Getting to the inside via the outside

DevilWAH Member Posts: 2,997
OK, I know this is not how things should be done, but I would like to know how it's possible to set this up.

I have a router with two internal networks and an external link to the ISP.

On one of the internal networks there is a webserver that has a static NAT from the external IP address, so people outside the network can get to it.

What I want to set up is so that people on the other internal network can access the webserver via its public IP address.

See diagram attached.

So say the client PC sends an HTTP packet to 68.26.45.125. How can I get the router to translate this into 172.16.20.25 and send it back to the other internal network?

Any takers on a solution?
  • If you can't explain it simply, you don't understand it well enough. Albert Einstein
  • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.

Comments

  • ColbyG Member Posts: 1,264
    Still refusing to configure DNS properly?
  • DevilWAH Member Posts: 2,997
    nope :) I have set this up with DNS, but this is going to get just as messy. Imagine you're hosting a single mirror server for hotmail.com, say serverA.hotmail.com. Then I have to set up a DNS zone for hotmail.com on my DNS server. But I don't own hotmail.com, so I have to ensure any other requests to *.hotmail.com from inside clients go to the public DNS servers. I also have to duplicate my firewall policy between the outside to webserver and inside to webserver (as hotmail.com require specific policies, and as far as they're concerned my inside clients are no different to any other public PC). OK, that's fine, but now I'm going to mirror servers for company x, y, z and so on. Each requires a new DNS zone and more duplicated firewall rules. Now, as traffic from inside clients is likely to be very low to the mirrored webservers, I could spend time setting up lots of DNS, or if possible I can treat my inside clients like any other public PC. Not saying it's best practice, but it seems crazy there is not an easy way to achieve this. In fact there must be and I will find out how :)
  • DevilWAH Member Posts: 2,997
    So far I can do this with DNS, and I can kind of get NAT hairpinning to work in a test network, but there's got to be another way :)
  • ColbyG Member Posts: 1,264
    DevilWAH wrote: »
    nope :) I have set this up with DNS, but this is going to get just as messy. Imagine you're hosting a single mirror server for hotmail.com, say serverA.hotmail.com. Then I have to set up a DNS zone for hotmail.com on my DNS server. But I don't own hotmail.com, so I have to ensure any other requests to *.hotmail.com from inside clients go to the public DNS servers. I also have to duplicate my firewall policy between the outside to webserver and inside to webserver (as hotmail.com require specific policies, and as far as they're concerned my inside clients are no different to any other public PC). OK, that's fine, but now I'm going to mirror servers for company x, y, z and so on. Each requires a new DNS zone and more duplicated firewall rules. Now, as traffic from inside clients is likely to be very low to the mirrored webservers, I could spend time setting up lots of DNS, or if possible I can treat my inside clients like any other public PC. Not saying it's best practice, but it seems crazy there is not an easy way to achieve this. In fact there must be and I will find out how :)

    I'm not following. White space might help.

    So you're using a domain that isn't yours? Or part of your domain is hosted externally? In my company, we do absolutely no NAT hairpinning. Anything that sits in the DMZ and needs to be accessed internally is handled via DNS. This is true for the other companies I've worked with as well. NAT hairpinning is a nasty hack, IMO, and I don't see why DNS works for everyone else, but not for you.
  • burbankmarc Member Posts: 460
    I agree with Colby. Set up an internal DNS server and a public DNS server. It's as simple as that.

    I had to clean up all the crazy internal NAT nonsense when I got to my current company. It's just so sloppy.
  • DevilWAH Member Posts: 2,997
    First of all, sorry about the lack of white space; for some reason my phone refuses to enter new lines correctly (it does in one web browser and not the other), and there's no way to go back and edit posts on my phone if I forget.

    Back to the issue

    PubMLST Mirror Sites

    I host a mirror for this website. However I don't own the pubmlst.org domain.

    So if one of my client PCs clicks on the mirror, I have two options: set up DNS so that ukmirror3.pubmlst.org resolves to my internal IP address, but any other request to pubmlst.org has to go to the public DNS system.

    Of course, though, the guy who runs this has remote access to the server, so he might set up a second website on it, let's say called UKmirror4.pubmlst.org, and point a DNS entry to it (it's our hardware and our network, but he has full control over the server, on its own private network). But that site won't work for my clients now, as until I set up a new DNS entry they will be getting the public IP from his DNS servers.

    Now if I had two routers it is easy to do. The primary router connects to the ISP and the client network and has an uplink to a second router that holds the public IP address range and connects to the webserver network.

    Now I can just set up the routes so that the clients can talk to the servers on their public IPs (the NATting of the server public IP takes place on the second router). No need for setting up multiple DNS zones, or having to make changes when changes are made to the webserver mirrors or new ones are added, and now all the DNS is managed as it should be by the company that owns the name.
  • kryolla Member Posts: 785
    Try setting up NAT to a loopback interface.
    Studying for CCIE and drinking Home Brew
  • DevilWAH Member Posts: 2,997
    I looked at the NAT to loopback and yeah, that looks good and does work, but there's a lot of processor overhead.

    But then I came across this.

    Network address translation of DNS responses - CT3, which looks like the best solution, by rewriting the address inside the DNS responses as they come in.

    Now just got to test it.
  • DevilWAH Member Posts: 2,997
    That was a "Doh!! Why have I not come across this before?" moment!!

    On Cisco routers, if you have a static NAT mapping without options, i.e.
    ip nat inside source static x.x.x.x y.y.y.y

    then the router will automatically rewrite the IP address inside DNS responses to match.

    This does not work if you are using PAT in the NAT statements; it has to be a direct NAT mapping.

    However, there is nothing stopping you from adding PAT mappings to the same IP address, and this will work fine, but the DNS rewrite will always use the direct NAT statement...

    So there's an easy way to get what I wanted, without NAT hairpinning or setting up extra DNS zones. :)
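To make the mechanism DevilWAH describes concrete (the router fixing up the A-record payload of a DNS reply according to its static one-to-one NAT entries), here is an added Python model of that rewrite. It is not code from the thread or from Cisco; the NAT entry and hostname are the ones from the thread, the second answer address and the reply packet itself are constructed.

```python
import socket
import struct

# Static one-to-one NAT table, outside global -> inside local, using the thread's
# addresses. Only "ip nat inside source static" style entries belong here; a PAT
# (overload) entry has no single inside address to rewrite to.
STATIC_NAT = {"68.26.45.125": "172.16.20.25"}

def skip_name(msg, off):
    """Return the offset just past the DNS name at off (compression pointers included)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def rewrite_dns_response(msg, nat_table=STATIC_NAT):
    """Model of the router's DNS payload fix-up: every A record whose rdata is an
    outside global address in nat_table is rewritten to the inside local address.
    Returns (rewritten message, count of records changed)."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12  # fixed DNS header
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    changed = 0
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addr = socket.inet_ntoa(msg[off:off + 4])
            if addr in nat_table:
                out[off:off + 4] = socket.inet_aton(nat_table[addr])
                changed += 1
        off += rdlen
    return bytes(out), changed

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(name, addrs):
    """Constructed reply from a public resolver: one question, one A record per address."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = lambda a: b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    return header + question + b"".join(rr(a) for a in addrs)
```

Feeding `build_response("ukmirror3.pubmlst.org", ["68.26.45.125"])` through `rewrite_dns_response` yields a reply whose only answer is 172.16.20.25, which is what the inside clients end up connecting to; addresses that have no static entry pass through untouched.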
  • chmorin Member Posts: 1,446
    DevilWAH wrote: »
    That was a "Doh!! Why have I not come across this before?" moment!!

    On Cisco routers, if you have a static NAT mapping without options, i.e.
    ip nat inside source static x.x.x.x y.y.y.y

    then the router will automatically rewrite the IP address inside DNS responses to match.

    This does not work if you are using PAT in the NAT statements; it has to be a direct NAT mapping.

    However, there is nothing stopping you from adding PAT mappings to the same IP address, and this will work fine, but the DNS rewrite will always use the direct NAT statement...

    So there's an easy way to get what I wanted, without NAT hairpinning or setting up extra DNS zones. :)

    I like to call this: Win!
    Currently Pursuing
    WGU (BS in IT Network Administration) - 52%| CCIE:Voice Written - 0% (0/200 Hours)
    mikej412 wrote:
    Cisco Networking isn't just a job, it's a Lifestyle.
  • DevilWAH Member Posts: 2,997
    If anyone is interested, there are more details on what I was trying to achieve and the methods you can use to solve it here.

    Visiting the outside from the inside
  • creamy_stew Member Posts: 406
    Never mind me, I'm just tagging this for future review. Never could get hairpin routing working acceptably on 1812/2821. Seemed to work on an ASA, though.
    Itchy... Tasty!
    [X] DCICN
    [X] IINS

    [ ] CCDA
    [ ] DCICT