cisco NAT & route problems. weird. help?

By lov111
new ISP and they required a live internal IP address for monitoring...

the prob is that when we try to get to our own website (from our LAN), using the live (external) ip, it won't work.

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-D-M), Version 12.0(3)T3, RELEASE SOFTWARE (fc1)

replaced the live real ip addy's with and leave the xxx a real number.

ip subnet-zero
no ip domain-lookup
interface Ethernet0/0
 description connected to EthernetLAN
 ip address secondary
 ip address a.b.c.65
 ip access-group 100 in
 no ip directed-broadcast
 ip nat inside
 no mop enabled
interface Serial0/0
 description connected to Internet
 ip address a.b2.c2.46 !*b2 & c2 are different than b & c
 ip access-group 101 in
 no ip directed-broadcast
 ip nat outside
 no ip mroute-cache
 no fair-queue
router rip
 version 2
 passive-interface Serial0/0
 no auto-summary
ip nat pool BRO a.b.c.66 a.b.c.94 netmask
ip nat inside source list 5 pool BRO overload
ip nat inside source static a.b.c.**
ip nat inside source static a.b.c.90
ip nat inside source static a.b.c.94
ip classless
ip route Serial0/0
no ip http server
access-list 5 permit
access-list 5 permit
access-list 5 permit
access-list 5 permit
access-list 100 permit ip any any

by LordInfidel In reply to cisco NAT & route problem ...

remember the principle of NAT.

You are taking a pvt IP, sending it out to, converting to a public, going to a public which in turn is going back into NAT.

Seems simple right, but your cisco is keeping session state and can not get the request back to you because it can't route it back.

It's nothing you did, or didn't do.

Try going to it via the PVT address. It will get there.

It's just because it knows that the request came from the inside and no hosts should be requesting services that are located inside. It is actually anti-spoofing basically.

No host located behind the router should send requests thru the router to get back behind the router.

Does this make sense?


yes, makes sense- but it USED to work ;p

by lov111 In reply to NAT

We really need this to work,
and it used to work

employees which have laptops and some specific IP settings, which do not have a public DNS entry

what do you suggest? training all the users to know when to switch to 172.x schemes, vs the public ips? ;p

i know it is possible
do you know how to make it happen?


Possible solution

by LordInfidel In reply to yes, makes sense- but it ...

If you have your own DNS server, and it is running linux with BIND 9.2.

You can set up dns "views". Basically you would create 2 tables for the same zone.

1 that external people can see, and 1 for internal use. It would look like this:

ACL's would be set up so that only your internal ip range can view the internal tables.

Then you can set your website's IP to the internal pvt IP.

I prefer this method, because if you do a lot of testing and development of sites, you can add test entries into your internal tables without exposing it to the rest of the world.

And you can point your entire network's DNS to the internal server.

If you are using external DNS for public resolution, you can still set up just an internal dns server which has the external one set up as the root hint.
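
The split-view setup described in the post above, written out as a BIND `named.conf`. This is an added example, not part of the original thread or the poster's configuration; the zone name `example.com`, the file paths, the hint file name and all addresses (172.16.0.0/12 inside, 192.0.2.10 outside) are assumptions.

```conf
// Added example: every name, path and address here is constructed.
acl "internal-nets" {
    172.16.0.0/12;        // assumed LAN range (the thread mentions 172.x)
    127.0.0.1;
};

options {
    directory "/var/named";   // assumed working directory
    recursion no;             // off globally; enabled only in the internal view
};

// Views are evaluated in order and the first match wins,
// so the restrictive view must come before the catch-all one.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                    // LAN clients may resolve outside names
    allow-transfer { none; };         // internal records never leave by AXFR

    // A view that recurses needs its own root hints.
    zone "." {
        type hint;
        file "named.ca";
    };

    // internal/example.com.zone holds the private address, e.g.
    //   www   IN A 172.16.10.20
    //   test  IN A 172.16.10.21    (development name, invisible outside)
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                     // authoritative only, not an open resolver

    // external/example.com.zone holds the public (NAT outside) address, e.g.
    //   www   IN A 192.0.2.10
    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};
```

Once any `view` statement is present, every zone has to live inside a view, and a LAN client asking for `www.example.com` is handed the private address, so its traffic no longer needs to pass through the NAT translation at all.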
