Tuesday, June 26, 2012

Reaching an IP inside global from the inside network

Is it possible to reach an inside global IP address from the inside network (or LAN) on a Cisco router when doing NAT?

The case is the following:

A client who doesn't have a DMZ told me he was having issues with his web application only from his LAN, meaning that outside the LAN, on the internet, the application runs fine. The issue is that the public IP address is referenced in many links in the web application, and when people are using the application from the LAN they cannot reach the public IP address because it is being NAT-ed...

When packets to the public address reach the router's inside interface, I guess it is routing them instead of realizing that the public address is being statically NAT-ed...

The configs are as follows:
interface FastEthernet4
 description WAN
 ip address
 ip nat outside
!
interface Vlan1
 description LAN
 ip address
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static
There has to be some workaround to make this work... Again, the problem is: clients in the LAN cannot reach the statically NAT-ed address defined as inside global, so the clients cannot reach the local web server using the public NAT-ed address of the web server.

You can use the NAT Virtual Interface (NVI) by using the ip nat enable command on the interfaces and removing the ip nat outside/inside commands.

You also need to change your NAT statement from:

ip nat inside source list

to:

ip nat source list ......

I have seen many weird things using the NVI interface. It seems buggy with IOS, and I feel it may depend on your router and/or version of IOS. Currently I have everything configured, but my NAT statement doesn't keep the overload portion of the command in the running config even though I entered it.

If you decide to go this route you can confirm you are using the NVI interface by using the command:

show ip nat nvi translations

If you see entries here, things are working correctly. You shouldn't see new entries under:

show ip nat translations

I would like to work with you and anyone else on here to solve this problem. It sounds like many are still trying to find workarounds to browse to the inside global address to contact their internal server.
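As an added example (not the original poster's configuration or anything from the thread), here is the NVI form of the posted setup that the reply describes: ip nat enable replaces ip nat inside/outside on both interfaces, and both NAT rules lose the "inside" keyword. The interface names FastEthernet4 and Vlan1 and access-list 1 come from the post; all IP addresses are constructed placeholders (RFC 5737 public range, RFC 1918 private range).

```cisco
! Added example, not the poster's own config: NVI version of the same
! NAT setup. Addresses are constructed (RFC 5737 / RFC 1918).
!
! Before (interface-based NAT, as posted): a LAN client's packet to the
! inside global address arrives on the 'ip nat inside' interface and is
! routed, not translated, so the public address is unreachable from LAN.
!
! After (NAT Virtual Interface): translation is no longer tied to an
! inside/outside pair, so the static mapping applies to LAN clients too.
interface FastEthernet4
 description WAN
 ip address 203.0.113.2 255.255.255.248
 ip nat enable
!
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat enable
!
! LAN hosts allowed to use the dynamic (overload / PAT) rule.
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Dynamic PAT for LAN hosts leaving via the WAN interface address.
! Note: 'ip nat source ...', not 'ip nat inside source ...'.
ip nat source list 1 interface FastEthernet4 overload
!
! Static mapping for the web server: 192.168.1.10 is the inside local
! address, 203.0.113.10 the inside global address that both internet
! users and LAN clients will use.
ip nat source static 192.168.1.10 203.0.113.10
!
! Verification from enable mode: with NVI in use, translations appear
! under the NVI table and no new entries appear in the legacy table.
!   show ip nat nvi translations
!   show ip nat translations
```

The reply above notes that the overload keyword did not persist in the running config on the poster's IOS, so after applying this, check show running-config | include ip nat source to confirm the rule was accepted as typed.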

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content that is relevant to the topic from different sources on the web. The sources might include any online discussion boards, forums, websites and others.

