cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
New Contributor

Unable to reach local host with public IP address

Jump to solution

We have a server behind our 3430 firewall on a local IP :192.168.2.202. We have a public IP address that has been configured into a NAT rule in the 3430 and successfully allows connections to the server from the internet. However internal clients on the same private network (192.168.2.xxx) are unable to access the server on their web browsers using the public IP. The public IP does not have a domain name assigned. The clients on the internal network can access the server using its internal address.

The internal network is connected to the eth0 interface on the 3430 and that interface is assigned to the Private security zone. The WAN connection is on interface eth1 and is assigned to the Public security zone. Security zone Public has a policy performing the NAT from the internet to the server on the internal IP.

I attempted to configure the same policy on the Private security zone, believing it would see the public IP request and perform a translation to the local IP but it does not work. We need to provide the internal clients with the ability to access the internal server using the public IP.

Thanks!

-Marco

Labels (2)
Tags (2)
0 Kudos
Reply
1 Solution

Accepted Solutions
Highlighted
Contributor III
Contributor III

Re: Unable to reach local host with public IP address

Jump to solution

Sorry,  I didn't read that one through all the way.  The ACL and policy-class are correct.  What may work well is to add a host entry into the 3430 or your local DNS server that points to the local 192.168.2.202 address.  That hostname should match that of the public hostname associated with your public IP. 

At my installation I have an Active Directory server providing DNS, so I use the LAN address of the 3430 (most likely 192.168.2.1 for your installation) as the primary Forwarder address in DNS.

Then you just enable DNS services in the NetVanta:

ip domain-lookup

ip domain-proxy

then a simple host entry that matches the public hostname

host <hostname> 192.168.2.202

When the client attempts a connection to the computer by the public hostname, DNS will return 192.168.2.202 vs. the public IP as the address.

I hope this makes sense.

R\

View solution in original post

13 Replies
Highlighted
Contributor III
Contributor III

Re: Unable to reach local host with public IP address

Jump to solution

First you need an ACL that allows the selected traffic of your choice to the public IP address.  An example would be tcp 80 for web traffic.

ip access-list ext web.inbound

  remark web traffic to internal computer

   permit tcp any <public IP address> eq 80 log

  ..additional permit/deny statements as needed. 

Then you need to put the NAT statement into the Public policy-class.

ip policy-class Public

  nat destination list web.inbound address 192.168.2.202

0 Kudos
Reply
Highlighted
Contributor III
Contributor III

Re: Unable to reach local host with public IP address

Jump to solution

Sorry,  I didn't read that one through all the way.  The ACL and policy-class are correct.  What may work well is to add a host entry into the 3430 or your local DNS server that points to the local 192.168.2.202 address.  That hostname should match that of the public hostname associated with your public IP. 

At my installation I have an Active Directory server providing DNS, so I use the LAN address of the 3430 (most likely 192.168.2.1 for your installation) as the primary Forwarder address in DNS.

Then you just enable DNS services in the NetVanta:

ip domain-lookup

ip domain-proxy

then a simple host entry that matches the public hostname

host <hostname> 192.168.2.202

When the client attempts a connection to the computer by the public hostname, DNS will return 192.168.2.202 vs. the public IP as the address.

I hope this makes sense.

R\

View solution in original post

Highlighted
New Contributor

Re: Unable to reach local host with public IP address

Jump to solution

Thanks for the info vmaxdawg. We are using the 3430 as our DNS server also. I did try earlier with the host name entries. The problem I have is that the servers don't have a registered hostnames. So even when accessing the servers from the internet the users must use the public IP. So I don't have a way to replace site.com with 192.168.2.202 as you suggest. I think it would work but I don't have a way to implement it on the 3430.

I am confused as to why the policy I set, which I believe should loop around the requests for the external IP to the internal is not working.

0 Kudos
Reply
Highlighted
Contributor III
Contributor III

Re: Unable to reach local host with public IP address

Jump to solution

Ah.  If you need to use the IP vs. hostname, then you may want to consider putting the server on a different interface so you can NAT from both the public and the private.   That way you are always accessing the server by the public IP address.  The interface doesn't need to be in a different policy-class, but it may make sense if you want to better protect the server.

levi, one of Adtran TSE's explains what you can do in another post ( NAT reflection? ).  It might be tricky if you are already using both of your ethernet interfaces on your 3430.  You can always apply 802.1q encapsulation on one of the interfaces and create sub-interfaces on one of the ethernet interfaces. Then connect it to a Layer-2 switch.  I've had success with that. 

