

Cisco 2821 port forwarding





pjv
We're using a Cisco 2821 ISR router in our office. We only have one public IP address, which is used by the router, so our web server is configured with a private IP address (192.168.1.1). I configured port forwarding in the router:

ip nat inside source static tcp 192.168.1.1 80 interface GigabitEthernet0/0 80

which works for people browsing from outside our LAN. How come PCs inside the LAN (i.e. 192.168.1.5) cannot see the webpages on our server? What comes up is the login prompt of the Cisco router.

It is ironic that PCs of the same private network cannot browse our web server while if you access it from outside the LAN, you can perfectly view the webpage.

What do I need to add to my configuration?
ocalhoun
Have you tried to access the files on your server directly? (without using the internet)
I think you'll have to do that, because with only one public IP, it would look to any DNS like your server is requesting to be pointed to itself, and that just doesn't work.
pjv
Yes, I did try to access the server directly by using its IP address or computer name

i.e. http://192.168.1.5/mywebpage/index.htm
http://webserver/mywebpage/index.htm

and it works, but the problem is I have accounts at gotdns.org like http://mywebserver.gotdns.org which points to our public IP address used by the Cisco router, which also points to our web server through port forwarding

ip nat inside source static tcp 192.168.1.1 80 interface GigabitEthernet0/0 80

Now, when I browse http://mywebserver.gotdns.org from inside the LAN it doesn't work, but from outside the LAN it works.

In short, the router doesn't allow me to browse my web server if I use a full domain name like, for example, http://mywebserver.gotdns.org pointed to my web server.

Hopefully my explanation is still clear.
cisco_user
This is the first time we have experienced Cisco and seem to be having some trouble. The issue is that we are unable to access locally hosted websites using their WAN domain name from the LAN.


@Irmoore
I don't mean to be rude, but I find it hard to believe that it is impossible to do in this router. A $100 Linksys router does it with the click of a button. Also, if you read the questions I referenced, they seem to have been able to do it; I just can't replicate the results.

lrmoore:
Yeah, I know a $50 Linksys router can do it and a $15,000 Cisco can't. That's just the way it is. There's a whitepaper on CCO "nat on a stick" where they try to make it work using loopbacks, but TAC does not support it and I've never been able to make it work. PIX/ASA firewalls have a feature for "DNS doctoring" where the appliance substitutes the public IP for the private IP in the DNS response to the client, but that means the DNS server must also live outside the appliance in relation to the internal hosts. No such feature in IOS.

DNS is still the simplest solution, but yes, you would have to add another primary zone for the internet domain with A records using the private IP addresses.

@Jon - Yes, typically the source IP does change to the global IP/pool set in the router, but not in this case. There is still the problem of actually traversing the outside and inside designated nat interfaces on the Cisco. NAT only works when the packets actually pass the interface that is designated either inside or outside before any nat rules are even looked at. The source IP cannot change in this case because it does not actually leave out through the "outside" interface to be natted then bounced back inside. That's what they tried to do with loopbacks in the nat-on-a-stick attempts.
Here's the document:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
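
The internal DNS zone lrmoore describes, written out as a BIND-style zone file. This is an added example, not part of the thread; the choice of BIND, the name server label `ns` and its address 192.168.1.53 are assumptions, while the hostname and 192.168.1.1 come from pjv's posts.

```dns
; Internal-only primary zone (added illustration, not from the thread).
; Declare the zone on the LAN's DNS server under the exact name
; "mywebserver.gotdns.org" rather than "gotdns.org", so every other
; gotdns.org name keeps resolving through public DNS as before.

$ORIGIN mywebserver.gotdns.org.
$TTL 300

@       IN  SOA ns.mywebserver.gotdns.org. hostmaster.mywebserver.gotdns.org. (
                1         ; serial, increment on every change
                3600      ; refresh
                600       ; retry
                604800    ; expire
                300 )     ; negative-caching TTL

@       IN  NS  ns.mywebserver.gotdns.org.

; Assumed address of the internal DNS server that holds this zone.
ns      IN  A   192.168.1.53

; LAN clients receive the web server's private address and connect to it
; directly, so the request never has to cross the router's NAT inside and
; outside interfaces.
@       IN  A   192.168.1.1
```

This only helps clients that use the internal DNS server as their resolver. Keep that server unreachable from the Internet so outside users continue to get the public address and arrive through the existing `ip nat inside source static` rule.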
Marcuzzo
Quote:
which works for people browsing from outside our LAN. How come that PCs inside the LAN (i.e. 192.168.1.5) cannot see the webpages in our server. What comes out is the login prompt of the cisco router?


Have you checked your access list?
http://www.ciscosystems.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml