[TriLUG] Off Topic: Need Cisco Router Config Help
jason tower
jtower at cerient.net
Thu Apr 3 22:33:22 EDT 2008
well technically it's a dns issue, although the old linksys device
implemented some sort of hack to get around it. you're trying to
connect to the external iface ip from inside, then have port forwarding
redirect that traffic back inside. i think you'll find that very few
devices or setups will allow that to happen, the linksys was definitely
an exception.

we see this exact situation at many of our clients, the easiest way we
have found to deal with it is to run dnsmasq internally, then put the
appropriate entries in the hosts file which dnsmasq consults before
doing external lookups. it's effectively a split-horizon dns setup but
a lot easier to deal with than bind. generally we'll run dnsmasq on the
firewall doing both dns and dhcp but it works equally well on an inside
host just doing dns, for the latter you only need one line in the config:

domain=example.com

then populate the hosts file on that box with entries:

172.20.1.10 www
172.20.1.12 smtp

and so on, dnsmasq reads it by default and consults it before doing
external queries. point your internal hosts to the dnsmasq box for dns
(usually via dhcp) and you're golden. give me access to a box on
your lan and i'll have it running in about three minutes.

Tarus Balog wrote:
> It's definitely not a DNS issue. It's a NAT issue.
>
> Let's assume the external address is 10.1.1.1 and the internal LAN is
> 172.20.1.0/24.
>
> If www.example.com points to 10.1.1.1, the router will NAT port 80 to
> 172.20.1.10.
>
> From outside the LAN, http://www.example.com works fine.
>
> From inside the LAN, http://www.example.com connects to the router's
> HTTP server (http://10.1.1.1), thus NAT is not working from the LAN.
>
> The *workaround* is to set, on the LAN, www.example.com to point to
> 172.20.1.10.
>
> Now, when the router was a Linksys, www.example.com worked in all
> places. I was wondering if there was something in the way Cisco does
> NAT to make that work as well.
>
> -T
>
> _______________________________________________________________________
> Tarus Balog, OpenNMS Maintainer Main: +1 919 533 0160
> The OpenNMS Group, Inc. Fax: +1 503 961 7746
> Email: tarus at opennms.org URL: http://www.opennms.org
> PGP Key Fingerprint: 8945 8521 9771 FEC9 5481 512B FECA 11D2 FD82 B45C
>
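
Added example, not part of the original thread: a Python model of the lookup order described above (hosts-file entries first, then the external answer), used to audit which names an inside client would still resolve to the external address. The addresses follow the thread; the external smtp record, the function names and the expand_hosts switch (modelling dnsmasq's expand-hosts option, which appends the domain= value to bare hosts-file names) are assumptions of this example.

```python
import ipaddress

# Constructed sample data using the addresses from the thread.
LAN = ipaddress.ip_network("172.20.1.0/24")
EXTERNAL_ZONE = {"www.example.com": "10.1.1.1", "smtp.example.com": "10.1.1.1"}
HOSTS_TEXT = """\
# internal overrides (hosts-file format: address first, then names)
172.20.1.10 www
172.20.1.12 smtp.example.com smtp
"""

def parse_hosts(text, domain=None, expand_hosts=False):
    """Build the name -> address map dnsmasq would answer from a hosts file."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr = str(ipaddress.ip_address(fields[0]))  # raises on name-first lines
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            table.setdefault(name, addr)
            # Bare names gain the domain only when expand-hosts is enabled.
            if expand_hosts and domain and "." not in name:
                table.setdefault(f"{name}.{domain}", addr)
    return table

def resolve_internal(name, hosts, external):
    """Hosts entries win; anything else falls through to the external answer."""
    name = name.lower().rstrip(".")
    return hosts.get(name) or external.get(name)

def audit(names, hosts, external, lan=LAN):
    """Return names an inside client would still resolve to a non-LAN address."""
    leaks = []
    for name in names:
        answer = resolve_internal(name, hosts, external)
        if answer is None or ipaddress.ip_address(answer) not in lan:
            leaks.append((name, answer))
    return leaks

if __name__ == "__main__":
    for expand in (False, True):
        hosts = parse_hosts(HOSTS_TEXT, "example.com", expand_hosts=expand)
        print("expand-hosts" if expand else "no expand-hosts",
              audit(EXTERNAL_ZONE, hosts, EXTERNAL_ZONE))
```

Any name the audit returns is one that inside clients will still send to the router's external address, so it needs a fully qualified hosts entry or expand-hosts in the dnsmasq config.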