Cannot access public IP from internal network

Client wants to use the public IP assigned to a SQL DB so they don't have to change it when their sales staff goes on and off site. I recommended working around this by using DNS but they are out of host records from their DNS provider.

I'm able to ping the public IP from the internal network. But using a browser it times out. Using the internal IP it works fine. Internal IP is 172.16.5.25; public IP is 66.x.x.27.

ip nat inside source static tcp 172.16.5.25 80 66.x.x.27 80 extendable
interface GigabitEthernet0/0
 description DATA network
 ip address 172.16.5.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description PHONE network
 ip address 172.16.10.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/1/0.1 point-to-point
 no ip mroute-cache
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-PPP1
 no ip address
!
interface Virtual-Template1
 description T1 outside
 ip address 66.x.x.26 255.255.255.248
 ip access-group 103 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect TELNET in
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 ppp chap hostname xxx
 ppp chap password 7 xxx
 crypto map VPN
!
interface Virtual-TokenRing1
 no ip address
 ring-speed 16
!
ip local pool vpnpool 172.16.40.100 172.16.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 66.x.x.25
!
ip dns server
ip flow-export version 5
ip flow-export destination 172.16.5.4 9996
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Virtual-Template1 overload
ip nat inside source static tcp 172.16.5.1 23 66.x.x.26 23 extendable
ip nat inside source static tcp 172.16.5.80 80 66.x.x.26 80 extendable
ip nat inside source static tcp 172.16.5.80 9090 66.x.x.26 9090 extendable
ip nat inside source static tcp 172.16.5.80 9192 66.x.x.26 9192 extendable
ip nat inside source static tcp 172.16.5.25 80 66.x.x.27 80 extendable
ip nat inside source static tcp 172.16.5.81 80 66.x.x.28 80 extendable
ip nat inside source static tcp 172.16.5.81 9090 66.x.x.28 9090 extendable
ip nat inside source static tcp 172.16.5.81 9192 66.x.x.28 9192 extendable
ip nat inside source static tcp 172.16.5.5 80 66.x.x.29 80 extendable
ip nat inside source static tcp 172.16.5.82 80 66.x.x.30 80 extendable
ip nat inside source static tcp 172.16.5.82 9090 66.x.x.30 9090 extendable
ip nat inside source static tcp 172.16.5.82 9192 66.x.x.30 9192 extendable
!
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 101 remark ACL for ShoreTel VoIP
access-list 101 deny   ip 172.16.10.0 0.0.0.255 any
access-list 101 deny   ip 66.x.x.24 0.0.0.7 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark ACL for network traffic
access-list 102 deny   ip 172.16.5.0 0.0.0.255 any
access-list 102 deny   ip 66.x.x.24 0.0.0.7 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark Traffic allowed over Virtual Template1 T1
access-list 103 permit ahp host 208.x.x.171 host 66.x.x.26
access-list 103 permit esp host 208.x.x.171 host 66.x.x.26
access-list 103 permit udp host 208.x.x.171 host 66.x.x.26 eq isakmp
access-list 103 permit udp host 208.x.x.171 host 66.x.x.26 eq non500-isakmp
access-list 103 permit ip 172.16.5.0 0.0.0.255 66.167.224.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 103 deny   ip 172.16.5.0 0.0.0.255 any
access-list 103 deny   ip 172.16.10.0 0.0.0.255 any
access-list 103 permit icmp any host 66.x.x.26 echo-reply
access-list 103 permit icmp any host 66.x.x.26 time-exceeded
access-list 103 permit icmp any host 66.x.x.26 unreachable
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
access-list 103 permit tcp any any eq 4445
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 5800
access-list 103 permit tcp any any eq 5900
access-list 103 permit tcp any any eq 9090
access-list 103 permit tcp any any eq 9192
access-list 103 permit tcp any any eq telnet
access-list 103 permit udp any any eq 5004
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 110 remark Tunnel 
access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 140 remark VPN clients
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.5.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny   ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 deny   ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.255
access-list 199 permit ip any any
!
route-map nonat permit 10
 match ip address 199

Asked by andersenks

lrmoore commented:
For all intents and purposes, it is not possible with Cisco IOS. Yes, a $50 linksys router will do it, but based on the order of processing between routing, source nat and destination nat, the end result is that both the source and destination are on the same network and IOS cannot deal with that.
The BEST solution is to use DNS with public servers resolving to the public IP and internal servers resolving to the internal IP. If their DNS hosting only provides for 5 host names, it is time to get a new DNS hosting. Much less trouble than trying to put a round peg through a square hole on the router.
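A simplified model of the asymmetric path lrmoore describes, added here as an example; it is not code from the thread or from Cisco, and it does not reproduce the exact IOS order of operations. It treats the router as a box that rewrites a destination matching a static entry and rewrites the source only when a packet leaves through the outside interface, then traces one TCP handshake for an inside client and an outside client. The masked public address 66.x.x.27 is written as 66.0.0.27 (a constructed stand-in), and the client addresses 172.16.5.50 and 203.0.113.10 are constructed.

```python
"""Why a static NAT entry does not 'hairpin' for hosts on the inside LAN.

Simplified model (added example, not IOS code): the reply from the server
reaches an inside client directly over the LAN, so it never passes the
router's translation and arrives from an address the client did not connect to.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flag")

INSIDE_NET = ipaddress.ip_network("172.16.5.0/24")
# public -> inside mapping, as in the posted line
# 'ip nat inside source static tcp 172.16.5.25 80 66.x.x.27 80 extendable'
# (66.0.0.27 is a constructed stand-in for the masked 66.x.x.27)
STATIC_NAT = {("66.0.0.27", 80): ("172.16.5.25", 80)}
INSIDE_TO_PUBLIC = {v: k for k, v in STATIC_NAT.items()}


def is_inside(addr):
    return ipaddress.ip_address(addr) in INSIDE_NET


def router_translate(pkt):
    """Translation applied to a packet the router forwards (simplified)."""
    inside = STATIC_NAT.get((pkt.dst, pkt.dport))
    if inside:  # destination is a static public tuple: rewrite to the inside host
        pkt = pkt._replace(dst=inside[0], dport=inside[1])
    if is_inside(pkt.src) and not is_inside(pkt.dst):  # leaving via the outside
        public = INSIDE_TO_PUBLIC.get((pkt.src, pkt.sport))
        if public:  # reverse of the static entry, so the outside peer sees 66.0.0.27
            pkt = pkt._replace(src=public[0], sport=public[1])
    return pkt


def deliver(pkt):
    """Host forwarding decision: two hosts on the inside LAN talk directly
    (ARP); anything else is handed to the router. Returns (packet, path)."""
    if is_inside(pkt.src) and is_inside(pkt.dst):
        return pkt, "direct"
    return router_translate(pkt), "via-router"


def handshake(client_ip, client_port, dst_ip, dst_port):
    """Trace SYN and SYN-ACK. Returns ('connected', path) when the reply's
    source matches the socket the client opened, else ('timeout', path)."""
    syn = Packet(client_ip, client_port, dst_ip, dst_port, "SYN")
    syn_at_server, _ = deliver(syn)
    # the server answers whatever source it saw in the SYN
    syn_ack = Packet(syn_at_server.dst, syn_at_server.dport,
                     syn_at_server.src, syn_at_server.sport, "SYN-ACK")
    syn_ack_at_client, path = deliver(syn_ack)
    if (syn_ack_at_client.src, syn_ack_at_client.sport) == (dst_ip, dst_port):
        return "connected", path
    return "timeout", path  # reply from an unexpected address is dropped


if __name__ == "__main__":
    cases = [
        ("inside client -> public IP", "172.16.5.50", "66.0.0.27"),
        ("outside client -> public IP", "203.0.113.10", "66.0.0.27"),
        ("inside client -> internal IP (split DNS)", "172.16.5.50", "172.16.5.25"),
    ]
    for label, client, target in cases:
        print(f"{label}: {handshake(client, 40000, target, 80)}")
```

The third case is the DNS answer given in the thread: once inside clients resolve the name to 172.16.5.25 the handshake never touches the router, and the outside case shows why the same static entry works for the sales staff off site, where both directions pass through the translation.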
B H commented:
Their DNS provider won't let them make any new host records? That's pretty odd. Are there no hostnames pointing to this outside IP address at all?

If there is, all you have to do is tell the workstations to use that hostname, and make sure internal DNS resolves it to the internal IP address... outside already does.
andersenks (author) commented:
The other problem is the DNS provider also hosts their e-mail. They aren't ready to migrate their e-mail off to another provider yet. Anyone know of a way to get this to work?
B H commented:
Is there no public hostname pointing to the machine the SQL database is on? None at all?
B H commented:
You could host your DNS records at any $5 host and keep your mail on the current host... just set up your new host's records, MX and A (and www, etc.), to point to the same IP addresses they do right now. There's no technical reason to have the DNS host and the mail host be the same company.
JeffSchaper commented:
What about using the hosts file on the workstations? C:\Windows\System32\drivers\etc\hosts
xxx.xxx.xxx.xxx hostname
Add both entries here.
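Whichever way the internal view is served, as an internal DNS zone (B H's suggestion) or a hosts file on each workstation (JeffSchaper's), the records only work if they agree with the router's static NAT table. The following is an added example, not the thread's or Cisco's code: it parses `ip nat inside source static tcp` lines of the kind in the posted config, parses a hosts-file-style internal view and external view, and reports any name whose internal answer is not the inside host that the external address is translated to. The sample records and the `example.com` names are constructed, and the masked public addresses are written as 66.0.0.x as stand-ins.

```python
"""Consistency check between split-horizon DNS records and IOS static NAT.

Added example. Finds names that inside clients would still resolve to the
public address (missing internal record) or to the wrong inside host.
"""
import re

# matches lines like: ip nat inside source static tcp 172.16.5.25 80 66.0.0.27 80 extendable
NAT_LINE = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)")

# Constructed subset of the posted config; 66.0.0.x stands in for the masked 66.x.x.x.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 172.16.5.25 80 66.0.0.27 80 extendable
ip nat inside source static tcp 172.16.5.81 80 66.0.0.28 80 extendable
ip nat inside source static tcp 172.16.5.81 9090 66.0.0.28 9090 extendable
ip nat inside source static tcp 172.16.5.5 80 66.0.0.29 80 extendable
"""

# Constructed public view: what the hosting provider answers to the internet.
EXTERNAL_ZONE = """\
66.0.0.27 sql.example.com
66.0.0.28 portal.example.com
66.0.0.30 crm.example.com
"""

# Constructed internal view: a hosts file or internal zone given to workstations.
INTERNAL_HOSTS = """\
172.16.5.25 sql.example.com
172.16.5.80 portal.example.com   # stale: the NAT for 66.0.0.28 targets .81
"""


def parse_static_nat(config_text):
    """Return {(public_ip, public_port): (inside_ip, inside_port)}."""
    table = {}
    for line in config_text.splitlines():
        m = NAT_LINE.match(line.strip())
        if m:
            inside_ip, inside_port, public_ip, public_port = m.groups()
            table[(public_ip, int(public_port))] = (inside_ip, int(inside_port))
    return table


def parse_hosts(text):
    """Parse 'ip name [name ...]' lines (hosts-file layout), ignoring # comments."""
    records = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            records[name.lower()] = ip
    return records


def check_split_dns(nat_table, internal, external, port=80):
    """For each externally published name, confirm the internal view points at
    the inside host the router would translate that public address to.
    Returns a list of problem descriptions; empty means the views agree."""
    problems = []
    for name, public_ip in external.items():
        mapped = nat_table.get((public_ip, port))
        if mapped is None:
            problems.append(f"{name}: external {public_ip}:{port} has no static NAT entry")
            continue
        internal_ip = internal.get(name)
        if internal_ip is None:
            problems.append(f"{name}: no internal record, inside clients would "
                            f"try to hairpin to {public_ip}")
        elif internal_ip != mapped[0]:
            problems.append(f"{name}: internal {internal_ip} differs from NAT target {mapped[0]}")
    return problems


if __name__ == "__main__":
    nat = parse_static_nat(SAMPLE_CONFIG)
    for problem in check_split_dns(nat, parse_hosts(INTERNAL_HOSTS), parse_hosts(EXTERNAL_ZONE)):
        print(problem)
```

Run it against a real `show running-config | include ip nat inside source static` dump plus the two views; an empty result means every published name resolves inside to the host the static entry targets, which is the condition under which the on-site and off-site behaviour match.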
andersenks (author) commented:
I talked them into deleting one of their DNS entries from their hosting provider and configured internal and external names to match.

Thanks guys
andersenks (author) commented:
Thanks guys!