I hope it makes sense.

R\

Highlighted
New Contributor

Re: Unable to reach local host with public IP address

Jump to solution

We are not using the 3430 in the intended way. We inherited the 3430 with the office. At the time the router was connected to a T1 line but when we moved in the owner switched service providers. The current provider drops an Ethernet line for us and so we configured the 3430 such that it bridges the internet and our network over the Ethernet ports. Our network is on eth0 and the internet on eth1. I am not a network admin  so I struggle with these issues a bit. Maybe our best solution is to switch out the 3430 for an appropriate router in this configuration.  We are happy with adtran so I'll have to check what they might have available in an all Ethernet router.

0 Kudos
Reply
Highlighted
Anonymous
Not applicable

Re: Unable to reach local host with public IP address

Jump to solution

@red - It may be helpful to see your current configuration to see if there is a workaround for you. If you post it, please remember to remove any sensitive information.

Thanks,

Noor

0 Kudos
Reply
Highlighted
New Contributor

Re: Unable to reach local host with public IP address

Jump to solution

Ok, here is the configuration. I have masked the external ip addresses for security but left the subnet values so they can be tracked in the file.

!

!

! ADTRAN, Inc. OS version 18.02.03.00.E

! Boot ROM version 13.03.00.SB

! Platform: NetVanta 3430, part number 1200820E1

! Serial number LBADTN0829AF814

!

!

hostname "phcs-fw"

enable password encrypted

!

clock timezone -5-Eastern-Time

!

ip subnet-zero

ip classless

ip default-gateway XXX.XXX.XXX.161

ip routing

ipv6 unicast-routing

!

!

ip domain-name "PHCS.OFFICE"

ip domain-proxy

ip name-server 209.18.47.61 209.18.47.62

!

!

no auto-config

!

event-history on

event-history priority notice

logging forwarding on

no logging console

logging forwarding receiver-ip 192.168.2.204

no logging email

logging email priority-level fatal

logging email receiver-ip 192.168.2.204

logging email address-list admin@phcs.office

logging email ip urlfilter top-websites address-list admin@phcs.office

logging email ip urlfilter top-websites send-time 23:59:59

!

service password-encryption

!

username "XXXXX" password encrypted

!

!

ip firewall

ip firewall stealth

no ip firewall alg msn

no ip firewall alg mszone

no ip firewall alg h323

!

!

!

!

aaa on

ftp authentication LoginUseLocalUsers

!

!

aaa authentication login LoginUseRadius group radius

aaa authentication login LoginUseLocalUsers local

aaa authentication login LoginUseLinePass line

!

aaa authentication enable default enable

!

!

!

!

no dot11ap access-point-control

!

!

!

!

ip dhcp-server excluded-address 192.168.0.0

ip dhcp-server excluded-address 192.168.0.255

ip dhcp-server excluded-address 192.168.2.0

ip dhcp-server excluded-address 192.168.2.255

!

ip dhcp-server pool "LISA_I"

  domain-name "PHCS"

  dns-server 192.168.2.1

  default-router 192.168.2.1

  host 192.168.2.200 255.255.255.0

  hardware-address 00:18:8b:73:73:4f ethernet

!

ip dhcp-server pool "STEWIE_I"

  domain-name "PHCS"

  dns-server 192.168.2.1

  default-router 192.168.2.1

  host 192.168.2.202 255.255.255.0

  hardware-address b4:99:ba:aa:e2:5a ethernet

!

ip dhcp-server pool "Private"

  network 192.168.2.0 255.255.255.0

  domain-name "PHCS"

  dns-server 192.168.2.1

  default-router 192.168.2.1

!

ip dhcp-server pool "LISA_E"

  domain-name "PHCS"

  dns-server 192.168.2.1

  default-router 192.168.2.1

  host 192.168.2.201 255.255.255.0

  hardware-address 00:18:8b:73:73:4d ethernet

!

ip dhcp-server pool "STEWIE_E"

  domain-name "PHCS"

  dns-server 192.168.2.1

  default-router 192.168.2.1

  host 192.168.2.203 255.255.255.0

  hardware-address b4:99:ba:aa:e2:5b ethernet

!

