[nsp] NAT question

Bruce Pinsky bep at whack.org
Tue Feb 3 17:25:12 EST 2004



Bruce Pinsky wrote:

| Jay Nakamura wrote:
|
| | I have a quick question on NAT that I haven't found the answer to.
| |
| | Let's say I have the following configuration,
| |
| | interface FastEthernet0/1
| |  ip address 10.0.0.2 255.255.255.0
| |  ip nat inside
| | !
| | interface FastEthernet0/2
| |  ip address 10.0.1.1 255.255.255.0
| |  ip nat outside
| | !
| | ip nat inside source list 101 interface FastEthernet0/2 overload
| | ip nat inside source static tcp 10.0.0.1 80 10.0.10.1 80 extendable
| | access-list 101 permit ip 10.0.0.0 0.0.0.255 any
| | ip route 0.0.0.0 0.0.0.0 10.0.1.2
| |
| | Let's say 10.0.0.1 is a web server, 10.0.10.1 has the DNS www.foobar.com
| |
| | Now, the issue is, the users inside would like to connect to the web
| | server at 10.0.0.1 but use www.foobar.com as the address.
| |
| | Well, that doesn't work from inside the network since www.foobar.com will
| | resolve to 10.0.10.1, and NAT gets confused when it hits the router.  (At
| | least my test bed router does, running 12.2(17a))
| |
| | Is there a way to configure NAT so you can get to 10.0.10.1 from the
| | inside network?
| |
|
| Why not solve this with DNS?  If you are running BIND 8.x or 9.x you should
| be able to use views to provide different IP address resolution to the
| hosts inside vs the hosts outside your network.
|

One of the other things I thought about here is that the static NAT
translation is only for port 80.  I haven't tested it, but perhaps that is
preventing the fixup of the DNS requests for clients inside the network to
the DNS server outside.  I'd try removing the port restriction and doing a
straight address->address translation and see if that fixes it.  Then you
could control the security with an ACL rather than the NAT rules.

-- 
=========
bep

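A split-horizon (views) configuration for the setup in the thread, added here as an illustration and not taken from any of the posts: one view answers the inside hosts with the real server address 10.0.0.1, every other client gets the address the static NAT entry exposes, 10.0.10.1. It assumes a BIND 9 server that inside clients reach without passing through the NAT, and the zone file names are made up.

```conf
// named.conf fragment (BIND 9); hypothetical example, not from the original post.
// Hosts on 10.0.0.0/24 (the 'ip nat inside' segment) see the web server's
// real address; everyone else sees the address the static NAT publishes.

acl inside-net { 10.0.0.0/24; 127.0.0.1; };

view "internal" {
    match-clients { inside-net; };
    recursion yes;                      // only our own hosts may use us as a resolver
    zone "foobar.com" IN {
        type master;
        file "db.foobar.com.internal";  // www IN A 10.0.0.1
    };
};

view "external" {
    match-clients { any; };             // everything not matched by the view above
    recursion no;                       // never act as an open resolver toward the outside
    zone "foobar.com" IN {
        type master;
        file "db.foobar.com.external";  // www IN A 10.0.10.1
    };
};

// The two zone files differ only in the www record (and in their serials, so a
// secondary loading either view can tell them apart):
//   db.foobar.com.internal:  www   IN  A   10.0.0.1
//   db.foobar.com.external:  www   IN  A   10.0.10.1
// Caveat: if inside clients reach this server through the overload NAT instead,
// their queries arrive from the FastEthernet0/2 address (10.0.1.1), and that is
// the address inside-net would have to match rather than 10.0.0.0/24.
```

With views enabled every zone must live inside some view, so the root hints and any other zones the server carries move into the views as well.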