
I have a web server in my private network that has the IP address 192.168.1.134. I need to allow users to access this web server from both the Internet and the private network. The public IP address is 85.185.236.12. I set up static NAT (192.168.1.136 => 85.185.236.12) on the WAN interface. Now, when we access it from the Internet everything works perfectly, but when we try to access it from the LAN we can't access the web server. I use a Cisco 1841 router and I think NAT is not working when I try to access it. How can we access the web server from the LAN? Thanks.

Mosayeb
  • Start by telling us what happens when you try to access it from the LAN, then give us some details on what make/model Cisco (router?) you're using. If you want this question (and future) questions to get attention instead of down votes and close votes then please start providing more details in your questions. – joeqwerty Nov 23 '14 at 18:37
  • Hairpinning. It isn't all *that* scary. – Magellan Nov 23 '14 at 23:20
  • Hairpinning the traffic through the router's LAN side would make this function, but adds extra load to the router and config complexity to his equipment (and future admins). Plus 'the website is down' becomes a multi-step process to troubleshoot. – cpt_fink Nov 24 '14 at 03:08

2 Answers


I've just answered a similar question at https://supportforums.cisco.com/discussion/12102421/nat-hairpinning; let me repeat the answer here:

First of all, such a situation is encountered often enough.

Second, while NAT theoretically may be a solution, in practice particular vendor implementations of NAT can be restrictive and fail to support this.

One typical solution is to address the server located in the internal network by FQDN, not by the IP address. Two DNS zones are needed - one external, mapping server.example.org to the publicly known IP, and an internal, mapping the same FQDN to the private IP address of the server.

Up to this point, looks like a summary of others' comments. But here you have something fresh:

If this solution seems unacceptable, there is another one; it avoids NAT too, and all that you need is to configure the TCP/IP stack on the server and the LAN hosts. Do this:

(1) on the server: add the public IP address (85.185.236.12 in your case) as a secondary IP address on the server's network interface with the 255.255.255.255 mask (the web service, or whatever you want on the server, should listen on this IP address too)

(2) on LAN computers: add a host route for that public IP address; for example, for Windows hosts use the following command: route add 85.185.236.12 mask 255.255.255.255 192.168.1.134 (you can also use the DHCP "static route" option to distribute the route). Or, if there is an L3 switch/router between the clients and the Internet-facing router, configure that host route on this intermediate switch/router, not on the clients.

Sergio
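The DHCP "static route" option mentioned in step (2), worked through as an added example that is not part of the original answer: an encoder and decoder for the DHCP Classless Static Route option (RFC 3442, option 121), producing the payload that distributes the host route 85.185.236.12/32 via 192.168.1.134 from the question to LAN clients. The function names are my own; the addresses are the ones given in the question.

```python
"""DHCP Classless Static Route option (RFC 3442, option 121) encoder/decoder.

Added example, not from the original answer. It builds the payload that would
push the host route 85.185.236.12/32 via 192.168.1.134 (both addresses taken
from the question) to LAN clients through DHCP instead of a per-host 'route add'.
"""
import ipaddress

SERVER_PUBLIC_IP = "85.185.236.12"  # public address from the question
SERVER_LAN_IP = "192.168.1.134"     # server's private address from the question


def encode_classless_routes(routes):
    """routes: iterable of (destination_cidr, next_hop_ip) -> option payload bytes.

    Each route is encoded as: prefix width (1 byte), the significant octets of
    the destination (ceil(width/8) bytes), then the 4-byte router address.
    """
    out = bytearray()
    for dest_cidr, next_hop in routes:
        net = ipaddress.IPv4Network(dest_cidr, strict=True)
        n_octets = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:n_octets]
        out += ipaddress.IPv4Address(next_hop).packed
    return bytes(out)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; rejects truncated or malformed data."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError(f"bad prefix width {width} at offset {i}")
        n_octets = (width + 7) // 8
        chunk = payload[i + 1 : i + 1 + n_octets + 4]
        if len(chunk) != n_octets + 4:
            raise ValueError(f"truncated route at offset {i}")
        # Pad the shortened destination back out to four octets.
        dest = ipaddress.IPv4Address(chunk[:n_octets] + b"\x00" * (4 - n_octets))
        router = ipaddress.IPv4Address(chunk[n_octets:])
        routes.append((f"{dest}/{width}", str(router)))
        i += 1 + n_octets + 4
    return routes


def hairpin_avoidance_route():
    """The single host route from the answer, as option 121 payload in hex."""
    return encode_classless_routes([(f"{SERVER_PUBLIC_IP}/32", SERVER_LAN_IP)]).hex()
```

The DHCP server still has to be told the option code and handed these raw bytes; older Windows clients read the same payload from Microsoft's option 249 rather than 121.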

I guess you are trying to access it from the LAN using its public IP address - 85.185.236.12. Long story short - don't do that. Use named views (or some other implementation) and access it using its LAN address.

drookie
  • Yes, I try by public IP address. It's not possible to implement DNS or something like that in my network. Do you think there is another way? – Mosayeb Nov 23 '14 at 18:44
  • Have you tried accessing it with the private ip address? – joeqwerty Nov 23 '14 at 19:03
  • Yes, I can access it with the private IP address on the local side. – Mosayeb Nov 23 '14 at 19:21
  • It's possible, but it's extremely effort-expensive, requires deep knowledge of the IP stack of the given equipment, and I highly doubt this is achievable with proprietary equipment like Cisco (though I may be wrong). My advice still stands. – drookie Nov 23 '14 at 19:25
  • Cisco uses outside-to-inside translation on the outside interface, and you are trying to reach your web server's public address (which is not its own, but the router's) via the inside interface, thus translation never occurs. Linux netfilter/FreeBSD ipfw with ng are way more flexible when dealing with such rare cases. That is the reason for my skepticism about your intention to achieve this with Cisco. – drookie Nov 23 '14 at 19:35
  • If you have a support contract with Cisco - I guess asking this in their TAC is the best method to find out if this is possible. – drookie Nov 23 '14 at 19:36
  • So my guess is that you want to access it by its FQDN, which resolves to the external IP address. If so, you could do this by setting up an internal DNS server for the DNS zone in question, or by populating the Hosts files on your client computers (not recommended). – joeqwerty Nov 23 '14 at 20:19