS server. I will probably use the hosts file route. Pity, 'cause it was never a problem with my Linksys router. |
|
  sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Budd Lake, NJ
| reply to Patmetoo What your Linksys and likely everything else out there does is sometimes known as "NAT reflection". The firewall/router just creates a rule that matches requests from inside to its own outside IP+port as something of an exception.
Judging from the responses here, this is not a standard Cisco NAT feature. However I would imagine there must be some trickery that can accomplish the same thing. Policy routing perhaps?
In short, a rule matching traffic from 192.168.1.0/24 and destined to 24.25.20.10 seems feasible. After that, I'm lost. I'd put money on policy routing being able to do this though. I just don't know jack about it other than very simple route overrides. |
|
 mr_dirt
join:2006-02-14 Denver, CO
| reply to Patmetoo I'm nearly positive that this has come up before, but NAT applies fixup on DNS replies such that internal hosts end up receiving the translated inside addresses in DNS queries for a given host, if IOS NAT carries a static translation for said host. The only doc that says anything about this is »www.cisco.com/en/US/technologies···2b9.html. It sucks that there are no other docs that describe the particulars, but I don't suppose that there are particulars to describe; it just works.
Edited to add: I posted this very same link in an earlier thread that asked the same question some time ago:
»[Config] NAT static |
|
  Patmetoo
@optonline.net
| I tried searching for it too first, but I must have used the wrong terms. So I did some digging into the DNS and it's half a solution. Maybe someone knows how to improve this.
In this Cisco doc »www.cisco.com/en/US/tech/tk648/t···3b.shtml it states that any DNS entries entered as an outside source will be remapped.
So I tried this and it worked. If I do a DNS lookup for www.mywebsite.com it resolves as 192.168.1.5:
ip nat outside source static 24.25.20.10 192.168.1.5
The caveat I found was that there's no provision for multiple IPs in the port ranges. So if you had a web server running on 80 and a different mail server on 25, the IOS cannot choose between both. That's because when a DNS query goes out it doesn't know which port the destination is going to.
So even with the DNS rewrite it's half a solution. I tried searching under NAT reflection but didn't come up with anything for IOS. Bummer, but at least I learned a new term! |
|
  Patmetoo
@optonline.net
| Hmm, looks like the 'ip nat outside source' statement will rewrite the DNS, but it also makes my web server inaccessible from the outside. So that's no good. I wonder if my syntax was incorrect... I've been trying to understand when the ip nat outside source statement can be used. |
|
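The two mechanisms argued over in this thread, "NAT reflection" (sporkme's post) and the DNS-reply rewrite with its per-port caveat (Patmetoo's later posts), can be shown in a small simulation. The following is an added illustration, not code from the thread and not Cisco's implementation: it models the poster's addresses and static forward, and shows why a plain inside-source static entry leaves an inside client talking to the router, why a reflection rule that rewrites only the destination still fails (the server's reply bypasses the router), what a working reflection rule rewrites, and why a DNS A record can be rewritten per address but not per port. ROUTER_INSIDE, the reflection modes and the constructed client flows are assumptions.

```python
"""Toy model of the NAT behaviour discussed in this thread (added example,
not Cisco code, not a description of IOS internals). It simulates why a
plain static port forward leaves inside clients talking to the router
itself, what a "NAT reflection" rule must rewrite to fix that, and why a
DNS reply can be rewritten per address but not per port. Addresses and
ports come from the post; ROUTER_INSIDE and the rule logic are assumed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

INSIDE_NET = "192.168.1."      # the poster's LAN
ROUTER_INSIDE = "192.168.1.1"  # assumption: the router's LAN-side address
OUTSIDE_IP = "24.25.20.10"     # the poster's external address
WEB = ("192.168.1.5", 88)      # the poster's web server, forwarded as outside :88


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str  # interface the packet arrived on: "inside" or "outside"


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


class Nat:
    """Static forwards keyed by outside port, as in
    'ip nat inside source static tcp 192.168.1.5 88 interface Ethernet0 88'.
    reflection: "none" (plain static NAT), "dnat" (naive reflection: rewrite
    destination only) or "full" (rewrite destination and source)."""

    def __init__(self, reflection: str = "none"):
        self.static: Dict[int, Tuple[str, int]] = {}
        self.reflection = reflection

    def forward(self, inside_ip: str, inside_port: int, outside_port: int) -> None:
        self.static[outside_port] = (inside_ip, inside_port)

    def translate(self, pkt: Packet) -> Packet:
        # Outside -> inside: destination rewrite, the part that already works.
        if pkt.ingress == "outside" and pkt.dst == OUTSIDE_IP and pkt.dport in self.static:
            ip, port = self.static[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        # Inside client -> the router's own outside address.
        if (pkt.ingress == "inside" and is_inside(pkt.src) and pkt.dst == OUTSIDE_IP
                and pkt.dport in self.static and self.reflection != "none"):
            ip, port = self.static[pkt.dport]
            if self.reflection == "dnat":
                return replace(pkt, dst=ip, dport=port)
            # Rewrite the source too, so the server replies via the router
            # (which untranslates) instead of straight to the client from
            # 192.168.1.5, an address the client's TCP stack is not expecting.
            return replace(pkt, dst=ip, dport=port, src=ROUTER_INSIDE)
        # Plain inside-source NAT only rewrites the source of inside->outside
        # traffic; a packet addressed to the router's own IP stays with the
        # router. This is what the poster sees.
        return pkt


def deliver(nat: Nat, pkt: Packet) -> str:
    """Where a packet ends up after translation, and whether the reply path works."""
    out = nat.translate(pkt)
    if out.dst == OUTSIDE_IP:
        return "router"
    if (out.dst, out.dport) != WEB:
        return "elsewhere"
    if is_inside(out.src) and out.src != ROUTER_INSIDE:
        return "server, reply bypasses router"
    return "server"


def dns_fixup(answer_ip: str, outside_static: Dict[str, str],
              port_static: Dict[int, Tuple[str, int]]) -> Optional[str]:
    """Rewrite an A record as the post describes: an address-level entry such
    as 'ip nat outside source static 24.25.20.10 192.168.1.5' maps the whole
    outside address to one inside host, so the answer can be rewritten.
    Port-level forwards to different hosts cannot be used: the DNS reply
    carries no port to choose by, so the answer is left alone."""
    if answer_ip in outside_static:
        return outside_static[answer_ip]
    hosts = {ip for ip, _ in port_static.values()}
    return hosts.pop() if len(hosts) == 1 else None


def run_demo() -> Dict[str, Optional[str]]:
    """Constructed flows: an inside client and an outside client hitting :88."""
    results: Dict[str, Optional[str]] = {}
    inside_client = Packet("192.168.1.100", 51000, OUTSIDE_IP, 88, "inside")
    for mode in ("none", "dnat", "full"):
        nat = Nat(mode)
        nat.forward(*WEB, 88)
        results[mode] = deliver(nat, inside_client)
    results["outside"] = deliver(nat, Packet("1.2.3.4", 40000, OUTSIDE_IP, 88, "outside"))
    results["dns_one_host"] = dns_fixup(OUTSIDE_IP, {OUTSIDE_IP: "192.168.1.5"}, {})
    results["dns_two_hosts"] = dns_fixup(
        OUTSIDE_IP, {}, {80: ("192.168.1.5", 80), 25: ("192.168.1.6", 25)})
    return results
```

Calling run_demo() gives "router" for the plain static entry (the poster's symptom), "server, reply bypasses router" for a destination-only reflection rule, and "server" once the source is rewritten as well; the outside client reaches the server in every mode. The two dns_fixup calls return the single inside host for an address-level mapping and None when two port forwards point at different hosts, which is the caveat the poster hit.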