IOS and NAT reflection
I have a Cisco 1841(advanced IP services) with following setup:
LAN <-> [192.168.1.254/24:Fa0/0]Cisco1841[Fa0/1:194.22.12.1/30] <-> Internet
As you can see, my inside local addresses are from 192.168.1.0/24 and the inside global address is 194.22.12.1. I have done some port forwarding in the Cisco 1841:
ip nat pool NAT 192.168.1.7 192.168.1.7 netmask 255.255.255.0
ip nat inside destination list 150 pool NAT
access-list 150 permit tcp any any range 2222 2224
On the 192.168.1.7 PC there is an SSH server running on port 2222. If I connect from the Internet (from outside global addresses) to this server using "ssh -l user 194.22.12.1 -p 2222", everything works. However, if I'm in the LAN and execute this very same command (ssh -l user 194.22.12.1 -p 2222), I'm not able to access the SSH server.
As I understand it, I need to set up NAT reflection? Any hints on how to achieve this in IOS?
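The following is an added illustration, not code from the thread: a minimal model of the two SSH attempts described above, showing why the LAN-side one fails against the posted "ip nat inside destination" config and what NAT reflection (hairpin NAT) has to add, namely rewriting the source address as well as the destination so the server's reply is forced back through the router. The router, server and port values are the question's; the LAN client 192.168.1.5, the Internet client 203.0.113.10 and the ephemeral port 40000 are assumed, and the IOS order of operations is simplified to the part that matters here.

```python
# Added example, not from the thread. Models the SYN / SYN-ACK exchange for
# ssh to 194.22.12.1:2222 from an Internet client and from a LAN client.
# Assumed values: LAN client 192.168.1.5, Internet client 203.0.113.10,
# client ephemeral port 40000.
from dataclasses import dataclass, replace
from typing import Optional

ROUTER_INSIDE = "192.168.1.254"   # Fa0/0 (from the question)
ROUTER_OUTSIDE = "194.22.12.1"    # Fa0/1, the inside global address
SERVER = "192.168.1.7"            # host running sshd on 2222
SSH_PORT = 2222
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def side(ip: str) -> str:
    """Which NAT side an address belongs to."""
    return "inside" if ip.startswith(LAN_PREFIX) else "outside"


class Router:
    """Three ways the 1841 could treat a packet for 194.22.12.1:2222.

    classic   - the posted config: destination translation happens only for
                packets entering on the outside interface.
    dnat_only - the destination is also rewritten for LAN clients, but the
                source is left alone.
    hairpin   - destination AND source are rewritten for LAN clients, so the
                server's reply is forced back through the router.
    """

    def __init__(self, mode: str):
        self.mode = mode
        self.sessions = {}  # server-side 4-tuple -> original (client ip, port)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        ingress = side(pkt.src)
        if pkt.dst == ROUTER_OUTSIDE and pkt.dport == SSH_PORT:
            if ingress == "outside" or self.mode == "dnat_only":
                return replace(pkt, dst=SERVER)
            if self.mode == "hairpin":
                key = (SERVER, SSH_PORT, ROUTER_INSIDE, pkt.sport)
                self.sessions[key] = (pkt.src, pkt.sport)
                return Packet(ROUTER_INSIDE, pkt.sport, SERVER, SSH_PORT)
            # classic: 194.22.12.1 is the router's own address, so a LAN packet
            # for it is handled locally, where nothing listens on 2222.
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:                       # hairpinned reply
            client_ip, client_port = self.sessions[key]
            return Packet(ROUTER_OUTSIDE, SSH_PORT, client_ip, client_port)
        if pkt.src == SERVER and pkt.sport == SSH_PORT and side(pkt.dst) == "outside":
            return replace(pkt, src=ROUTER_OUTSIDE)    # reply to Internet client
        return pkt


def deliver(pkt: Packet, router: Router) -> Optional[Packet]:
    """Two LAN hosts talk over the switch directly; the router only sees
    packets addressed to itself or to the other side."""
    if side(pkt.src) == "inside" and side(pkt.dst) == "inside" \
            and pkt.dst not in (ROUTER_INSIDE, ROUTER_OUTSIDE):
        return pkt
    return router.forward(pkt)


def ssh_attempt(client: str, mode: str, client_port: int = 40000) -> str:
    """Run the SYN / SYN-ACK exchange and say what the client ends up with."""
    router = Router(mode)
    syn = Packet(client, client_port, ROUTER_OUTSIDE, SSH_PORT)
    at_server = deliver(syn, router)
    if at_server is None or at_server.dst != SERVER:
        return "fail: SYN never reaches 192.168.1.7"
    # sshd answers whatever source address it saw on the SYN.
    syn_ack = Packet(SERVER, SSH_PORT, at_server.src, at_server.sport)
    at_client = deliver(syn_ack, router)
    if at_client is None or at_client.dst != client:
        return "fail: reply lost"
    if (at_client.src, at_client.sport) != (ROUTER_OUTSIDE, SSH_PORT):
        # The client's socket is bound to 194.22.12.1:2222; a SYN-ACK from any
        # other 4-tuple does not match it and is answered with a RST.
        return f"fail: reply from {at_client.src}:{at_client.sport}, not 194.22.12.1:2222 -> RST"
    return "ok"


if __name__ == "__main__":
    for client, mode in [("203.0.113.10", "classic"), ("192.168.1.5", "classic"),
                         ("192.168.1.5", "dnat_only"), ("192.168.1.5", "hairpin")]:
        print(f"{client:>13} via {mode:<9}: {ssh_attempt(client, mode)}")
```

The dnat_only case is the one that trips people up: rewriting only the destination gets the SYN to 192.168.1.7, but sshd then answers 192.168.1.5 directly over the switch from 192.168.1.7:2222, which the client's socket (bound to 194.22.12.1:2222) rejects. The hairpin case fixes that at a cost worth knowing about: the server now sees every LAN client as 192.168.1.254, so sshd logs and any host-based allow-lists keyed on client IP lose the real source. Separately, the posted access-list 150 matches "tcp any any", i.e. any destination on ports 2222-2224, which is broader than the single 194.22.12.1 this forwarding needs.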
Comments
tomaifauchai: You could use split-dns in the case you're resolving hostnames. With IP only, according to this, I'm afraid you can't.
networking - Cisco router - cannot access NATed outside IP from local network - Server Fault
m4rtin: tomaifauchai wrote: » You could use split-dns in the case you're resolving hostnames. With IP only, according to this, I'm afraid you can't.
networking - Cisco router - cannot access NATed outside IP from local network - Server Fault
OK, I see. However, any experience or comments about this policy-based routing, which might help in this case?
DPG: You will need a real firewall to do hairpin NAT correctly.
The dirty way to accomplish this is to add the external IP as a secondary address on the server. You then create a static route for your internal hosts.
Something like ip route *external ip* 255.255.255.255 *internal ip*. I think you also have to change something in the NAT statement to prevent ARP problems. I haven't tried this with IOS but it should work.
My suggestion is to make your application work with the network instead of the reverse.
Dear Software Developers,
Please stop hard coding IP addresses into your applications!
Thanks,
Network Admins of the World