Inside to Inside NAT

Posted by Jonathan Wright on April 11, 2007, 5:08 pm
getting anywhere, and everywhere I've looked on the Internet regarding this problem seems to tail off without resolve...

Basically, I'm trying to access my internal web server using the global IP address assigned to Dialer0 on the router by my ISP.

I have a DNS service external to the network which is provided this IP address and while I can use it externally (PAT from the Internet to the LAN is working fine), I can't get it to work when I'm on the network.

In this case, internal replication of the DNS zone on the LAN is not really an option, and for the moment, I'm using a hosts file (but again, this isn't suitable, as some devices will need to access it both on and off the network).

I'm just looking to get Inside-to-Inside NAT working so I can use the router to forward the request from the LAN to the server...

Here are the main points of my config:

interface Ethernet0
description to Network
ip address 10.0.1.62 255.255.255.192
ip access-group from-network in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
ip route-cache flow
load-interval 30
!
interface ATM0
description to Zen Internet
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
description BT ADSL Connection
tx-ring-limit 3
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Dialer0
ip address negotiated
ip access-group from-internet in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect firewall out
no ip virtual-reassembly
encapsulation ppp
ip route-cache flow
load-interval 30
dialer pool 1
dialer-group 1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source list nat interface Dialer0 overload
ip nat inside source static tcp 10.0.1.61 80 interface Dialer0 80
!
ip access-list standard nat
remark Define which systems will be NAT-translated
permit 10.0.1.0 0.0.0.63
!
ip access-list extended from-internet
remark ACL for incoming traffic from the Internet
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit igmp any any
permit esp any any
permit gre any any
permit udp any eq ntp any eq ntp
permit tcp any any eq www
deny ip any any log
ip access-list extended from-network
remark ACL for incoming traffic to the router from the network
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
!
dialer-list 1 protocol ip permit

--
Jonathan Wright mail@djnauk.co.uk
http://djnauk.co.uk

cat /dev/random (you never know, you may see something you like!)

2.6.17-gentoo-r3-djnauk-b1 AMD Athlon(tm) XP 2100+
up 9 days, 23:47, 1 user, load average: 0.24, 0.41, 0.61

Posted by Thrill5 on April 13, 2007, 6:20 pm
You can't do inside to inside NAT. NAT is only done inside to outside and vice versa. By configuring interfaces as either "inside" or "outside" is how the router knows which packets to NAT.

Scott

Posted by Rod Dorman on April 16, 2007, 12:58 pm
>You can't do inside to inside NAT. NAT is only done inside to outside and
>vice versa. By configuring interfaces as either "inside" or "outside" is
>how the router knows which packets to NAT.

It could be he's thinking that inside/outside interfaces are somehow related with private/public IP addresses.

--
-- Rod --
rodd(at)polylogics(dot)com
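
A simplified model of the behaviour the two replies describe, added here as an example and not code from any poster or from Cisco: it parses a constructed excerpt of the posted config and applies the static port forward only to packets that enter on the `ip nat outside` interface. The address 203.0.113.10 (a documentation-range placeholder for the negotiated Dialer0 address) and the function names are assumptions.

```python
import re

# Constructed excerpt of the configuration posted in the thread.
CONFIG = """\
interface Ethernet0
ip address 10.0.1.62 255.255.255.192
ip nat inside
interface Dialer0
ip address negotiated
ip nat outside
ip nat inside source list nat interface Dialer0 overload
ip nat inside source static tcp 10.0.1.61 80 interface Dialer0 80
"""
# Assumption: placeholder (documentation range) for the negotiated Dialer0 address.
IFACE_ADDR = {"Dialer0": "203.0.113.10"}

STATIC_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")


def parse_nat(config):
    """Return (interface -> 'inside'/'outside', list of static port forwards)."""
    roles, statics, current = {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = m[1]
        elif m := re.match(r"ip nat (inside|outside)$", line):
            roles[current] = m[1]
        elif m := STATIC_RE.match(line):
            statics.append((m[1], m[2], int(m[3]), m[4], int(m[5])))
    return roles, statics


def forward_target(config, in_iface, proto, dst_ip, dst_port):
    """Return the (inside address, port) the destination is rewritten to, or None."""
    roles, statics = parse_nat(config)
    # The static entry rewrites destinations only for packets that enter on an
    # 'ip nat outside' interface; the address type (private/public) is irrelevant.
    if roles.get(in_iface) != "outside":
        return None
    for s_proto, local_ip, local_port, iface, port in statics:
        if (s_proto, IFACE_ADDR.get(iface), port) == (proto, dst_ip, dst_port):
            return local_ip, local_port
    return None


if __name__ == "__main__":
    wan = IFACE_ADDR["Dialer0"]
    print("from Internet:", forward_target(CONFIG, "Dialer0", "tcp", wan, 80))
    print("from LAN:     ", forward_target(CONFIG, "Ethernet0", "tcp", wan, 80))
```
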
