
NAT and internal hosts reaching external address that is translated

Jan 26, 2002
We are currently using NAT and it is working fine for external (Internet) users to access a static map to a webserver we have made:
ip nat inside source static 10.10.10.4 206.124.153.228

However, when internal users behind the NAT (and a PIX firewall) try to access the webserver it times out. Essentially they are resolving the public address 206.124.153.228 and looping back in. However, I am suspecting that the static may be confusing it... We currently set up a DNS entry on the internal DNS server to point to the webserver's internal address. Is this the only way it will work?

Here is a quick run down of how we are utilizing the NAT. We are using route maps (properly I believe) to have everyone go out one interface primarily and switch to the NAT on lower bandwidth interface in case of failure.
ip nat inside source route-map nat-cland interface Serial0/1 overload
ip nat inside source route-map nat-sprint interface Serial0/0 overload

route-map nat-cland permit 10
match ip address 13
match interface Serial0/1
!
route-map nat-sprint permit 10
match ip address 13
match interface Serial0/0

Serial 0/1 and 0/0 have the ip nat outside statements, and FE1/0 has the ip nat inside and the internal network of ip address 10.10.10.1 255.255.255.248.

Thanks
Frank
 
I see what you are trying to do and also see the issue however I would have to test this in the lab. Jeter@LasVegas.com
J.Fisher CCNA
 
yep, it's a kinda weird situation...
I am not familiar enough with NAT and Cisco routers to remedy it. It would be great if you do figure something out..

Thanks!
Frank
 
As far as I know... you have the solution. This is what I ended up doing on my net, and I just set up a net using ISA Server and had the same problem. Again, an internal DNS entry *fixed* the problem.. which does make sense.

The first DNS server used is the internal.. or should be in a good design. You need all local addresses/names here.. also you should keep highly requested domains like cnn.com, ebay.com, espn.com etc ;-) This will speed up folks' access to various pages since it's resolved at the first tier. If the internal DNS does not have the address/name.. it either hands it off to the next authoritative DNS server or sends back an error code to the workstation/server, which then tries the next DNS server in the list.. assuming there is more than one.

Now the workstation has the IP and name.. it's going to start talking to the router: I want to talk to this IP. This is where I get fuzzy.. The router will get the request and then what? It can send to the next hop if there is a route to it, OR does the router know there is a NAT entry that takes that IP and maps it back? Normally a router will look at the packet and decide if it knows of a direct connection (does NAT count?), a route or a forced next hop (0.0.0.0 0.0.0.0 next hop).

I've not hit it this hard to figure it out.. so if someone else has the details or sets up the lab.. please share the results.

MikeS
Find me at
"The trouble with giving up civil rights is that you never get them back"
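The "internal DNS first" arrangement the thread settles on, as an added example that is not part of the original posts: a small model of split-horizon resolution using the addresses from Frank's config (the 10.10.10.0/29 inside network, the static 10.10.10.4 -> 206.124.153.228 map). The hostnames and the second zone entry are constructed for the example.

```python
"""Model of split-horizon ("internal first") name resolution.

Inside clients query the internal DNS server first; it answers only for
local names and hands anything else on to the next server in the list.
Outside clients only ever see the public zone. This is the arrangement
the thread describes as the fix for the NAT loop-back timeout.
"""
import ipaddress

# Addresses taken from the thread's configuration:
#   ip nat inside source static 10.10.10.4 206.124.153.228
#   FE1/0 (ip nat inside): 10.10.10.1 255.255.255.248
INSIDE_NET = ipaddress.ip_network("10.10.10.0/29")
WEB_INSIDE = "10.10.10.4"
WEB_PUBLIC = "206.124.153.228"

# Constructed hostnames: the thread does not name the web server.
WEB_HOST = "www.example.com"
OTHER_HOST = "mail.example.net"   # a name the internal server does not hold

# Internal zone holds local names only, as the post recommends.
INTERNAL_ZONE = {WEB_HOST: WEB_INSIDE}
# Public zone, as seen from the Internet (second entry is constructed).
EXTERNAL_ZONE = {WEB_HOST: WEB_PUBLIC, OTHER_HOST: "203.0.113.10"}


def resolve(name, client_ip):
    """Return the address a client should connect to, or None if unknown.

    Inside clients walk the server list (internal, then external) and take
    the first answer; outside clients go straight to the public zone.
    """
    client = ipaddress.ip_address(client_ip)
    chain = (INTERNAL_ZONE, EXTERNAL_ZONE) if client in INSIDE_NET else (EXTERNAL_ZONE,)
    for zone in chain:
        addr = zone.get(name)
        if addr is not None:
            return addr
    return None


def loops_through_nat(client_ip, dest_ip):
    """True when an inside host is aiming at the public (translated) address
    of an inside server, i.e. the path that timed out in the thread."""
    return ipaddress.ip_address(client_ip) in INSIDE_NET and dest_ip == WEB_PUBLIC
```

With the internal entry in place, inside clients get 10.10.10.4 and never send traffic toward the translated address, while outside clients and names the internal server does not know still resolve via the public zone.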
 