13 Replies Latest reply on Oct 7, 2014 6:05 AM by red

    Unable to reach local host with public IP address

    red New Member

      We have a server behind our 3430 firewall on a local IP: 192.168.2.202. We have a public IP address that has been configured into a NAT rule in the 3430 and successfully allows connections to the server from the internet. However, internal clients on the same private network (192.168.2.xxx) are unable to access the server in their web browsers using the public IP. The public IP does not have a domain name assigned. The clients on the internal network can access the server using its internal address.

       

      The internal network is connected to the eth0 interface on the 3430 and that interface is assigned to the Private security zone. The WAN connection is on interface eth1 and is assigned to the Public security zone. Security zone Public has a policy performing the NAT from the internet to the server on the internal IP.

       

      I attempted to configure the same policy on the Private security zone, believing it would see the public IP request and perform a translation to the local IP but it does not work. We need to provide the internal clients with the ability to access the internal server using the public IP.

       

      Thanks!

       

      -Marco

        • Re: Unable to reach local host with public IP address
          vmaxdawg05 Past_Featured_Member

          First you need an ACL that allows the selected traffic of your choice to the public IP address.  An example would be tcp 80 for web traffic.

           

          ip access-list ext web.inbound

            remark web traffic to internal computer

             permit tcp any <public IP address> eq 80 log

            ..additional permit/deny statements as needed. 

           

          Then you need to put the NAT statement into the Public policy-class.

           

          ip policy-class Public

            nat destination list web.inbound address 192.168.2.202

            • Re: Unable to reach local host with public IP address
              vmaxdawg05 Past_Featured_Member

              Sorry, I didn't read that one through all the way. The ACL and policy-class are correct. What may work well is to add a host entry into the 3430 or your local DNS server that points to the local 192.168.2.202 address. That hostname should match that of the public hostname associated with your public IP.

               

              At my installation I have an Active Directory server providing DNS, so I use the LAN address of the 3430 (most likely 192.168.2.1 for your installation) as the primary Forwarder address in DNS.

               

              Then you just enable DNS services in the NetVanta:

               

              ip domain-lookup

              ip domain-proxy

               

              then a simple host entry that matches the public hostname

               

              host <hostname> 192.168.2.202

               

              When the client attempts a connection to the computer by the public hostname, DNS will return 192.168.2.202 vs. the public IP as the address.

               

              I hope this makes sense.

               

              R\

                • Re: Unable to reach local host with public IP address
                  red New Member

                  Thanks for the info vmaxdawg. We are using the 3430 as our DNS server also. I did try earlier with the host name entries. The problem I have is that the servers don't have registered hostnames. So even when accessing the servers from the internet the users must use the public IP. So I don't have a way to replace site.com with 192.168.2.202 as you suggest. I think it would work but I don't have a way to implement it on the 3430.

                   

                   

                  I am confused as to why the policy I set, which I believe should loop around the requests for the external IP to the internal is not working.

                    • Re: Unable to reach local host with public IP address
                      vmaxdawg05 Past_Featured_Member

                      Ah. If you need to use the IP vs. hostname, then you may want to consider putting the server on a different interface so you can NAT from both the public and the private. That way you are always accessing the server by the public IP address. The interface doesn't need to be in a different policy-class, but it may make sense if you want to better protect the server.

                       

                      levi, one of Adtran's TSEs, explains what you can do in another post (NAT reflection?). It might be tricky if you are already using both of your ethernet interfaces on your 3430. You can always apply 802.1q encapsulation on one of the interfaces and create sub-interfaces on one of the ethernet interfaces. Then connect it to a Layer-2 switch. I've had success with that.

                       

                      I hope it makes sense.

                       

                      R\

                        • Re: Unable to reach local host with public IP address
                          red New Member

                          We are not using the 3430 in the intended way. We inherited the 3430 with the office. At the time the router was connected to a T1 line, but when we moved in the owner switched service providers. The current provider drops an Ethernet line for us, and so we configured the 3430 such that it bridges the internet and our network over the Ethernet ports. Our network is on eth0 and the internet on eth1. I am not a network admin, so I struggle with these issues a bit. Maybe our best solution is to switch out the 3430 for an appropriate router in this configuration. We are happy with Adtran, so I'll have to check what they might have available in an all-Ethernet router.

                            • Re: Unable to reach local host with public IP address
                              Employee

                              @red - It may be helpful to see your current configuration to see if there is a workaround for you. If you post it, please remember to remove any sensitive information.

                               

                              Thanks,

                              Noor

                                • Re: Unable to reach local host with public IP address
                                  red New Member

                                  Ok, here is the configuration. I have masked the external ip addresses for security but left the subnet values so they can be tracked in the file.

                                   

                                  !

                                  !

                                  ! ADTRAN, Inc. OS version 18.02.03.00.E

                                  ! Boot ROM version 13.03.00.SB

                                  ! Platform: NetVanta 3430, part number 1200820E1

                                  ! Serial number LBADTN0829AF814

                                  !

                                  !

                                  hostname "phcs-fw"

                                  enable password encrypted

                                  !

                                  clock timezone -5-Eastern-Time

                                  !

                                  ip subnet-zero

                                  ip classless

                                  ip default-gateway XXX.XXX.XXX.161

                                  ip routing

                                  ipv6 unicast-routing

                                  !

                                  !