ip dhcp-server pool "CopyPrinter"

  domain-name "PHCS"

  dns-server 192.168.2.1

  default-router 192.168.2.1

  host 192.168.2.2 255.255.255.0

  hardware-address bc:b1:81:d4:96:c3 ethernet

!

ip dhcp-server pool "GuestRouter"

  domain-name "GuestNet"

  dns-server 192.168.2.1

  default-router 192.168.2.1

  host 192.168.2.254 255.255.255.0

  hardware-address 00:25:9c:e0:d2:b3 ethernet

!

ip dhcp-server pool "FLEXICAPTURE"

  domain-name "PHCS"

  dns-server 192.168.2.1

  default-router 192.168.2.1

  host 192.168.2.87 255.255.255.0

  hardware-address 70:54:d2:96:64:1b ethernet

  ntp-server 192.168.2.1

!

ip dhcp-server pool "Gordo"

  dns-server 192.168.2.1

  netbios-name-server 192.168.2.1

  default-router 192.168.2.1

  host 192.168.2.204 255.255.255.0

  hardware-address 00:11:32:25:12:33 ethernet

  ntp-server 192.168.2.1

!

ip dhcp-server pool "Gordo2"

  dns-server 192.168.2.1

  netbios-name-server 192.168.2.1

  default-router 192.168.2.1

  host 192.168.2.205 255.255.255.0

  hardware-address 00:11:32:25:12:34 ethernet

  ntp-server 192.168.2.1

!

ip urlfilter Web_Http_Filter http

ip urlfilter exclusive-domain deny "cdn-games.bigfishsites.com"

ip urlfilter exclusive-domain deny "kingsisle.hs.llnwd.net"

ip urlfilter exclusive-domain deny "www.bigfishgames.com"

ip urlfilter exclusive-domain deny "www.gamefudge.com"

ip urlfilter exclusive-domain deny "www.kifreegames.com"

ip urlfilter exclusive-domain deny ""*.facebook.*""

ip urlfilter allowmode

ip urlfilter top-website

!

!

ip crypto

!

crypto ike client configuration pool "Mobile Workers"

  ip-range 192.168.4.1 192.168.4.254

  dns-server 192.168.2.1

!

crypto ike policy 100

!

crypto ike remote-id

!

crypto ipsec transform-set

!

crypto map VPN

!

!

!

ip flow export destination 192.168.2.200 30000

ip flow cache sample one-out-of 50 random

ip flow cache timeout active 15

ip flow top-talkers

  interval 15

  top 20

!

!

no ethernet cfm

!

interface eth 0/1

  description InternalLink

  ip address 192.168.2.1 255.255.255.0

  ip access-policy Private

  ip flow egress

  no awcp

  no shutdown

!

!

interface eth 0/2

  description ExternalLink

  ip address XXX.XXX.XXX.162 255.255.255.248

  ip mtu 1500

  ip address range XXX.XXX.XXX.163 XXX.XXX.XXX.166 255.255.255.248 secondary

  ip access-policy Public

  ip urlfilter Web_Http_Filter out

  crypto map VPN

  ip flow ingress

  no awcp

  no shutdown

!

!

!

!

interface t1 1/1

  description ckt id OC00721554/36HCGS214850GTEN

  shutdown

!

!

!

!

!

!

!

!

ip access-list extended self

  remark Traffic to NetVanta

  permit ip any any log

!

ip access-list extended VPN-10-vpn-selectors7

  permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

!

ip access-list extended web-acl-10

  remark Block Log Me In

  deny ip 69.25.20.0 0.0.0.255 any

  deny ip 77.242.192.0 0.0.0.255 any log

!

ip access-list extended web-acl-11

  remark Internet ---> Gordo

  permit tcp any host XXX.XXX.XXX.165 range 5000 5001 log

  permit tcp any host XXX.XXX.XXX.165 eq 5006 log

  permit tcp any host XXX.XXX.XXX.165 eq 6690 log

!

ip access-list extended web-acl-13

  remark Guest Int ---> Ext

  permit ip 192.168.1.0 0.0.0.255 any

!

ip access-list extended web-acl-14

  remark Block Guest ---> LAN

  permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

!

ip access-list extended web-acl-15

  remark Internet ---> TimeTre...

  permit tcp any host XXX.XXX.XXX.164 eq 8085 log

!

