http://www.dslreports.com/forum/r20780916 en Wed, 11 Nov 2009 05:04:48 EDT Wed, 11 Nov 2009 05:04:48 EDT http://www.dslreports.com/forum/remark,20783606 anon : Hmm looks like the 'ip nat outside source' statement will rewrite the DNS but it also makes my webserver inaccessible from the outside. So that's no good. I wonder if my syntax was incorrect.. been trying to understand when the ip nat outside source statement can be used.]]> http://www.dslreports.com/forum/remark,20783606 Sun, 13 Jul 2008 07:55:38 EDT http://www.dslreports.com/forum/remark,20783584 anon : i tried searching for it too first but I must have used the wrong terms. So I did some digging into the DNS and it's half a solution. Maybe someone knows how to improve this.

In this Cisco doc »www.cisco.com/en/US/tech/tk648/t···3b.shtml it states that any dns entries entered as a outside source will be remapped.

So I tried this and it worked. If I do a dns lookup for www.mywebsite.com it resolves as 192.168.1.5
ip nat outside source static 24.25.20.10 192.168.1.5

The cavaet I found was that there's no provisions for multiple IPs in the port ranges. So if you had a web server running on 80 and a different mail server on 25, the IOS cannot choose between both. That's because when a DNS query goes out it doesn't know which port the destination is going to.

So even with the DNS rewrite it's half a solution. I tried searching under NAT reflection but didn't come up with anything for IOS. Bummer but at least I learned a new term!]]> http://www.dslreports.com/forum/remark,20783584 Sun, 13 Jul 2008 07:43:57 EDT http://www.dslreports.com/forum/remark,20782653 mr_dirt : I'm nearly positive that this has come up before, but NAT applies fixup on DNS replies such that internal hosts end up receiving the translated inside addresses in DNS queries for a given host, if IOS NAT carries a static translation for said host. The only doc that says anything about this is »www.cisco.com/en/US/technologies···2b9.html. It sucks that there are no other docs that describe the particulars, but I don't suppose that there are particulars to describe; it just works.

Edited to add: I posted this very same link in an earlier thread that asked the same question some time ago:

»[Config] NAT static]]> http://www.dslreports.com/forum/remark,20782653 Sat, 12 Jul 2008 22:54:46 EDT http://www.dslreports.com/forum/remark,20782248 sporkme : What your linksys and likely everything else out there does is sometimes known as "nat reflection". The firewall/router just creates a rule that matches requests from inside to it's own outside IP+port as something of an exception.

Judging from the responses here, this is not a standard Cisco NAT feature. However I would imagine there must be some trickery that can accomplish the same thing. Policy routing perhaps?

In short, a rule matching traffic from 192.168.1.0/24 and destined to 24.25.20.10 seems feasible. After that, I'm lost. I'd put money on policy routing being able to do this though. I just don't know jack about it other than very simple route overrides.]]> http://www.dslreports.com/forum/remark,20782248 Sat, 12 Jul 2008 21:09:55 EDT http://www.dslreports.com/forum/remark,20782027 anon : Thanks. Yeah, I'm probably too lazy to maintain another DNS server. I will probably use the hosts file route. Pity cause it was never a problem with my Linksys router.]]> http://www.dslreports.com/forum/remark,20782027 Sat, 12 Jul 2008 20:05:07 EDT http://www.dslreports.com/forum/remark,20781566 tubbynet : specifically, you are looking to perform DNS redirection using your router. while i have looked to find something like this, i haven't been able to successfully implement it.
with most of my internal stuff, i have just used a spare pc and put centOS on it. when using BIND with WebMin, the setup is cake and it allows you to redirect internally the way it should be done.

q.]]> http://www.dslreports.com/forum/remark,20781566 Sat, 12 Jul 2008 18:07:19 EDT http://www.dslreports.com/forum/remark,20781472 anon : Hmm... from the FAQ it reads that internal users should access the internal IP directly. That seems cumbersome because I can only see two ways around it. The first is to run a local DNS server. The second is to edit the local hosts file.

Is there another way in IOS to route certain IP and port ranges to another IP? So if IOS sees a request internally to a 24.25.20.10 888 address it repackages it and reroutes it to 192.168.1.5 888?]]> http://www.dslreports.com/forum/remark,20781472 Sat, 12 Jul 2008 17:41:17 EDT http://www.dslreports.com/forum/remark,20781200 aryoba : Check out this forum FAQ for some descriptions.

»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices]]> http://www.dslreports.com/forum/remark,20781200 Sat, 12 Jul 2008 16:26:30 EDT http://www.dslreports.com/forum/remark,20780916 anon : I have IOS doing a basic PAT overload and it works great. But I have an issue with seeing my local servers because it resolves to the external IP and it doesn't route.

Example, my local network is 192.168.1.0

Web server 192.168.1.5
Computer 192.168.1.100
External IP 24.25.20.10

I have an internal static nat that maps port 88 to the internal webserver.
ip nat inside source static tcp 192.168.1.5 88 interface Ethernet0 88

When I look from my local PC (192.168.1.100) to www.mywebsite.com:88 (resolves to 24.25.20.10) it doesn't route to 192.168.1.5. External people entering the Cisco box works fine, but not internally. How do I configure it so that the IOS also routes internal users? So when my packet goes to the IOS, it knows to route that like I was an external user. My old linksys box used to figure this out fine.]]> http://www.dslreports.com/forum/remark,20780916 Sat, 12 Jul 2008 15:14:49 EDT