5

I have a server statically NAT’d using a registered IP address and it is accessible from the outside. The problem is I cannot access my server from the inside using the registered IP address with a host computer that is connected on the same LAN as my server.

I tried to deactivate ACL and CBAC, I also tried to create some route maps but there is no way I can make it work.

I’m new to Cisco and now I’m starting to think that maybe it is the intended behavior, so I need to know if it is possible, but also whether it is a bad idea, to connect from the same LAN to my NAT’d server using the public address.

Thank you.

P.S. I don't have any problem connecting to the server using its private address.

  • Perhaps this isn't a Cisco PIX or ASA? If so my answer below might not work for you. – pauska Jun 16 '09 at 20:35
  • Sorry, I should have said the router is a Cisco 1811. I know the alias command is supported on this router but, from the link provided by Pauska about this command, I understand that DNS Doctoring doesn’t seem to be supported on any device other than the ASA/PIX Firewall; am I right? Destination NAT (“dnat”) can also be used apparently, but from what I found I don’t think the C1811 supports it either. –  Jun 17 '09 at 14:58

3 Answers

7

Remember, when your firewall/router/whatever is doing NATing, the internal box that has a public IP NATed to it doesn't know anything about the NATed address.

So, in order for this to work, your packet has to leave your internal LAN, go out to the external network, then come back in via the firewall/router/whatever that's doing the NATing, and finally be handed to the internal box (which, again, doesn't generally know anything about the NATing).

There are some work-arounds that are possible (see Cisco alias command, if you're using Cisco), but in general it's not really something you want to do.

This is why most networks that contain internal hosts and externally accessible (public) hosts will maintain separate DNS servers for internal and external hosts. You can set up your external DNS server so that www.example.com points to your external IP, and set up your internal DNS server so that www.example.com points to your internal IP. If you're using BIND, then views make this quite easy.

Christopher Cashell
  • 9,128
  • 2
  • 32
  • 44
2

You'll need to use the "alias" command to make this work.

See: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

NB!: The ASDM does not support this command, you have to do it by CLI.

pauska
  • 19,620
  • 5
  • 57
  • 75
0

This answer is clearer about why it doesn't work.
This is standard behavior. Network Address Translation is understood by the firewall to be ACROSS the network interfaces, and is typically configured based on the direction of traffic. IOW, the firewall is configured to translate INBOUND traffic to the address received at the EXTERNAL interface, and send it along.

Pauska noted one way you can accomplish this if it is required. What we do here is access by name, and have the internal DNS provide the internal address of the server while the external DNS gives the external address.

tomjedrz
  • 5,974
  • 1
  • 16
  • 26
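Both Christopher Cashell's and tomjedrz's answers recommend split-horizon DNS: LAN clients resolve the name to the private address, outside clients to the registered one, so nothing has to hairpin through the router. The following is an added example (not from either answer) of how that looks with BIND 9 views; the zone name, file paths and addresses (192.168.1.0/24 inside, 203.0.113.10 as the registered address statically NAT'd to the server) are constructed.

```conf
// /etc/bind/named.conf.local -- constructed example of split-horizon DNS
// Assumed: LAN is 192.168.1.0/24, the server is 192.168.1.10 inside and
// 203.0.113.10 (the registered address statically NAT'd to it) outside.

acl "lan" { 192.168.1.0/24; 127.0.0.0/8; };

// Views are tried in order; the first whose match-clients matches wins,
// so the LAN view must come before the catch-all external view.
view "internal" {
    match-clients { "lan"; };
    recursion yes;          // LAN hosts may use this server as a resolver
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;           // do not act as an open resolver for the Internet
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";
    };
};

; ---- /etc/bind/zones/db.example.com.internal (zone file, ';' comments) ----
$TTL 3600
@     IN SOA ns1.example.com. hostmaster.example.com. (
          2009061701 7200 900 1209600 3600 )
@     IN NS  ns1.example.com.
ns1   IN A   192.168.1.2
www   IN A   192.168.1.10    ; LAN clients reach the server directly

; ---- /etc/bind/zones/db.example.com.external ----
$TTL 3600
@     IN SOA ns1.example.com. hostmaster.example.com. (
          2009061701 7200 900 1209600 3600 )
@     IN NS  ns1.example.com.
ns1   IN A   203.0.113.2
www   IN A   203.0.113.10    ; outside clients go through the router's static NAT
```

To check it, `dig @192.168.1.2 www.example.com A` from a LAN host should answer 192.168.1.10 while the same query from outside answers 203.0.113.10; keep the two zone serials in step whenever you change either file.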