From: Jonathan Wright on 11 Apr 2007 17:08

I'm trying to configure my c837 to use inside-to-inside NAT, but I'm not
getting anywhere, and everywhere I've looked on the Internet regarding
this problem seems to tail off without resolve...

Basically, I'm trying to access my internal web server using the global IP
address assigned to Dialer0 on the router by my ISP.

I have a DNS service external to the network which is provided this IP
address and while I can use it externally (PAT from the Internet to the
LAN is working fine), I can't get it to work when I'm on the network.

In this case, internal replication of the DNS zone on the LAN is not
really an option, and for the moment, I'm using a hosts file (but again,
this isn't suitable, as some devices will need to access it both on and
off the network).

I'm just looking to get Inside-to-Inside NAT working so I can use the
router to forward the request from the LAN to the server...

Here's the main points of my config:

interface Ethernet0
 description to Network
 ip address 10.0.1.62 255.255.255.192
 ip access-group from-network in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly
 ip route-cache flow
 load-interval 30
!
interface ATM0
 description to Zen Internet
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  description BT ADSL Connection
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 ip address negotiated
 ip access-group from-internet in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect firewall out
 no ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 load-interval 30
 dialer pool 1
 dialer-group 1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source list nat interface Dialer0 overload
ip nat inside source static tcp 10.0.1.61 80 interface Dialer0 80
!
ip access-list standard nat
 remark Define which systems will be NAT-translated
 permit 10.0.1.0 0.0.0.63
!
ip access-list extended from-internet
 remark ACL for incoming traffic from the Internet
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit igmp any any
 permit esp any any
 permit gre any any
 permit udp any eq ntp any eq ntp
 permit tcp any any eq www
 deny ip any any log
ip access-list extended from-network
 remark ACL for incoming traffic to the router from the network
 deny ip host 255.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
dialer-list 1 protocol ip permit

--
Jonathan Wright mail(a)djnauk.co.uk
http://djnauk.co.uk

cat /dev/random (you never know, you may see something you like!)

2.6.17-gentoo-r3-djnauk-b1 AMD Athlon(tm) XP 2100+
up 9 days, 23:47, 1 user, load average: 0.24, 0.41, 0.61

From: Thrill5 on 13 Apr 2007 18:20

You can't do inside to inside NAT. NAT is only done inside to outside and
vice versa. By configuring interfaces as either "inside" or "outside" is
how the router knows which packets to NAT.

Scott

"Jonathan Wright" <mail(a)djnauk.co.uk> wrote in message
news:461d4e92$0$6954$fa0fcedb(a)news.zen.co.uk...
> I'm trying to configure my c837 to use inside-to-inside NAT, but I'm not
> getting anywhere, and everywhere I've looked on the Internet regarding
> this problem seems to tail off without resolve...
>
> Basically, I'm trying to access my internal web server using the global IP
> address assigned to Dialer0 on the router by my ISP.
>
> I have a DNS service external to the network which is provided this IP
> address and while I can use it externally (PAT from the Internet to the
> LAN is working fine), I can't get it to work when I'm on the network.
>
> In this case, internal replication of the DNS zone on the LAN is not
> really an option, and for the moment, I'm using a hosts file (but again,
> this isn't suitable, as some devices will need to access it both on and
> off the network).
>
> I'm just looking to get Inside-to-Inside NAT working so I can use the
> router to forward the request from the LAN to the server...
>
> Here's the main points of my config:
>
> interface Ethernet0
>  description to Network
>  ip address 10.0.1.62 255.255.255.192
>  ip access-group from-network in
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip nat inside
>  no ip virtual-reassembly
>  ip route-cache flow
>  load-interval 30
> !
> interface ATM0
>  description to Zen Internet
>  no ip address
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  no atm ilmi-keepalive
>  dsl operating-mode auto
>  pvc 0/38
>   description BT ADSL Connection
>   tx-ring-limit 3
>   encapsulation aal5mux ppp dialer
>   dialer pool-member 1
> !
> interface Dialer0
>  ip address negotiated
>  ip access-group from-internet in
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip nat outside
>  ip inspect firewall out
>  no ip virtual-reassembly
>  encapsulation ppp
>  ip route-cache flow
>  load-interval 30
>  dialer pool 1
>  dialer-group 1
> !
> ip route 0.0.0.0 0.0.0.0 Dialer0
> !
> ip nat inside source list nat interface Dialer0 overload
> ip nat inside source static tcp 10.0.1.61 80 interface Dialer0 80
> !
> ip access-list standard nat
>  remark Define which systems will be NAT-translated
>  permit 10.0.1.0 0.0.0.63
> !
> ip access-list extended from-internet
>  remark ACL for incoming traffic from the Internet
>  deny ip 10.0.0.0 0.255.255.255 any
>  deny ip 172.16.0.0 0.15.255.255 any
>  deny ip 192.168.0.0 0.0.255.255 any
>  deny ip 127.0.0.0 0.255.255.255 any
>  deny ip host 255.255.255.255 any
>  deny ip host 0.0.0.0 any
>  permit icmp any any echo-reply
>  permit icmp any any time-exceeded
>  permit icmp any any unreachable
>  permit igmp any any
>  permit esp any any
>  permit gre any any
>  permit udp any eq ntp any eq ntp
>  permit tcp any any eq www
>  deny ip any any log
> ip access-list extended from-network
>  remark ACL for incoming traffic to the router from the network
>  deny ip host 255.255.255.255 any
>  deny ip 127.0.0.0 0.255.255.255 any
>  permit ip any any
> !
> dialer-list 1 protocol ip permit
>
> --
> Jonathan Wright mail(a)djnauk.co.uk
> http://djnauk.co.uk
>
> cat /dev/random (you never know, you may see something you like!)
>
> 2.6.17-gentoo-r3-djnauk-b1 AMD Athlon(tm) XP 2100+
> up 9 days, 23:47, 1 user, load average: 0.24, 0.41, 0.61

From: Rod Dorman on 16 Apr 2007 12:58

In article <EIqdnRmEtPmvn73bnZ2dnUVZ_vqpnZ2d(a)comcast.com>,
Thrill5 <nospam(a)somewhere.com> wrote:
>You can't do inside to inside NAT. NAT is only done inside to outside and
>vice versa. By configuring interfaces as either "inside" or "outside" is
>how the router knows which packets to NAT.

It could be he's thinking that inside/outside interfaces are somehow
related with private/public IP addresses.

--
-- Rod --
rodd(at)polylogics(dot)com
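
Added example, not part of any post in this thread: a small Python model of the interface-based inside/outside NAT decision described in the replies, using the addresses from the posted config. The Dialer0 address 203.0.113.5 and the client addresses are constructed placeholders (the real address is negotiated), and the ACLs and PAT port rewriting are left out of the model.

```python
import ipaddress

# Values from the posted config. DIALER0_IP is a constructed placeholder:
# the real address is negotiated over PPP and does not appear in the thread.
DIALER0_IP = ipaddress.ip_address("203.0.113.5")
ETHERNET0_IP = ipaddress.ip_address("10.0.1.62")
NAT_DOMAIN = {"Ethernet0": "inside", "Dialer0": "outside"}
# ip nat inside source static tcp 10.0.1.61 80 interface Dialer0 80
STATIC = {("tcp", 80): (ipaddress.ip_address("10.0.1.61"), 80)}
PAT_ACL = ipaddress.ip_network("10.0.1.0/26")    # permit 10.0.1.0 0.0.0.63
CONNECTED = ipaddress.ip_network("10.0.1.0/26")  # Ethernet0 subnet


def route(dst):
    """Egress interface, or 'local' when the packet is for the router itself."""
    if dst in (DIALER0_IP, ETHERNET0_IP):
        return "local"
    return "Ethernet0" if dst in CONNECTED else "Dialer0"  # default route


def forward(in_if, proto, src, sport, dst, dport):
    """Return (egress, src, sport, dst, dport) after interface-based NAT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Outside -> inside: the destination is translated BEFORE routing, and
    # only for packets that arrive on an 'ip nat outside' interface.
    if (NAT_DOMAIN[in_if] == "outside" and dst == DIALER0_IP
            and (proto, dport) in STATIC):
        dst, dport = STATIC[(proto, dport)]
    out_if = route(dst)
    # Inside -> outside: the source is translated AFTER routing, and only if
    # the packet really leaves through an 'ip nat outside' interface.
    if (NAT_DOMAIN[in_if] == "inside" and NAT_DOMAIN.get(out_if) == "outside"
            and src in PAT_ACL):
        src = DIALER0_IP  # overload; source-port rewrite omitted in this model
    return out_if, str(src), sport, str(dst), dport


if __name__ == "__main__":
    # Constructed sample packets.
    print(forward("Dialer0", "tcp", "198.51.100.7", 40000, "203.0.113.5", 80))
    print(forward("Ethernet0", "tcp", "10.0.1.10", 40001, "203.0.113.5", 80))
    print(forward("Ethernet0", "tcp", "10.0.1.10", 40002, "198.51.100.7", 80))
```

The second packet is the case from the original post: it arrives on the inside interface, so the static entry is never consulted and the packet is delivered to the router itself rather than to 10.0.1.61.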