Cisco router port forwarding works from outside networks but not from the local network

0

I have a Cisco Professional Express router. This is its current configuration:

#show run
Building configuration...

Current configuration : 6550 bytes
!
! Last configuration change at 10:56:18 PCTime Wed Jan 15 2020 by admin
!
version 15.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname <private>
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone PCTime 2 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-<private>
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-<private>
 revocation-check none
 rsakeypair TP-self-signed-<private>
!
!
crypto pki certificate chain TP-self-signed-<private>
 certificate self-signed 01
<private>
        quit
license udi pid <private> sn <private>
!
!
username <private>
username <private>
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description <private>
 ip address 1.1.1.221 255.255.255.254
 no ip proxy-arp
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 ip address 2.2.2.1 255.255.255.0 secondary
 ip address 3.3.3.1 255.255.224.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router bgp 65008
 bgp log-neighbor-changes
 network 2.2.2.96 mask 255.255.255.224
 timers bgp 30 90
 neighbor 1.1.1.220 remote-as 5408
 neighbor 1.1.1.220 send-community
 neighbor 1.1.1.220 remove-private-as
 neighbor 1.1.1.220 soft-reconfiguration inbound
 neighbor 1.1.1.220 route-map bgp-grnet-in in
 neighbor 1.1.1.220 route-map bgp-grnet-out out
!
ip forward-protocol nd
!
ip bgp-community new-format
ip as-path access-list 3 permit ^$
ip as-path access-list 4 permit ^5408.* 3333$
ip as-path access-list 4 permit ^5408$
ip as-path access-list 4 permit ^5408 2546$
ip as-path access-list 4 permit ^5408 3268$
ip as-path access-list 4 permit ^5408 3323.*
ip as-path access-list 4 permit ^5408 5470$
ip as-path access-list 4 permit ^5408 5489$
ip as-path access-list 4 permit ^5408 6744$
ip as-path access-list 4 permit ^5408 6867$
ip as-path access-list 4 permit ^5408 8248$
ip as-path access-list 4 permit ^5408 8253$
ip as-path access-list 4 permit ^5408 8278$
ip as-path access-list 4 permit ^5408 8522$
ip as-path access-list 4 permit ^5408 8530$
ip as-path access-list 4 permit ^5408 8581$
ip as-path access-list 4 permit ^5408 8611.*
ip as-path access-list 4 permit ^5408 8617$
ip as-path access-list 4 permit ^5408 8618$
ip as-path access-list 4 permit ^5408 8643.*
ip as-path access-list 4 permit ^5408 8700$
ip as-path access-list 4 permit ^5408 8762$
ip as-path access-list 4 permit ^5408 8991$
ip as-path access-list 4 permit ^5408 9069$
ip as-path access-list 4 permit ^5408 12364$
ip as-path access-list 4 permit ^5408 12402$
ip as-path access-list 4 permit ^5408 1241$
ip as-path access-list 4 permit ^5408 2686$
ip as-path access-list 4 permit ^5408 3329$
ip as-path access-list 4 permit ^5408 6844$
ip as-path access-list 4 permit ^5408 6799$
ip as-path access-list 4 permit ^5408 8212$
ip as-path access-list 4 permit ^5408 8313$
ip as-path access-list 4 permit ^5408 8335$
ip as-path access-list 4 permit ^5408 8951$
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool NAT-POOL 2.2.2.97 2.2.2.125 netmask 255.255.255.224
ip nat inside source static tcp 3.3.3.1 80 interface GigabitEthernet0/0 1970
ip nat inside source route-map nat pool NAT-POOL overload
ip nat inside source static 3.3.3.15 2.2.2.110
ip default-network 2.2.2.0
ip route 2.2.2.96 255.255.255.224 Null0 254
!
!
route-map bgp-grnet-in permit 10
 match as-path 4
 set local-preference 120
!
route-map bgp-grnet-out permit 10
 match as-path 3
 set community 5408:120
!
route-map nat permit 10
 match ip address 101
!
!
access-list 1 permit 4.4.4.112
access-list 1 permit 5.5.5.4
access-list 1 permit 2.2.2.14
access-list 1 permit 6.6.6.0 0.0.0.255
access-list 101 remark === PAT ===
access-list 101 permit ip 3.3.3.0 0.0.255.255 any
access-list 101 permit ip 6.6.6.0 0.0.0.255 any
!
control-plane
!
!
banner motd ^CCC
<private>
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 1 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 1 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

I changed all the IPs to dummy ones. I have an NGINX server running in the local network at the address 3.3.3.1, listening on port 80. I set a port forwarding rule between the two, as can be seen in the config file:

ip nat inside source static tcp 3.3.3.1 80 interface GigabitEthernet0/0 1970

When I type 1.1.1.221:1970 from my smartphone while connected over 4G, it works: I see the "It works!" page from NGINX. If I type it from the local network it doesn't work; Chrome says ERR_CONNECTION_REFUSED. Is there something wrong in the configuration?

Tasos

Posted 2020-01-15T10:17:27.207

Reputation: 149

Answers

1

You are trying to create a loopback connection as follows:

local -> router -> internet -> router -> local

The router implements request-answer algorithms and is not programmed to handle this case where the answer is actually another request. Meaning that it implements "request-answer" rather than "request-request-answer-answer".

harrymc

Posted 2020-01-15T10:17:27.207

Reputation: 306 093

So there is no way to use the same IP to access the NGINX both internally and externally? I wish to attach this IP to a domain – Tasos – 2020-01-15T11:07:04.237

Most consumer routers cannot do it. – harrymc – 2020-01-15T11:31:05.277

Probably DD-WRT can do it, if available for your router, but take care if you decide to install. – harrymc – 2020-01-17T08:43:23.817

It's not an option unfortunately. We might actually use a dedicated separate internet line for the server, just to solve this problem. I think another solution would be to have a DNS server in the local network, assigning the same domain to a local IP, and then make the local DNS server the router's primary DNS server. There is a Windows Server 2012R in the local network, acting as a domain controller, but I can't make the whole thing work so far. – Tasos – 2020-01-17T08:52:35.633

Coming back to this, I just used a TD-W9970 TP-Link router that costs under $40 and it does work. It doesn't look like this is a special function. – Tasos – 2020-02-21T06:46:41.117

@Tasos: This depends on the firmware, not on the hardware. Cost is no measure. – harrymc – 2020-02-21T07:23:15.137
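The reason the mapping works from 4G but not from the LAN is the NAT order of operations on IOS: on the outside interface the destination is translated before routing, while on the inside interface routing happens first and only the source of inside hosts is translated. A packet from a LAN host to 1.1.1.221:1970 is therefore routed to the router itself, which has nothing listening on that port and answers with a TCP RST, which Chrome reports as ERR_CONNECTION_REFUSED. The small model below is an added illustration, not code from the question or the answer; the LAN client 3.3.3.50 and the phone 198.51.100.7 are constructed, and because the anonymized config gives 3.3.3.1 to both Gi0/1 and the NGINX host, the model treats 3.3.3.1 as the server and only 1.1.1.221 as a router-owned address.

```python
# Model of Cisco IOS NAT order of operations for the static mapping on this page:
#   ip nat inside source static tcp 3.3.3.1 80 interface GigabitEthernet0/0 1970
# Constructed hosts: LAN client 3.3.3.50, 4G phone 198.51.100.7.
from dataclasses import dataclass

OUTSIDE_IF = "GigabitEthernet0/0"          # ip nat outside, 1.1.1.221
INSIDE_IF = "GigabitEthernet0/1"           # ip nat inside
ROUTER_OWN = {"1.1.1.221"}                 # addresses the router delivers to itself
STATIC_TCP = {("1.1.1.221", 1970): ("3.3.3.1", 80)}   # global:port -> local:port
LAN_PREFIXES = ("3.3.3.", "2.2.2.")        # assumption: the two Gi0/1 subnets
ROUTER_LISTENERS = {80, 443, 22, 23}       # http server, secure-server, vty; not 1970


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str   # interface the packet arrived on


def route(dst: str) -> str:
    """Routing lookup: router-owned -> local, LAN prefix -> inside, else outside."""
    if dst in ROUTER_OWN:
        return "local"
    return INSIDE_IF if dst.startswith(LAN_PREFIXES) else OUTSIDE_IF


def forward(p: Packet) -> str:
    """Return where the packet ends up after IOS applies NAT and routing."""
    if p.ingress == OUTSIDE_IF:
        # outside -> inside: global-to-local translation runs BEFORE routing,
        # so 1.1.1.221:1970 is rewritten to 3.3.3.1:80 and then routed to the LAN.
        p.dst, p.dport = STATIC_TCP.get((p.dst, p.dport), (p.dst, p.dport))
        return f"forwarded to {p.dst}:{p.dport} via {route(p.dst)}"
    # inside -> outside: routing runs BEFORE translation, and the inside-source
    # entry only rewrites the SOURCE of replies from 3.3.3.1:80. A destination of
    # 1.1.1.221 is the router's own address, so the packet never reaches NAT.
    nexthop = route(p.dst)
    if nexthop == "local":
        if p.dport in ROUTER_LISTENERS:
            return f"delivered to router service on port {p.dport}"
        return f"delivered to router, no listener on port {p.dport}: TCP RST"
    return f"forwarded to {p.dst}:{p.dport} via {nexthop}"


if __name__ == "__main__":
    print(forward(Packet("198.51.100.7", 40000, "1.1.1.221", 1970, OUTSIDE_IF)))
    print(forward(Packet("3.3.3.50", 40001, "1.1.1.221", 1970, INSIDE_IF)))
    print(forward(Packet("3.3.3.50", 40002, "3.3.3.1", 80, INSIDE_IF)))
```

The third case shows why the split-DNS idea from the comments works: a LAN client that resolves the name to 3.3.3.1 never sends its request toward the router's outside address at all.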