Cisco Router - Allow internal clients to access an internal server through an external IP

I have an internal web server that has an external IP address assigned via a Cisco Router with a ip nat command:
ip nat inside source static tcp 10.1.1.10 443 [External IP] 443 extendable

connections from the outside is perfect and running - but internal clients can't connect via the external IP
we get a "refused to connect" message

the goal is to have internal clients access the server from the external IP

any help is appreciated, thank you
AMtekAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

AMtekAuthor Commented:
After quite a bit of research, this may be related to loopback support, u-turn nat, or even hairpinning. Then I stumbled on NVI.

If i'm not mistaken, this involves removing the 'ip nat inside/outside' commands on the internal/external interfaces and adding 'ip nat enable'.

then rewriting the NAT rules. This would consist of removing the 'inside/outside' of the nat commands including the one i have above. so for example the new command would be:
ip nat source static tcp 10.1.1.10 443 [External IP] 443 extendable

this would include the overload to allow internal clients internet access with nat translation.
example:

current config:
ip nat inside source list 120 interface fastethernet 0/0 overload

access-list 120 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 any

adjusted config:
ip nat source list 120 interface fastethernet 0/0 overload

access-list 120 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 any

the deny statements are for routers at branch offices with a direct WAN connection
i would assume that the routers in the other branch offices would need to be configured the same (NVI)?

i believe i would also have to clear the ip nat translation table with the command:
clear ip nat translation

and then add a command to both interfaces:
no ip redirects

Is this correct or am i way off? can anyone help verify or point me in the right direction?
thanks
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JustInCaseCommented:
It is correct.  One of the reasons for NVI interface is hairpinning.

interface x
no ip nat outside
ip nat enable
!
interface y
no ip nat inside
ip nat enable
!
no ip nat inside source list 120 interface fastethernet 0/0 overload
ip nat source list 120 interface fastethernet 0/0 overload

Configuration changes are needed only for device that will actually perform hairpinning.
0
AMtekAuthor Commented:
thanks
0
AMtekAuthor Commented:
The solution worked. Would prefer internal DNS and keep the load off of the router but under the circumstances this solution provided the end user with their desired results.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.