I have a PAT configuration set up on my Cisco 851 Router. It port forwards from a single public IP ports to servers in my internal network that use the Class C range 192.168.1.1 (the router) through 192.168.1.254. The configuration works perfectly.
The problem I am having is specific to HTTP. Whenever users from the Internet use a web browser to connect to my Internet IP address, they get a web page displayed in their browser. However, when I try to navigate to the same IP from a workstation on the internal network (192.168.1.101) I get a page cannot be displayed error.
This seemed to work fine with my Linksys router previously but not Cisco. I think this is some NAT configuration issue. What do I need to do to get connections from the internal network to behave the same way as users connecting from the Internet?
Hi Paul. When you want to connect to the webserver from the internal network you should use the private address of the server (not the public one). Do you have internal DNS servers or do you use external servers? If you have internal DNS you should create an A record for the webserver that would point to its private address.
I know that on a firewall it is not permitted (by design) to have the same traffic go out an interface and come back through the same interface. That is what is happening when you try to access the public address of your webserver. The traffic goes from inside to outside interface, and then has to go back.
On a PIX or ASA your situation can be resolved using DNS doctoring.
Says that DNS fixups are performed by IOS; however, several threads on this forum have gone over the ground and I have noticed no working solution so far.
Please post solution if you find one.
It would be incredible if this was not supported in IOS.
This same configuration worked with my older Netopia router. I realize that populating internal DNS records will work, but I want to be able to test to see if the router is correctly NAT'ing port 80 connection to the web server. If I use internal DNS, there is no way to test that.
If your server is in your inside network then there is no need to go through the router. You should access the server directly using its private address. You wrote in your previous post that there is no problem to access the server from the internet (hence the router is NAT-ing port 80 correctly).
| This same configuration worked with my older Netopia router. I realize that populating internal DNS records will work, but I want to be able to test to see if the router is correctly NAT'ing port 80 connection to the web server. If I use internal DNS, there is no way to test that.
|
| On Mon, 10 Mar 2008 09:06:20 +0100, Morph wrote:
|
| >Hi Paul.
| >When you want to connect to the webserver from the internal network you should use the private address of the server (not the public one).
| >Do you have internal DNS servers or do you use external servers?
| >If you have internal DNS you should create an A record for the webserver that would point to its private address.
| >
| >I know that on a firewall it is not permitted (by design) to have the same traffic go out an interface and come back through the same interface. That is what is happening when you try to access the public address of your webserver. The traffic goes from inside to outside interface, and then has to go back.
| >
| >On a PIX or ASA your situation can be resolved using DNS doctoring
I understand, but I do want to go through the router. I need to make sure that when people resolve my website to the Internet, it is NAT'd correctly by my Cisco router and sent to the right webserver. I didn't mention that I am hosting 2 websites on a single IP address so being able to test these are working is critical.
So while I realize I can easily get to the webservers directly by their internal hostnames, I need a way to test that my NAT configuration is up and running correctly. I was able to do this using other routers, just not Cisco. I'm thinking there is some command line config I need to allow traffic to flow between the 2 interfaces but I can't be certain.
Any suggestions welcome!
--Paul
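
Added example, not part of any post in this thread: a check for the situation described above (two websites behind one port-forwarded public IP), meant to be run from a host outside the LAN so the request arrives on the router's outside interface as an Internet user's would. The address, hostnames and marker strings are constructed placeholders, and the function names are hypothetical.

```python
import http.client

# Constructed sample values: 203.0.113.10 is a documentation address and the
# hostnames and marker strings stand in for the two hosted sites.
PUBLIC_IP = "203.0.113.10"
SITES = {
    "www.site-one.example": "Site One",
    "www.site-two.example": "Site Two",
}


def check_vhost(ip, host, marker, port=80, timeout=5.0):
    """GET / from ip:port with an explicit Host header.

    Returns (ok, detail). ok is True only if the connection succeeds, the
    status is 200 and the body contains the marker expected for that site.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "Connection": "close"})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", errors="replace")
    except (OSError, http.client.HTTPException) as exc:
        # Refused, timed out or reset: the port forward is not answering.
        return False, f"no answer on {ip}:{port} ({exc})"
    finally:
        conn.close()
    if resp.status != 200:
        return False, f"HTTP {resp.status}"
    if marker not in body:
        # The forward works, but the server picked the wrong virtual host.
        return False, "200 OK but wrong site content"
    return True, "ok"


def check_all(ip, sites, port=80, timeout=5.0):
    """Run check_vhost for every hostname; returns {host: (ok, detail)}."""
    return {h: check_vhost(ip, h, m, port, timeout) for h, m in sites.items()}


if __name__ == "__main__":
    for host, (ok, detail) in check_all(PUBLIC_IP, SITES).items():
        print(f"{'PASS' if ok else 'FAIL'}  {host}: {detail}")
```

Because the Host header is set separately from the address connected to, the check needs no DNS changes and distinguishes a dead port forward from a forward that reaches the wrong site.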
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.