ip access-list extended web-acl-5

  remark EXT ---> LISA

  deny tcp any host XXX.XXX.XXX.163 eq www log

  permit tcp any host XXX.XXX.XXX.163 eq ssh log

  remark Internet ---> LISA_E

  permit tcp any host XXX.XXX.XXX.163 eq https log

  permit tcp any host XXX.XXX.XXX.163 eq 8443 log

  permit tcp any host XXX.XXX.XXX.163 eq 8080 log

  permit tcp any host XXX.XXX.XXX.163 eq 8085 log

!

ip access-list extended web-acl-6

  remark Internet ---> STEWIE_E

  deny tcp any host XXX.XXX.XXX.164 eq www log

  permit tcp any host XXX.XXX.XXX.164 eq ssh log

  permit tcp any host XXX.XXX.XXX.164 eq https log

  permit tcp any host XXX.XXX.XXX.164 eq 8080 log

  permit tcp any host XXX.XXX.XXX.164 eq 8443 log

  permit tcp any host XXX.XXX.XXX.164 range 5900 5903 log

!

ip access-list extended web-acl-7

  remark Int to Ext

  permit ip any any

!

ip access-list extended wizard-remote-access

  remark Admin Access

  permit tcp any any eq https log

  permit tcp any any eq ssh log

  permit tcp any any eq ftp log

  permit icmp any any echo log

!

!

!

!

ip policy-class Private

  allow list VPN-10-vpn-selectors7 stateless

  nat source list web-acl-7 interface eth 0/2 overload

  allow list self self

  discard list web-acl-14

  nat source list web-acl-13 interface eth 0/1 overload

!

ip policy-class Public

  discard list web-acl-10

  allow reverse list VPN-10-vpn-selectors7 stateless

  nat destination list web-acl-6 address 192.168.2.202

  nat destination list web-acl-15 address 192.168.2.202 port 80

  nat destination list web-acl-5 address 192.168.2.200

  nat destination list web-acl-11 address 192.168.2.204

  allow list wizard-remote-access self

!

!

!

ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.161

!

no tftp server

no tftp server overwrite

ip http authentication LoginUseLocalUsers

no ip http server

ip http secure-server

no snmp agent

ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

!

!

!

!

!

!

!

ip sip udp 5060

ip sip tcp 5060

!

!

!

!

!

!

!

!

!

ip sip proxy grammar contact outbound-server-reference host domain

!

!

!

!

!

!

!

!

!

!

line con 0

  password encrypted

!

line telnet 0

  login authentication LoginUseLinePass

  password encrypted

  no shutdown

line telnet 1

  login authentication LoginUseLinePass

  password encrypted

  no shutdown

line telnet 2

  login authentication LoginUseLinePass

  password encrypted

  no shutdown

line telnet 3

  login authentication LoginUseLinePass

  password encrypted

  no shutdown

line telnet 4

  login authentication LoginUseLinePass

  password encrypted

  no shutdown

line ssh 0 4

  no shutdown

!

sntp server ntp.glorb.com

!

!

!

!

end

0 Kudos
Reply
Anonymous
Not applicable

Re: Unable to reach local host with public IP address

Jump to solution

@red - Are you able to put the webserver on a different subnet? For example, say your 3430 LAN port (eth 0/1) plugs into a switch. You can add a secondary subnet to the LAN port and put your webserver in that subnet. Keep in mind, this would require you to update your port forward to reflect the webserver's new internal IP address. Once that is done, you can set up a destination NAT on the Private policy-class to the new internal IP of the webserver. In the example below, the new subnet will be 192.168.3.x. Let's say the webserver now has an internal IP of 192.168.3.202. The configuration would look something like this:

interface eth 0/1

  description InternalLink

  ip address 192.168.2.1 255.255.255.0

  ip address 192.168.3.1 255.255.255.0 secondary

  ip access-policy Private

  ip flow egress

  no awcp

  no shutdown

ip access-list extended InternalWeb

permit ip any host XXX.XXX.XXX.164 log

ip policy-class Private

  allow list VPN-10-vpn-selectors7 stateless

  nat destination list InternalWeb address 192.168.3.202

  nat source list web-acl-7 interface eth 0/2 overload

  allow list self self

  discard list web-acl-14

  nat source list web-acl-13 interface eth 0/1 overload

Let us know if you have any questions.

Thanks,

Noor

Highlighted
New Contributor

Re: Unable to reach local host with public IP address

Jump to solution

OK, I think I see where you are going with this. I will try this next time I am on site and will report back to the thread.

Thanks!

0 Kudos
Reply