How do I allow requests from my private network to come through my public address

Arthur_Mino
G'day,

I hope someone can help me.

I have a private network: 192.168.1/24
I have a single public static IP address from my ADSL ISP.
I have a server which hosts a DNS with a private address 192.168.1.10 in my private network.
I have created a NAT 1:1 to my private server 192.168.1.10 to my public IP.

The requests from the internet work fine, my DNS resolve to my public IP address fine.

BUT

Requests from my private network 192.168.1/24 pointed at my public IP address are not put through to my server by my router.

I know this can be done from the router without having to change host files or dns settings.

I'm sure it has something to do with my nat 1:1 on a stick.



Any assistance appreciated.

Cheers,

Arthur.


!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname tom
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$zAz8$tYsE9wPlhI1
!
no aaa new-model
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
!
!
crypto pki trustpoint TP-self-signed-823780784
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-823780784
 revocation-check none
 rsakeypair TP-self-signed-823780784
!
!
crypto pki certificate chain TP-self-signed-823780784
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3832 33373830
  37383430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B89B51BD 
        quit
no ip source-route
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name tom.com
!
!
!
username admin privilege 15 secret 5 $1elk$rfhj##$%%Ukm/
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no snmp trap link-status
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ppoe@isp.com
 ppp chap password 7 104F0D34534kj3435kmo4uhiu3
 ppp pap sent-username pppoe@isp.com password 7 0D5200
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.1.10 59.167.231.151
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
 
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 speed 115200
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
 
!
webvpn cef
end


Jody Lemoine, Network Architect

Commented:
Actually it has to do with the way Cisco routers handle NAT in general.  They will handle translation of addresses for traffic moving from an inside interface to an outside interface or vice-versa, but will not act on traffic going from inside to inside or outside to outside.  So, when your client attempts to access the external IP from internal, it doesn't get translated.  What you're trying to accomplish is called "hairpin NAT" where addresses are translated even though they enter and exit on an inside interface.  Cisco IOS just doesn't support this, though there are some advanced approaches involving virtual routing and forwarding instances that may be able to get around it.  Standard practice is to use internal IP addresses on the internal network and external addresses on the external network.
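
The direction rule described in this comment, as an added example that is not part of the thread: a toy Python model of the inside/outside NAT decision, using the addresses from the poster's config. It assumes Dialer0 holds 59.167.231.151 (the public address in the static NAT line) and ignores ports and the PAT state table.

```python
"""Toy model of the IOS NAT direction rule (added example, not from the thread).
Assumption: Dialer0 holds 59.167.231.151, the public address used in the
poster's 'ip nat inside source static' line.  Ports and PAT state are ignored."""
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")          # Vlan1, ip nat inside
ROUTER_INSIDE_IP = ipaddress.ip_address("192.168.1.1")
ROUTER_OUTSIDE_IP = ipaddress.ip_address("59.167.231.151")   # Dialer0, ip nat outside (assumed)

# ip nat inside source static 192.168.1.10 59.167.231.151
STATIC_INSIDE_TO_GLOBAL = {
    ipaddress.ip_address("192.168.1.10"): ipaddress.ip_address("59.167.231.151"),
}
STATIC_GLOBAL_TO_INSIDE = {g: l for l, g in STATIC_INSIDE_TO_GLOBAL.items()}


def route(dst):
    """Routing lookup: the router's own addresses terminate locally, the LAN
    is directly connected on Vlan1, everything else follows the default route."""
    if dst in (ROUTER_INSIDE_IP, ROUTER_OUTSIDE_IP):
        return "local"
    if dst in INSIDE_NET:
        return "inside"
    return "outside"            # ip route 0.0.0.0 0.0.0.0 Dialer0


def forward(src, dst, ingress):
    """Return (egress, src after NAT, dst after NAT, translated) for one packet.
    ingress is "inside" (Vlan1) or "outside" (Dialer0)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress == "outside":
        # outside -> inside: the destination (global) address is translated to
        # the inside local address before the routing lookup.
        d = STATIC_GLOBAL_TO_INSIDE.get(d, d)
        return route(d), str(s), str(d), d != ipaddress.ip_address(dst)
    egress = route(d)
    if egress == "outside":
        # inside -> outside: routed first, then the source is translated, either
        # by the static entry or by the overload (PAT) onto Dialer0.
        s = STATIC_INSIDE_TO_GLOBAL.get(s, ROUTER_OUTSIDE_IP)
        return egress, str(s), str(d), True
    # inside -> inside, or inside -> the router's own address: the packet never
    # crosses from the NAT inside domain to the outside domain, so the static
    # entry is not consulted.  This is the poster's failing case.
    return egress, str(s), str(d), False


if __name__ == "__main__":
    cases = [
        ("203.0.113.5", "59.167.231.151", "outside"),   # Internet client to the public IP
        ("192.168.1.20", "8.8.8.8", "inside"),          # LAN client to the Internet
        ("192.168.1.20", "59.167.231.151", "inside"),   # LAN client to the public IP (fails)
    ]
    for src, dst, ingress in cases:
        print(f"{ingress:>7} {src:>15} -> {dst:<15}", forward(src, dst, ingress))
```

The third case shows the problem: the LAN client's packet is routed to "local" because 59.167.231.151 is the router's own Dialer0 address, so no inside-to-outside crossing occurs and the static entry is never applied.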

Author

Commented:
G'day Jodylemoine.

Thanks for your info, not sure about "Cisco IOS just doesn't support this". I have two clients' networks with CISCO 800's which are currently doing this. The problem is that the routers are managed by their ISP and I can't see the config file.  And I can connect to all the services from the private server through the public IP address.

I guess I'll have to console in to the router and try see the config file.

If any one else has info please assist!

Cheers,

Arthur
Jody Lemoine, Network Architect

Commented:
If you manage to console into the routers and get the configuration, I would be most interested in seeing how it is accomplished in this case.  It's a problem that I and a number of colleagues have been working on.  The official word from Cisco TAC is that it doesn't work that way.

That said, I *have* seen a configuration that involves some very interesting uses of the Virtual Routing and Forwarding (VRF) technology in the router to accomplish this.  I'm still trying to wrap my head around the packet flow before recommending it to anyone though.

Commented:
I have found what jodylemoine has stated to be true. Typically the best way to get around this is through your own local DNS settings, and making sure you point to the local address rather than pushing it to your own public one.

Author

Commented:
G'day guys,

Ok, here it is.

Let me know if you know how it's done.

Cheers,

Arthur
Router#show startup-config
Using 5031 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname FNN01
!
boot-start-marker
boot-end-marker
!
logging buffered 10000
no logging console
enable secret 5 $1$oFDiNrre4WHZ.
!
no aaa new-model
clock timezone EST 10
clock summer-time DEST recurring last Sun Oct 2:00 last Sun Mar 2:00
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
!
!
!
!
!
archive
log config
hidekeys
!
!
controller DSL 0
mode atm
line-term cpe
line-mode 2-wire line-zero
dsl-mode shdsl symmetric annex B
line-rate auto
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description Modem Management Network
pvc 1/32
ubr 128
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0.2 point-to-point
description VPN and RequestDataLink Network
shutdown
pvc 1/33
ubr 384
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface ATM0.3 point-to-point
description Internet Network
pvc 1/34
ubr 1536
encapsulation aal5mux ppp dialer
dialer pool-member 3
!
!
interface ATM0.4 point-to-point
description VoIP and PowerUser Network
shutdown
pvc 1/35
ubr 384
encapsulation aal5mux ppp dialer
dialer pool-member 4
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description FN29 LAN
ip address 192.168.1.1 255.255.255.0
ip access-group 110 in
ip access-group 120 out
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description Modem Management Network
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname 0169A
ppp chap password 5 012131
!
interface Dialer2
description VPN and RequestDataLink Network
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer-group 1
ppp authentication chap callin
ppp chap hostname 016109B@
ppp chap password 5 073D207
!
interface Dialer3
description Internet Network
ip address negotiated
ip access-group 101 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 3
dialer-group 1
ppp authentication chap callin
ppp chap hostname 01629C@MA01
ppp chap password 5 05393E09
!
interface Dialer4
description VoIP and PowerUser Network
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 4
dialer-group 1
ppp authentication chap callin
ppp chap hostname 016C@DA01
ppp chap password 5 11F1C34
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 202.138.192.56 255.255.255.252 Dialer1
ip route 202.138.196.56 255.255.255.252 Dialer1
ip route 202.138.200.56 255.255.255.252 Dialer1
ip route 202.138.202.56 255.255.255.252 Dialer1
ip route 202.138.204.56 255.255.255.252 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 11 interface Dialer3 overload
ip nat inside source static 192.168.1.50 203.111.177.242
!
access-list 11 remark *** Permit end customer address space for NAT
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 70 permit 10.254.254.1
access-list 70 permit 10.224.254.1
access-list 70 permit 10.204.254.1
access-list 70 permit 10.153.254.1
access-list 70 permit 202.138.194.10
access-list 70 remark *** Modem Management
access-list 70 permit 10.71.254.1
access-list 70 permit 202.138.192.56 0.0.0.3
access-list 70 permit 202.138.196.56 0.0.0.3
access-list 70 permit 202.138.200.56 0.0.0.3
access-list 70 permit 202.138.202.56 0.0.0.3
access-list 70 permit 202.138.204.56 0.0.0.3
access-list 70 permit 172.31.241.0 0.0.0.15
access-list 70 permit 172.31.242.0 0.0.0.15
access-list 70 permit 172.31.243.0 0.0.0.15
access-list 70 permit 172.31.244.0 0.0.0.15
access-list 70 permit 172.31.245.0 0.0.0.15
access-list 101 remark Deny private RFC reserved IP addresses.
access-list 101 deny   ip any 10.0.0.0 0.255.255.255
access-list 101 deny   ip any 127.0.0.0 0.255.255.255
access-list 101 deny   ip any 172.16.0.0 0.15.255.255
access-list 101 deny   ip any 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
access-list 110 remark Ethernet Inbound
access-list 110 permit ip any any
access-list 120 remark Ethernet Outbound
access-list 120 permit ip any any
dialer-list 1 protocol ip permit
snmp-server community rdsltrapcomm RO 80
snmp-server community DATCread RO
snmp-server community rdslwritecomm RW 70
snmp-server chassis-id FNN01610970829
snmp-server host 202.138.192.57 rdsltrapcomm
!
!
!
control-plane
!
!
line con 0
exec-timeout 2 0
password 5 095E5B
login
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 2 0
password 5 03165601E
login
!
scheduler max-task-time 5000
end


Jody Lemoine, Network Architect

Commented:
The only explanation I can think of for this working is that the traffic is leaving via the Dialer3 interface and coming in on the external IP address on another interface, which is very different from attempting to hairpin on a router with only a single outside IP.  Can you do a "show ip interface brief" on this router and let me know which interface has 203.111.177.242 assigned to it?

Author

Commented:
G'day Jodylemoine,

Thank you for your reply,

203.111.177.242 was the single static public IP address allocated.

I was reading up on the hairpin NAT, it seems to be for individual ports, I have a NAT 1:1 or NAT on a stick.

Some sites reckon it should work automatically if I have a 1to1 Nat.

Cheers,

Arthur
Jody Lemoine, Network Architect

Commented:
Hey Arthur:

Nat on a stick is a bit different from what you have.  Nat on a stick is where you have a router providing NAT through a single interface for both inside and outside traffic and is pretty rare.  Documentation is below if you're interested:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

In any case, it may well be that 1:1 NAT can do the trick.  In my experience, setting 1:1 NAT on a router with only a single external IP address will disable all external communication for all devices except the internal IP that the 1:1 NAT has been set up on.  That's why I'm wondering which interface the 203.111.177.242 is assigned to.  If it's one of the other dialer interfaces, this all makes sense.  If it's assigned to Dialer3, that's a different story.

Jody

Author

Commented:
G'day jodylemoine.

Thanks for that, I obviously misunderstood the documentation when I first read it.

Not sure I understand what you say  "will disable all external communication for all devices except the internal IP that the 1:1 NAT has been set up on."

Is this a 1:1 Nat?
"ip nat inside source static 192.168.1.10 59.167.231.151"

I currently have a 1:1 Nat (public IP to a private IP)  to a server in  my private network, and I have a NAT for all my private network clients working fine, I just don't have that hairpin loop happening for internal requests.

I know on other gateways/routers they call this the DMZ, you assign your private IP address to be on the DMZ and it all works, and with the Cyberguards and Apple AirPort extremes they do the hairpin loop back in no problem.

There must be a way on the CISCO.

I'm still pulling apart the config file to see if I get any clues.

Cheers,

Arthur
Jody Lemoine, Network Architect

Commented:
I'll have to look into that 1:1 NAT thing as things have obviously changed since I tried it last.

What residential routers like to call a DMZ isn't a DMZ at all and is a major security risk if not handled properly.  A DMZ is a separate network with restrictions on traffic to/from both the Internet *and* the internal network.  What residential routers call a DMZ is just an unrestricted path to a machine on the internal network which, if compromised, gives an intruder access to the entire internal network.

The hairpin on residential routers works by performing NAT on internal traffic, which works at a performance penalty to the router.  This isn't usually an issue with residential-grade units as performance is seldom a concern.  Personally, I think it's something IOS should have as an option to be turned on or off as required, but I don't get to make the architectural decisions for IOS.  :)

I'm still looking into the VRF option for you though.

Jody

Author

Commented:
G'day Jody.

Thanks for that.

A DMZ to a single server is all I need, I have the server taking care of all the security for me. The only thing I need certain from the DMZ is that it goes to the one single IP...that's all.

CISCO talks about the hairpin here, but it talks about individual ports not a 1to1 NAT.
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html

Also, I found this guy with exactly the same problem I have.
http://episteme.arstechnica.com/eve/forums/a/tpc/f/469092836/m/942003506831?r=311005226831#311005226831

There must an option or something I'm sure.


Cheers,

Arthur


Jody Lemoine, Network Architect
Commented:
Checking with Cisco TAC gets the response that hairpin NAT is not supported by IOS...  so there's no real option to turn it on.  The best we can do is come up with some sort of hack that makes it work.  Still working on that.

Author

Commented:
G'day Jody,

But the config file I pulled from the ISP's 870 was doing it. Are you saying it was only working because it may have been doing some big loop in the ISP's network and coming back?

Cheers,

Arthur

Author

Commented:
G'day Jody,


Here's another bloke with the same problem.

http://serverfault.com/questions/26845/unable-to-connect-on-natted-server-from-a-host-computer-on-the-same-lan-using-pub

They talk about using an alias here.

Cheers,

Arthur
Jody Lemoine, Network Architect

Commented:
The 870 you're referring to *may* have been doing it that way, but without knowing which interface 203.111.177.242 is assigned to on that unit, I can't hazard a guess.

The IOS "alias" command is just a method for creating shorthand versions of long commands and has nothing to do with NAT.  The "alias" command they're referring to is on the ASA platform, which *does* support hairpin NAT.

Author

Commented:
G'day Jody,

Check this article out

http://blog.internetworkexpert.com/category/ccie-routing-switching/ip-services/

Titled: A Curious NAT Scenario

I think this is it.

Cheers,

Arthur
Jody Lemoine, Network Architect

Commented:
This would work very well if your outside NAT were any address other than the interface IP of the router.  Because we're dealing with the interface IP, the static routes will never engage because the router will correctly assume that it is the final destination of the packet.  Good research though.

Author

Commented:
Jody Lemoine, Network Architect

Commented:
I took a look.  That entry concludes that the best option is to bypass the problem by splitting DNS so that the internal IP addresses are resolved for internal DNS requests, which is the standard approach to this sort of thing.
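
The split-DNS workaround recommended here and in the earlier comment, as an added example that is not part of the thread: a minimal split-horizon DNS responder in Python that hands LAN clients the private address of the server and everyone else the public one. The zone data is constructed; the host name www.tom.com is an assumption built on the poster's "ip domain name tom.com" line, and the two addresses are the ones in the poster's static NAT entry.

```python
"""Minimal split-horizon DNS responder (added example, not from the thread).
Constructed zone: www.tom.com is assumed; the addresses are the poster's
static NAT pair.  Standard library only; question names are uncompressed."""
import ipaddress
import struct

# Clients whose queries are answered from the "internal" view.
INTERNAL_CLIENTS = [ipaddress.ip_network("192.168.1.0/24")]

# name -> A record per view (constructed data)
ZONE = {
    "www.tom.com.": {"internal": "192.168.1.10", "external": "59.167.231.151"},
}


def select_view(client_ip):
    """Choose the view from the querying client's source address."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_CLIENTS) else "external"


def resolve(name, client_ip):
    """A record for name as seen from client_ip, or None if the name is unknown."""
    rec = ZONE.get(name.lower().rstrip(".") + ".")
    return rec[select_view(client_ip)] if rec else None


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_query(name, txid=0x1234):
    """Build a standard A/IN query; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_query(data):
    """Return (txid, qname, qtype, raw question section) from a query datagram."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", data[:12])
    pos, labels = 12, []
    while data[pos] != 0:
        length = data[pos]
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1                                  # skip the terminating zero label
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return txid, ".".join(labels).lower() + ".", qtype, data[12:pos + 4]


def answer(query, client_ip, ttl=300):
    """Build the response datagram for query, picking the view by client_ip."""
    txid, qname, qtype, question = parse_query(query)
    ip = resolve(qname, client_ip) if qtype == 1 else None
    if ip is None:
        # QR|AA|RD|RA with rcode 3 (NXDOMAIN): question echoed, no answer
        return struct.pack("!HHHHHH", txid, 0x8583, 1, 0, 0, 0) + question
    # 0xC00C is a pointer back to the name at offset 12 (the question)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.ip_address(ip).packed
    return struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0) + question + rr


if __name__ == "__main__":
    q = make_query("www.tom.com")
    for client in ("192.168.1.20", "203.0.113.7"):
        print(client, "sees www.tom.com as", resolve("www.tom.com", client),
              "(", len(answer(q, client)), "byte response )")
```

To serve real clients, bind a UDP socket on port 53 and pass each received datagram and its source address to answer(); internal hosts then reach the server directly on 192.168.1.10 and never send traffic at the router's public address, so no hairpin is needed.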

Author

Commented:
G'day Jody,

Got a bit excited.

I think the terminology for what I need is "NAT LoopBack" feature.

Cheers,

Arthur
