
Unable to access internal servers using public IP

Status
Not open for further replies.

dunninth

IS-IT--Management
Jan 26, 2009
We have several servers that can be accessed from the internet using our public IP address. When we try to access it from inside our Cisco 1811 using the public IP there is no response.

What do I need to do to allow use of the public IP from inside?

Thanks in advance
 
Best example is that we use to get to our Exchange server. Works perfect from anywhere on the internet. Inside our network it just times out.

Here is the config with sensitive info x'd out:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1800
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$vJzs$nO74jvnZhpp4PXDESr.RM1
!
aaa new-model
!
!
aaa authentication login vpnclient group radius local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network authorize_vpn_list local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
ip domain name xxxxx.com
ip name-server xxx.xxx.0.9
ip name-server xxx.xxx.0.10
!
!
crypto pki trustpoint TP-self-signed-649839349
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-649839349
revocation-check none
rsakeypair TP-self-signed-649839349
!
!
crypto pki certificate chain TP-self-signed-649839349
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 36343938 33393334 39301E17 0D303930 31323531 33333633
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3634 39383339
33343930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
CD4B56D9 EBAAAF94 5962063A A56C2CC9 F1E12F9D DEE2D156 5F10F2DB 267AF5BF
35025518 EB65069C CD3DE155 A852E547 62D50EC6 6A34AEB9 B9F310B9 EC74F16D
E8AEBD81 51BF0972 E2EDDF41 221DED80 05C98496 056AE8DA 9D491B17 A18B0144
B979D21E 05AF46CF 42EEEB70 5E8CF540 1CDF1EC3 BA20D10B 683A7B5D F5139F01
02030100 01A37630 74300F06 03551D13 0101FF04 05300301 01FF3021 0603551D
11041A30 18821643 6973636F 31383030 2E526569 6C6C7977 772E636F 6D301F06
03551D23 04183016 8014A9CA 3D658F86 A0141F5E 7335B5F1 29C1336B 605E301D
0603551D 0E041604 14A9CA3D 658F86A0 141F5E73 35B5F129 C1336B60 5E300D06
092A8648 86F70D01 01040500 03818100 4AB46FB1 9FF6F247 734B01A5 FE5A5D45
1B5071A7 A989E276 1C4C7BA3 0302FD25 819802E0 AC7424AA 566C96FD EFB5CE3E
E0B03786 C9F0FAC2 6E8CB759 24BA1577 96CA5BA0 FD40520E A378D1D3 3FB76043
53D4C5DA E36ED4A3 50959188 68D4389C 3D7CFEC2 DFEE602A CEBDE3F7 39F8C9D8
6E599FCF 0C0DE2BE 4563EA96 9ADE6FCD
quit
username xxxxx privilege 15 secret 5 $1$z41X$1Ap1Bv/lmXbE6GxvkQfmN.
username xxxxx privilege 15 secret 5 $1$w4Wt$qfn3ez23WL8iGuBjL8rjw/
username xxxxx secret 5 $1$u.TE$BNlmq19uEHbnlgbJD0shG1
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 20 3
!
crypto isakmp client configuration group rww_vpn_group
key rwwvpn
dns 192.168.5.12
domain xxxxx.com
pool VPN_pool
acl 100
firewall are-u-there
include-local-lan
max-logins 9
crypto isakmp profile sdm-ike-profile-1
match identity group rww_vpn_group
client authentication list vpnclient
isakmp authorization list authorize_vpn_list
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set rww_transform_set esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map VPN_dynamic_map 10
set transform-set rww_transform_set
!
!
crypto map VPN_static_map client authentication list vpnclient
crypto map VPN_static_map isakmp authorization list authorize_vpn_list
crypto map VPN_static_map client configuration address respond
crypto map VPN_static_map 1000 ipsec-isakmp dynamic VPN_dynamic_map
!
!
!
!
interface FastEthernet0
description $ETH-LAN$
ip address xxx.xxx.144.115 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip local pool VPN_pool 192.168.5.30 192.168.5.39
ip route 0.0.0.0 0.0.0.0 xxx.xxx.144.113
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 60000
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool NAS_Pool 192.168.5.249 192.168.5.249 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.5.82 80 xx.xx.144.114 80 extendable
ip nat inside source static tcp 192.168.5.251 25 xx.xx.144.115 25 extendable
ip nat inside source static tcp 192.168.5.251 80 xx.xx.144.115 80 extendable
ip nat inside source static tcp 192.168.5.251 110 xx.xx.144.115 110 extendable
ip nat inside source static tcp 192.168.5.251 143 xx.xx.144.115 143 extendable
ip nat inside source static tcp 192.168.5.251 443 xx.xx.144.115 443 extendable
ip nat inside source static tcp 192.168.5.251 587 xx.xx.144.115 587 extendable
ip nat inside source static tcp 192.168.5.251 993 xx.xx.144.115 993 extendable
ip nat inside source static tcp 192.168.5.253 50000 xx.xx.144.115 50000 extendable
ip nat inside source static tcp 192.168.5.252 50001 xx.xx.144.115 50001 extendable
ip nat inside source static tcp 192.168.5.241 80 xx.xx.144.115 50002 extendable
ip nat inside source static tcp 192.168.5.240 80 xx.xx.144.115 50003 extendable
ip nat inside source static tcp 192.168.5.5 51020 xx.xx.144.115 51020 extendable
ip nat inside destination list NAS_Dest_List pool NAS_Pool
!
ip access-list extended NAS_Dest_List
permit tcp any any range 33000 45000
ip access-list extended sdm_vlan1_out
remark SDM_ACL Category=1
permit ip any any
ip access-list extended splitremote
remark SDM_ACL Category=16
permit ip 192.168.5.0 0.0.0.255 any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
no cdp run
!
!
!
!
!
radius-server host 192.168.5.12 auth-port 1645 acct-port 1646 key CiscoRadius
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to -----------------------------------------------------------------------
^C
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
 
That cannot be done---that is not how NAT works---once the outside gets translated to the inside ip address, you cannot retranslate it to the outside global ip address. You will have to reach those servers via the private ip address.

Burt
 
If you were to add a static NAT entry like this:
Code:
ip nat inside source static <private_ip> <public_ip>
then DNS rewriting should happen and you should be able to access it from inside via the public FQDN. Your other option is to use split-brain DNS. What kind of firewall are you using??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I thought that initially too, uncle, and tried it with my own FTP server, and it did not work...

Burt
 
In my experience this depends on the router and the IOS. I upgraded some 857s a few years ago which had been fine with this and the NAT "tromboning" stopped working and no amount of persuasion appeared to work.

In theory as long as the public IPs have a static NAT it *should* work - but having looked at debugs it seems the NAT process goes astray somewhere doing the double translation.

If there is a config which fixes it I'd love to know too!

I notice that cheaper routers (Draytek, Netgear, Zyxel) work fine as do PIX and Checkpoint.
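The "double translation" the reply above refers to, as an added example that is not part of this thread: a small Python model of a LAN client opening a TCP connection to the public address of a server that sits on the same LAN. It is a generic NAT model written for this page, not Cisco IOS's NAT implementation, and every address in it is constructed (client 192.168.5.20, server 192.168.5.251, router LAN address 192.168.5.1, and 203.0.113.115 from the RFC 5737 documentation range standing in for the public address). The `HairpinRouter`, `Client` and `simulate` names are the example's own.

```python
"""Generic model of a LAN client reaching a LAN server through the router's
public address ('hairpin' / 'tromboning' NAT). Added example for this thread;
a simplified model, not Cisco IOS's NAT code. All addresses are constructed."""
from dataclasses import dataclass, replace

CLIENT = "192.168.5.20"        # inside host opening the connection (constructed)
SERVER = "192.168.5.251"       # inside server behind the static NAT (constructed)
ROUTER_LAN = "192.168.5.1"     # router's inside address (constructed)
PUBLIC = "203.0.113.115"       # public address, RFC 5737 documentation range
STATIC_NAT = {PUBLIC: SERVER}  # outside global -> inside local


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """What the server's TCP stack sends back: endpoints swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class Client:
    """Inside host; its TCP stack accepts only replies matching a socket it opened."""

    def __init__(self, ip):
        self.ip, self.sockets = ip, set()

    def connect(self, dst, dport, sport=40000):
        self.sockets.add((self.ip, sport, dst, dport))
        return Packet(self.ip, sport, dst, dport)

    def accepts(self, p):
        return (p.dst, p.dport, p.src, p.sport) in self.sockets


class HairpinRouter:
    """NAT router. With double_translate=False it only rewrites the destination
    (public -> private); with True it also rewrites the source to its own LAN
    address so the server's reply is forced back through the router."""

    def __init__(self, static_nat, double_translate, lan_ip):
        self.static, self.double, self.lan_ip = static_nat, double_translate, lan_ip
        self.next_port = 50000
        self.sessions = {}  # (lan_ip, port) -> the client's original 4-tuple

    def from_inside(self, p):
        inside = self.static.get(p.dst)
        if inside is None:
            return p                                   # not one of our public addresses
        out = replace(p, dst=inside)                   # first translation: DNAT
        if not self.double:
            return out
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(self.lan_ip, port)] = (p.src, p.sport, p.dst, p.dport)
        return replace(out, src=self.lan_ip, sport=port)   # second translation: SNAT

    def from_server(self, p):
        """Reply to one of our SNAT sessions: undo both translations."""
        orig = self.sessions.get((p.dst, p.dport))
        if orig is None:
            return None
        src, sport, dst, dport = orig
        return Packet(dst, dport, src, sport)


def simulate(double_translate):
    """Run one SYN / SYN-ACK exchange; return (client accepted the reply?, reply)."""
    client = Client(CLIENT)
    router = HairpinRouter(STATIC_NAT, double_translate, ROUTER_LAN)
    syn = router.from_inside(client.connect(PUBLIC, 443))
    synack = syn.reply()
    if synack.dst == router.lan_ip:
        synack = router.from_server(synack)   # came back through the router
    # otherwise the server is on the same LAN as the client and answers it
    # directly, with its private address as the source
    return client.accepts(synack), synack


if __name__ == "__main__":
    for mode in (False, True):
        ok, pkt = simulate(mode)
        print(f"double translation={mode}: reply from {pkt.src}:{pkt.sport} -> "
              f"{'accepted' if ok else 'rejected, connection times out'}")
```

With only the destination rewritten, the server sees the client's private address and answers it directly across the LAN; the client's socket is waiting for a reply from the public address and port, so the SYN-ACK from 192.168.5.251 does not match any connection it opened and the attempt to the public IP times out, which is the symptom in the opening post. Only when the router also rewrites the source (the double translation) does the reply return through it and get both translations undone. The opening post's config has a single inside-to-outside overload rule plus static port mappings; nothing in it translates the source of traffic that both enters and leaves Vlan1.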
 
Ok, I was finally able to be home long enough to lab this up. Take a look at the attached topology (don't be lazy, look at it :)). Here is the relevant config for the router on the right:
Code:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3640
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
interface FastEthernet0/0
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
!
interface Serial1/1
 no ip address
!
interface Serial1/2
 no ip address
!
interface Serial1/3
 ip address 12.12.12.9 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 clock rate 128000
 no dce-terminal-timing-enable
!
interface Serial1/4
 no ip address
!
interface Serial1/5
 no ip address
!
interface Serial1/6
 no ip address
!
interface Serial1/7
 no ip address
!
ip http server
no ip http secure-server
ip route 12.12.12.0 255.255.255.248 12.12.12.14
!
!
ip nat pool NAT_POOL 12.12.12.9 12.12.12.9 netmask 255.255.255.248
ip nat inside source list NATTED_ADDYS pool NAT_POOL overload
ip nat inside source static 192.168.10.200 12.12.12.10 extendable
!
!
ip access-list extended NATTED_ADDYS
 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
control-plane
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
The DNS Server on the left is hosting a zone fubar.com and it has a single host record of to 12.12.12.10. From the 192.168.10.6 host I point my browser to and the router rewrites the DNS reply to 192.168.10.100. So it does rewrite like it is supposed to. The router (3640) is running 12.4(7a).

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
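The DNS rewriting shown in the lab above, as an added example that is not from this thread: a Python model of the step a NAT router's DNS ALG performs, where an A record in a reply that carries an outside global address with a static NAT entry is rewritten to the inside local address before the reply reaches the inside client. It is a generic model, not Cisco IOS code. The mapping 12.12.12.10 to 192.168.10.200 is taken from the static NAT line in the lab config; the host name `host.fubar.com` is constructed (the post's own host name is not preserved), the reply is built by the example itself, and `build_a_reply`, `doctor_reply` and `a_records` are the example's names.

```python
"""Model of the DNS reply rewrite ('DNS doctoring') a NAT router's DNS ALG
performs: A records carrying an outside-global address that has a static NAT
entry are rewritten to the inside-local address before the reply reaches the
inside client. Added example; a generic model, not Cisco IOS code."""
import struct

# Outside global -> inside local, from the lab config's static NAT line
STATIC_NAT = {"12.12.12.10": "192.168.10.200"}


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_reply(qname, ip, txid=0x1234, ttl=300):
    """Construct a minimal DNS response (constructed test input): one question
    and one A answer whose owner name is a compression pointer (0xC00C) to the
    question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # type A, class IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def _skip_name(msg, pos):
    """Return the offset just past the name at pos (labels and/or a pointer)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if (length & 0xC0) == 0xC0:     # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def _answers(msg):
    """Yield (rtype, rclass, rdata_offset, rdlength) for each answer RR."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4            # skip qtype and qclass
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        yield rtype, rclass, pos, rdlen
        pos += rdlen


def a_records(msg):
    """Dotted addresses of the A/IN records in the answer section."""
    return [".".join(str(b) for b in msg[off:off + 4])
            for rtype, rclass, off, rdlen in _answers(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_reply(msg, static_nat=STATIC_NAT):
    """Rewrite A-record RDATA according to the static NAT map. Only the four
    RDATA bytes change, so lengths, offsets and compression pointers stay
    valid. Returns (rewritten_message, [(public, private), ...])."""
    buf = bytearray(msg)
    rewrites = []
    for rtype, rclass, off, rdlen in _answers(buf):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            public = ".".join(str(b) for b in buf[off:off + 4])
            private = static_nat.get(public)
            if private is not None:
                buf[off:off + 4] = bytes(int(o) for o in private.split("."))
                rewrites.append((public, private))
    return bytes(buf), rewrites


if __name__ == "__main__":
    reply = build_a_reply("host.fubar.com", "12.12.12.10")   # constructed name
    fixed, changes = doctor_reply(reply)
    print("reply as sent by the outside server:", a_records(reply))
    print("reply as handed to the inside client:", a_records(fixed), changes)
```

The rewrite only happens to replies that actually cross the router's NAT boundary. Inside clients that resolve through an inside DNS server never have their replies pass through the ALG, so they still receive the public address and hit the hairpin problem; in that case split-brain DNS, an internal zone that hands out the private address directly, is the simpler fix the earlier reply mentions. Addresses in the reply that have no static entry are left untouched.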
 