NAT ON A STICK – UNABLE TO ACCESS AN INSIDE SERVER USING A PUBLIC IP FROM AN INSIDE HOST

Rashmi Bhardwaj | Blog, Config & Troubleshoot, Routing & Switching

Why can't an inside host reach an inside server using the server's public IP address? This is the NAT hairpin (loopback) case: the client and the server both sit behind the same "ip nat inside" interface, so the packet has to be translated twice on the same router (source on the way out, destination on the way back in). With only the dynamic overload translation configured, the second translation never happens, and the packet loops between the NAT router and the ISP until its TTL expires.

Sample configuration on NAT-Router:

interface FastEthernet0/1
 description "internal interface"
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 description "outside interface"
 ip address 202.2.2.1 255.255.255.252
 ip nat outside
!
ip nat pool public 202.2.2.129 202.2.2.254 prefix-length 25
ip nat inside source list 101 pool public overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
ip route 0.0.0.0 0.0.0.0 202.2.2.2

  1. Host1 browses to the internal web server using its URL (www.nattest.com).
  2. Host1's browser sends a DNS request to the internal DNS server to resolve www.nattest.com to an IP address.
  3. The internal DNS server replies with the server's global (public) IP address, 202.2.2.222.
  4. Host1's browser now attempts to connect to 202.2.2.222 and sends the traffic to its default gateway, NAT-Router's fa0/1 (192.168.1.1).
  5. Routing takes place and the router sends this traffic out the outside interface (fa0/0). Because the packet has crossed from a NAT inside interface to a NAT outside interface, its source address is translated to the pool address 202.2.2.129:

IP: tableid=0, s=192.168.1.8 (FastEthernet0/1), d=202.2.2.222 (FastEthernet0/0), routed via RIB

*Feb 27 17:18:05.439: NAT: s=192.168.1.8->202.2.2.129, d=202.2.2.222 [13]

IP: s=202.2.2.129 (FastEthernet0/1), d=202.2.2.222 (FastEthernet0/0), len 100, sending full packet

  6. The ISP sees that the destination address (202.2.2.222) is routed back out the same interface it came in on (its gig0/1, towards 202.2.2.1), so the traffic comes straight back to NAT-Router's outside interface, fa0/0:

IP: s=202.2.2.129 (GigabitEthernet0/1), d=202.2.2.222 (GigabitEthernet0/1), g=202.2.2.1, len 100, forward

IP: s=202.2.2.129 (GigabitEthernet0/1), d=202.2.2.222 (GigabitEthernet0/1), len 100, sending full packet

  7. The returning packet arrives on NAT-Router's outside interface, but no translation entry has 202.2.2.222 as an inside global address (the only entry is Host1's own 202.2.2.129 mapping, shown below), so nothing is translated. The packet is simply routed according to the default route, back out the outside interface, and a loop between NAT-Router and the ISP begins:

NAT-ROUTER#sh ip nat tra
Pro  Inside global      Inside local       Outside local      Outside global
icmp 202.2.2.129:6      192.168.1.8:6      202.2.2.222:6      202.2.2.222:6

Mar  2 04:36:03.603: IP: s=202.2.2.129 (FastEthernet0/0), d=202.2.2.222 (FastEthernet0/0), g=202.2.2.2, len 100, forward

  8. Each pass through NAT-Router and the ISP decrements the TTL, so the packet is dropped once its TTL expires, and Host1 never receives a reply.
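The check NAT-Router makes in step 7, plus the pool/static overlap worth checking before applying the fix below, as an added Python example (it is not from the article and not Cisco code): it parses the NAT configuration lines shown above and the "show ip nat translations" output, then answers whether a packet arriving on the outside interface for a given destination has an inside global owner to be translated to. The second translation table (the one that exists once the static entry from Solution 1 is added), the static line itself, and all function names are constructed for this example; the lookup is simplified to addresses only, whereas IOS matches the whole entry, ports included.

```python
import ipaddress
import re

# NAT configuration lines as shown on the page; STATIC_LINE is the entry Solution 1 adds.
NAT_CONFIG = """\
ip nat pool public 202.2.2.129 202.2.2.254 prefix-length 25
ip nat inside source list 101 pool public overload
"""
STATIC_LINE = "ip nat inside source static 192.168.1.13 202.2.2.222\n"

# `show ip nat translations` as printed on the page before the static entry exists.
TRANSLATIONS_BEFORE = """\
Pro  Inside global      Inside local       Outside local      Outside global
icmp 202.2.2.129:6      192.168.1.8:6      202.2.2.222:6      202.2.2.222:6
"""

# Constructed to mirror the table after Solution 1 (IOS prints a static mapping with '---').
TRANSLATIONS_AFTER = TRANSLATIONS_BEFORE + """\
udp  202.2.2.129:61300  192.168.1.8:61300  202.2.2.2:53       202.2.2.2:53
icmp 202.2.2.222:6      192.168.1.13:6     202.2.2.129:6      202.2.2.129:6
---  202.2.2.222        192.168.1.13       ---                ---
"""


def parse_config(text):
    """Return (list of pool (first, last) ranges, {inside global: inside local} static map)."""
    pools, statics = [], {}
    for line in text.splitlines():
        m = re.match(r"ip nat pool \S+ (\S+) (\S+) prefix-length \d+", line)
        if m:
            pools.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        m = re.match(r"ip nat inside source static (\S+) (\S+)", line)
        if m:
            statics[m[2]] = m[1]
    return pools, statics


def parse_translations(text):
    """Parse `show ip nat translations` rows into dicts; port numbers are stripped."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto,
                     "inside_global": ig.split(":")[0],
                     "inside_local": il.split(":")[0],
                     "outside_local": ol.split(":")[0],
                     "outside_global": og.split(":")[0]})
    return rows


def inside_target(dst_ip, rows):
    """The step-7 check: a packet arriving on the outside interface for dst_ip is translated
    only if some entry owns dst_ip as its inside global address. Returns the inside local
    address, or None, in which case the router just routes the packet via the RIB."""
    for r in rows:
        if r["inside_global"] == dst_ip:
            return r["inside_local"]
    return None


def static_globals_inside_pool(pools, statics):
    """Static inside global addresses that fall inside a dynamic pool range (a config smell)."""
    hits = []
    for g in statics:
        addr = ipaddress.ip_address(g)
        if any(lo <= addr <= hi for lo, hi in pools):
            hits.append(g)
    return hits


if __name__ == "__main__":
    before = parse_translations(TRANSLATIONS_BEFORE)
    after = parse_translations(TRANSLATIONS_AFTER)
    print("202.2.2.222 before static:", inside_target("202.2.2.222", before))  # None: routed back out
    print("202.2.2.222 after static: ", inside_target("202.2.2.222", after))   # 192.168.1.13
    pools, statics = parse_config(NAT_CONFIG + STATIC_LINE)
    print("static globals inside the dynamic pool:", static_globals_inside_pool(pools, statics))
```

Running it against the page's own tables gives None for 202.2.2.222 before the static entry (the packet is routed, not translated, which is exactly why it loops) and 192.168.1.13 afterwards; it also flags that 202.2.2.222 sits inside the dynamic pool 202.2.2.129-202.2.2.254.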

Solution 1

Only one static NAT entry is required. However, the traffic crosses the ISP link twice (once for the request and once for the reply) before the server's answer reaches the client, so this is not advisable in customer networks; it is shown here to explain the translation behaviour. Two points worth checking before copying it: the static inside global address 202.2.2.222 lies inside the dynamic pool range 202.2.2.129-202.2.2.254, and in a real deployment static inside global addresses should be kept out of the dynamic pool; and the whole detour starts with the internal DNS server handing out the global address in step 3, so a client that resolved www.nattest.com to 192.168.1.13 would be routed directly on the inside and never take this path.

With the static NAT entry added, the traffic flow is as follows:

NAT-Router:
ip nat inside source static 192.168.1.13 202.2.2.222

Host1's browser attempts to connect to 202.2.2.222 and sends the traffic to its default gateway, NAT-Router's fa0/1:

IP: s=192.168.1.8 (local), d=202.2.2.222 (FastEthernet0/1), len 100, sending full packet

Routing takes place and the router sends this traffic out the fa0/0 interface. As this occurs, the source address is translated, since the packet has traversed a NAT inside and a NAT outside interface:

IP: tableid=0, s=192.168.1.8 (FastEthernet0/1), d=202.2.2.222 (FastEthernet0/0), routed via RIB

*Feb 27 17:18:05.439: NAT: s=192.168.1.8->202.2.2.129, d=202.2.2.222 [13]

IP: s=202.2.2.129 (FastEthernet0/1), d=202.2.2.222 (FastEthernet0/0), len 100, sending full packet

The ISP sees that the destination address (202.2.2.222) is routed back out the same interface it came in on, so the traffic goes back out the ISP's gig0/1 towards NAT-Router:

IP: tableid=0, s=202.2.2.129 (GigabitEthernet0/1), d=202.2.2.222 (GigabitEthernet0/1), routed via RIB

IP: s=202.2.2.129 (GigabitEthernet0/1), d=202.2.2.222 (GigabitEthernet0/1), g=202.2.2.1, len 100, forward

IP: s=202.2.2.129 (GigabitEthernet0/1), d=202.2.2.222 (GigabitEthernet0/1), len 100, sending full packet

When NAT-Router receives that packet back on its outside interface, the destination 202.2.2.222 now matches the static entry, so it is translated to 192.168.1.13 and the packet is forwarded to the server:

*Feb 27 17:18:05.439: NAT: s=202.2.2.129, d=202.2.2.222->192.168.1.13 [13]

IP: s=202.2.2.129 (FastEthernet0/0), d=192.168.1.13 (FastEthernet0/1),g=192.168.1.13, len 100, forward

IP: s=202.2.2.129 (FastEthernet0/0), d=192.168.1.13 (FastEthernet0/1), len 100, sending full packet

The server receives the packet and replies:

IP: s=202.2.2.129 (FastEthernet0/1), d=192.168.1.13, len 100, rcvd 2

IP: s=192.168.1.13 (local), d=202.2.2.129 (FastEthernet0/1), len 100,sending full packet

NAT-Router receives the reply on its inside interface. Routing takes place and, because the packet again crosses from the inside to the outside interface, the source is translated once more, this time 192.168.1.13 to 202.2.2.222 via the static entry:

IP: tableid=0, s=192.168.1.13 (FastEthernet0/1), d=202.2.2.129 (FastEthernet0/0), routed via RIB

*Feb 27 17:18:05.443: NAT: s=192.168.1.13->202.2.2.222, d=202.2.2.129 [13]

IP: s=202.2.2.222 (FastEthernet0/1), d=202.2.2.129 (FastEthernet0/0), g=202.2.2.2, len 100, forward

IP: s=202.2.2.222 (FastEthernet0/1), d=202.2.2.129 (FastEthernet0/0), len 100, sending full packet

The ISP receives the traffic and sends it back to NAT-Router:

IP: tableid=0, s=202.2.2.222 (GigabitEthernet0/1), d=202.2.2.129 (GigabitEthernet0/1), routed via RIB

IP: s=202.2.2.222 (GigabitEthernet0/1), d=202.2.2.129 (GigabitEthernet0/1), g=202.2.2.1, len 100, forward

IP: s=202.2.2.222 (GigabitEthernet0/1), d=202.2.2.129 (GigabitEthernet0/1), len 100, sending full packet

When NAT-Router receives the packet again, the destination 202.2.2.129 matches Host1's dynamic entry and is translated back to 192.168.1.8, and the packet is sent to Host1. The translation table now shows both Host1's dynamic entries and the static entry for the server:

NAT-ROUTER# sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 202.2.2.129:6      192.168.1.8:6      202.2.2.222:6      202.2.2.222:6
udp  202.2.2.129:61300  192.168.1.8:61300  202.2.2.2:53       202.2.2.2:53
icmp 202.2.2.222:6      192.168.1.13:6     202.2.2.129:6      202.2.2.129:6
---  202.2.2.222        192.168.1.13       ---                ---

*Feb 27 17:18:05.447: NAT: s=202.2.2.222, d=202.2.2.129->192.168.1.8 [13]
IP: s=202.2.2.222 (FastEthernet0/0), d=192.168.1.8 (FastEthernet0/1),g=192.168.1.8, len 100, forward
IP: s=202.2.2.222 (FastEthernet0/0), d=192.168.1.8 (FastEthernet0/1), len 100, sending full packet

Host1 receives the reply with source 202.2.2.222, exactly what it was expecting, and accepts it:

IP: s=202.2.2.222 (FastEthernet0/1), d=192.168.1.8, len 100, rcvd 2

BGL.S.08-3500-8#ping 202.2.2.222 rep 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 202.2.2.222, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 17/17/17 ms
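To see both flows end to end, here is an added Python model (not part of the article and not IOS code) of the order of operations the traces above illustrate: on an inside-to-outside packet the router routes first and then translates the source; on an outside-to-inside packet it translates the destination first and then routes. It replays the loop from steps 4 to 8 with a decrementing TTL, then the same request with the static entry from Solution 1, and returns the packets each host sees, the resulting translation table, and the translations in the order they occur. Node and interface names follow the page; the NatRouter class, the deliver and hairpin_round_trip functions, and the assumption that the ISP reaches 202.2.2.128/25 through its single gig0/1 towards 202.2.2.1 are this example's own.

```python
import ipaddress

# Addresses taken from the page's configuration and debug traces.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
POOL_FIRST = "202.2.2.129"       # pool "public" with overload: the traces only ever use .129
HOST1, SERVER = "192.168.1.8", "192.168.1.13"
SERVER_PUBLIC = "202.2.2.222"


class NatRouter:
    """NAT-Router: fa0/1 is ip nat inside (192.168.1.1), fa0/0 is ip nat outside (202.2.2.1),
    default route via the ISP (202.2.2.2). A hypothetical model of IOS behaviour, not IOS."""

    def __init__(self, static=None):
        self.static = dict(static or {})       # inside local -> inside global (ip nat inside source static)
        # translation table keyed by inside global address; static entries exist from the start
        self.table = {glob: local for local, glob in self.static.items()}
        self.debug = []                        # translations performed, in order

    def forward(self, pkt, in_if):
        pkt = dict(pkt)
        if in_if == "fa0/0" and pkt["dst"] in self.table:
            # outside -> inside: translate the destination before routing
            self.debug.append(f"NAT: d={pkt['dst']}->{self.table[pkt['dst']]}")
            pkt["dst"] = self.table[pkt["dst"]]
        out_if = "fa0/1" if ipaddress.ip_address(pkt["dst"]) in INSIDE_NET else "fa0/0"
        if in_if == "fa0/1" and out_if == "fa0/0":
            # inside -> outside: route first, then translate the source
            # (access-list 101 permits all of 192.168.1.0/24, so every inside source qualifies)
            glob = self.static.get(pkt["src"], POOL_FIRST)
            self.table[glob] = pkt["src"]
            self.debug.append(f"NAT: s={pkt['src']}->{glob}")
            pkt["src"] = glob
        pkt["ttl"] -= 1
        return pkt, out_if


def deliver(pkt, nat, in_if="fa0/1"):
    """Carry one packet through NAT-Router and the ISP until it is delivered to an inside
    host or its TTL expires. The ISP reaches 202.2.2.128/25 via 202.2.2.1, so anything it
    receives on gig0/1 for that block goes straight back out gig0/1 to NAT-Router's fa0/0."""
    hops = 0
    while pkt["ttl"] > 0:
        pkt, out_if = nat.forward(pkt, in_if)
        hops += 1
        if pkt["ttl"] == 0:
            break
        if out_if == "fa0/1":
            return "delivered", pkt, hops
        pkt = dict(pkt, ttl=pkt["ttl"] - 1)    # the ISP hop
        hops += 1
        in_if = "fa0/0"
    return "ttl_expired", pkt, hops


def hairpin_round_trip(static=None, ttl=64):
    """Host1 -> 202.2.2.222 and the server's reply, with or without the static NAT entry."""
    nat = NatRouter(static)
    status, req, hops = deliver({"src": HOST1, "dst": SERVER_PUBLIC, "ttl": ttl}, nat)
    if status != "delivered":
        return {"status": status, "hops": hops}
    # the server answers whatever source it saw (202.2.2.129, Host1's inside global address)
    status, reply, hops2 = deliver({"src": req["dst"], "dst": req["src"], "ttl": ttl}, nat)
    return {"status": status, "request": req, "reply": reply,
            "hops": hops + hops2, "table": dict(nat.table), "debug": list(nat.debug)}


if __name__ == "__main__":
    print(hairpin_round_trip())                                # ttl_expired after 64 hops
    print(hairpin_round_trip(static={SERVER: SERVER_PUBLIC}))  # delivered, reply source 202.2.2.222
```

Without the static entry the request bounces between NAT-Router and the ISP until the TTL reaches zero; with it, the debug list comes out in the same order as the four NAT lines in the traces above (source 192.168.1.8 to 202.2.2.129, destination 202.2.2.222 to 192.168.1.13, source 192.168.1.13 to 202.2.2.222, destination 202.2.2.129 to 192.168.1.8), and every packet crosses the ISP link once in each direction, which is the cost Solution 1 warns about.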

 
