Solved

how to enter static (inside,outside) command in cisco router?

Posted on 2011-02-22
9
870 Views
Last Modified: 2012-05-11
I have set up a Cisco router; there is no problem accessing the internet, and external users are also able to access the public service. However, when an internal user tries to access the website using the external IP address, it gets blocked. Tested externally, there is no problem seeing the site. I found that I need to enter this command: "static (inside,outside) 151.205.x.x 10.1.20.222 dns netmask 255.255.255.255"

But it seems I cannot enter this using the CLI... how do I do it?
Question by:okamon
9 Comments
LVL 6

Expert Comment

by:wpharaon
ID: 34958072
For a Cisco router:
The first step is to define the addresses that will need to do NAT. This can be done using a standard access-list:

access-list 1 permit <your_lan_address> <wildcard_mask>
example: access-list 1 permit 192.168.1.0 0.0.0.255

Now we should enable the actual NAT:
ip nat inside source list <access-list-number> interface <outside-interface> overload
example: ip nat inside source list 1 interface Ethernet1 overload

This command states that the router will take the addresses from the access-list we defined in step 1 and NAT them to the public IP address on the interface, e.g. serial 0, dialer 0, ethernet 1, ... The overload keyword specifies that multiple LAN addresses can be NAT'd to that same address. The router uses the TCP and UDP ports of the hosts (LAN addresses) to translate the public IP address back to the originating local host address.

The last step we need to configure is to tell the router which are our inside and outside addresses. This is achieved using the following commands:
- for the inside
conf t
interface <ethernet | fastethernet> <number>
ip nat inside

- for the outside, assume we are dealing with an xDSL router
conf t
interface dialer0
ip nat outside

Now that NAT is configured, we can check which addresses are being used with the show ip nat translations command.
LVL 24

Expert Comment

by:rfc1180
ID: 34958222
What is it that you have, a Cisco router or a PIX? The "static (inside,outside)" command is for a PIX or ASA, and the configuration for NAT statements is much different.

Furthermore, your statement "the website using external ip address it get blocked" is a typical issue encountered when trying to access an internal server using the external IP. On Cisco routers, this is overcome by utilizing a concept called NAT hairpin routing; DNS doctoring, which is the feature you are looking for, is not supported on Cisco routers. However, that is the correct command for the PIX and ASA, and in some versions it is handled by default, if I recall.

If you are trying to add the command to an IOS router, it will fail.

WORKAROUND 1:
Instead of using the public IP address, try to access the server through the private IP address. It's the simplest way to solve this issue.

WORKAROUND 2:
Configure what is called NAT on a Stick in your router. This kind of special configuration "tricks" both the server and the LAN into believing they are talking with a completely different network, avoiding the issue related to the NAT. Keep in mind regarding this workaround that this specific setup is not supported by Cisco.

http://ccietobe.blogspot.com/2009/01/nat-on-stick.html

PIX/ASA:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Also note that if you have already applied the command, you also need to enable DNS inspection to perform DNS doctoring (read the last link; it has all the required information).

Good Luck
Billy

Author Comment

by:okamon
ID: 34958350
Yes, mine is a Cisco router and it's configured as NAT, so people share one public IP... but I don't want to use the internal IP, as the users are used to using the external address for accessing the website. So are you saying the only way to do it is to use NAT on a Stick?
LVL 6

Expert Comment

by:wpharaon
ID: 34958365
No, the configuration I entered for you earlier would work on your router.
LVL 24

Expert Comment

by:rfc1180
ID: 34958488
> So are you saying the only way to do it is to use NAT on a Stick??
Correct; you will NOT be able to redirect an internal network from the inside to the outside and back into the inside without a NAT hairpin route.

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html
Figure 10: Hairpin NAT Operation

Here is another thread with additional workarounds; I have only implemented the hairpin solution.

http://www.gossamer-threads.com/lists/cisco/nsp/90968
Billy

Author Comment

by:okamon
ID: 34960610
Is it difficult to set up a NAT hairpin route? I don't know much about Cisco... any tutorial?
LVL 24

Accepted Solution

by:rfc1180 (earned 350 total points)
ID: 34963838
Simple solution: add the same hardcoded public IP as a secondary IP on the web server. On the router, add a route to this public IP pointing to the private IP of the database server:

ip route 151.205.x.x 255.255.255.255 10.1.20.222

For outside users, the router will de-NAT the public IP to the private one and pass it on to the server. The fake public secondary IP will not be visible to internet users; it is internal only to the local LAN.

For inside users to reach the fake secondary public IP, use the router as the default gateway. Inside users can reach the web server either on the secondary fake public IP or on the primary private IP...

If the users and the web server share the same subnet, the return traffic from the web server will be sent directly to the users, as the web server will have a connected route for the user's private IP. If they are on different VLANs, the web server will route via the router as its default gateway.

Billy
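To make the reasoning in this answer concrete, here is an added example (not from the thread or from Cisco) that models the forwarding decisions of a router with only a static inside/outside translation, and shows why inside clients are blocked without the host route, why the route alone is not enough unless the server also binds the public IP, and how the return path differs when the client is on another VLAN. The addresses are the ones from the question; 151.205.0.1 stands in for 151.205.x.x, and all hosts are constructed for the example.

```python
# Added example: minimal model of hairpin NAT and the secondary-IP + host-route workaround.
# Addresses follow the question; 151.205.0.1 is a stand-in for the redacted 151.205.x.x.
import ipaddress

PUBLIC_IP = ipaddress.ip_address("151.205.0.1")   # router outside IP, statically NATted to the server
SERVER_IP = ipaddress.ip_address("10.0.0.20")     # web server's primary (private) address
LAN = ipaddress.ip_network("10.0.0.0/24")         # subnet the server sits in


class Router:
    """IOS-like forwarder: the static translation is applied only to packets arriving
    on the outside interface; on the inside, the routing table decides."""

    def __init__(self, hairpin_route=False):
        self.static_nat = {PUBLIC_IP: SERVER_IP}      # outside -> inside translation
        self.routes = {}                              # prefix -> next hop
        if hairpin_route:                              # ip route 151.205.x.x 255.255.255.255 10.0.0.20
            self.routes[ipaddress.ip_network(f"{PUBLIC_IP}/32")] = SERVER_IP

    def forward(self, ingress, dst):
        """Return (egress, next_hop, dst_after_nat). Egress 'router' means the packet
        terminates on the router itself and never reaches the server."""
        if ingress == "outside" and dst in self.static_nat:
            return "inside", self.static_nat[dst], self.static_nat[dst]   # de-NAT
        if ingress == "inside":
            # longest-prefix match; the /32 host route wins over anything less specific
            for prefix, nh in sorted(self.routes.items(), key=lambda kv: -kv[0].prefixlen):
                if dst in prefix:
                    return "inside", nh, dst          # inside -> inside, no translation
            if dst == PUBLIC_IP:
                return "router", None, None           # addressed to the router's own interface
            return "outside", "isp", dst
        return "router", None, None


def scenario(client, ingress, hairpin_route, server_has_secondary):
    """Outcome for a client connecting to the public IP: 'blocked', 'ok-direct' or 'ok-via-router'."""
    client = ipaddress.ip_address(client)
    egress, _next_hop, dst = Router(hairpin_route).forward(ingress, PUBLIC_IP)
    if egress != "inside":
        return "blocked"
    server_addrs = {SERVER_IP} | ({PUBLIC_IP} if server_has_secondary else set())
    if dst not in server_addrs:
        return "blocked"                              # server has no interface with that address
    # Reply path: a client in the server's subnet is reached directly (connected route);
    # anything else, including outside users, goes back through the router as default gateway.
    if ingress == "outside" or client not in LAN:
        return "ok-via-router"
    return "ok-direct"
```

Running the five cases (outside client; inside client without the route; with the route but no secondary IP; with both on the same subnet; with both on a different VLAN) reproduces the thread's conclusions.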

Author Comment

by:okamon
ID: 34970194
Thanks rfc1180, it seems a simple solution. But let me confirm if this is correct:
my LAN is 10.0.0.0/24
web server: 10.0.0.20
web server IP: 151.205.x.x

So I go to the config mode of the router and type 151.205.x.x 255.255.255.255 10.0.0.20
and then on the web server, I also put 151.205.x.x in the TCP/IP settings, and for the host header value I just leave it blank?

Is the above correct?
LVL 24

Expert Comment

by:rfc1180
ID: 34971484
Sounds good

Billy
Question has a verified solution.