                                  ip domain-name "PHCS.OFFICE"

                                  ip domain-proxy

                                  ip name-server 209.18.47.61 209.18.47.62

                                  !

                                  !

                                  no auto-config

                                  !

                                  event-history on

                                  event-history priority notice

                                  logging forwarding on

                                  no logging console

                                  logging forwarding receiver-ip 192.168.2.204

                                  no logging email

                                  logging email priority-level fatal

                                  logging email receiver-ip 192.168.2.204

                                  logging email address-list admin@phcs.office

                                  logging email ip urlfilter top-websites address-list admin@phcs.office

                                  logging email ip urlfilter top-websites send-time 23:59:59

                                  !

                                  service password-encryption

                                  !

                                  username "XXXXX" password encrypted

                                  !

                                  !

                                  ip firewall

                                  ip firewall stealth

                                  no ip firewall alg msn

                                  no ip firewall alg mszone

                                  no ip firewall alg h323

                                  !

                                  !

                                  !

                                  !

                                  aaa on

                                  ftp authentication LoginUseLocalUsers

                                  !

                                  !

                                  aaa authentication login LoginUseRadius group radius

                                  aaa authentication login LoginUseLocalUsers local

                                  aaa authentication login LoginUseLinePass line

                                  !

                                  aaa authentication enable default enable

                                  !

                                  !

                                  !

                                  !

                                  no dot11ap access-point-control

                                  !

                                  !

                                  !

                                  !

                                  ip dhcp-server excluded-address 192.168.0.0

                                  ip dhcp-server excluded-address 192.168.0.255

                                  ip dhcp-server excluded-address 192.168.2.0

                                  ip dhcp-server excluded-address 192.168.2.255

                                  !

                                  ip dhcp-server pool "LISA_I"

                                    domain-name "PHCS"

                                    dns-server 192.168.2.1

                                    default-router 192.168.2.1

                                    host 192.168.2.200 255.255.255.0

                                    hardware-address 00:18:8b:73:73:4f ethernet

                                  !

                                  ip dhcp-server pool "STEWIE_I"

                                    domain-name "PHCS"

                                    dns-server 192.168.2.1

                                    default-router 192.168.2.1

                                    host 192.168.2.202 255.255.255.0

                                    hardware-address b4:99:ba:aa:e2:5a ethernet

                                  !

                                  ip dhcp-server pool "Private"

                                    network 192.168.2.0 255.255.255.0

                                    domain-name "PHCS"

                                    dns-server 192.168.2.1

                                    default-router 192.168.2.1

                                  !

                                  ip dhcp-server pool "LISA_E"

                                    domain-name "PHCS"

                                    dns-server 192.168.2.1

                                    default-router 192.168.2.1

                                    host 192.168.2.201 255.255.255.0

                                    hardware-address 00:18:8b:73:73:4d ethernet

                                  !

                                  ip dhcp-server pool "STEWIE_E"

                                    domain-name "PHCS"

                                    dns-server 192.168.2.1

                                    default-router 192.168.2.1

                                    host 192.168.2.203 255.255.255.0

                                    hardware-address b4:99:ba:aa:e2:5b ethernet

                                  !

                                  ip dhcp-server pool "CopyPrinter"

                                    domain-name "PHCS"

                                    dns-server 192.168.2.1

                                    default-router 192.168.2.1

                                    host 192.168.2.2 255.255.255.0

                                    hardware-address bc:b1:81:d4:96:c3 ethernet

                                  !

                                  ip dhcp-server pool "GuestRouter"

                                    domain-name "GuestNet"

                                    dns-server 192.168.2.1

                                    default-router 192.168.2.1

                                    host 192.168.2.254 255.255.255.0

                                    hardware-address 00:25:9c:e0:d2:b3 ethernet

                                  !

                                  ip dhcp-server pool "FLEXICAPTURE"

                                    domain-name "PHCS"

                                    dns-server 192.168.2.1

                                    default-router 192.168.2.1

                                    host 192.168.2.87 255.255.255.0

                                    hardware-address 70:54:d2:96:64:1b ethernet

                                    ntp-server 192.168.2.1

                                  !

                                  ip dhcp-server pool "Gordo"

                                    dns-server 192.168.2.1

                                    netbios-name-server 192.168.2.1

                                    default-router 192.168.2.1

                                    host 192.168.2.204 255.255.255.0

                                    hardware-address 00:11:32:25:12:33 ethernet

                                    ntp-server 192.168.2.1

                                  !

                                  ip dhcp-server pool "Gordo2"

                                    dns-server 192.168.2.1

                                    netbios-name-server 192.168.2.1

                                    default-router 192.168.2.1

                                    host 192.168.2.205 255.255.255.0

                                    hardware-address 00:11:32:25:12:34 ethernet

                                    ntp-server 192.168.2.1

                                  !

                                  ip urlfilter Web_Http_Filter http

                                  ip urlfilter exclusive-domain deny "cdn-games.bigfishsites.com"

                                  ip urlfilter exclusive-domain deny "kingsisle.hs.llnwd.net"

                                  ip urlfilter exclusive-domain deny "www.bigfishgames.com"

                                  ip urlfilter exclusive-domain deny "www.gamefudge.com"

                                  ip urlfilter exclusive-domain deny "www.kifreegames.com"

                                  ip urlfilter exclusive-domain deny ""*.facebook.*""

                                  ip urlfilter allowmode

                                  ip urlfilter top-website

                                  !

                                  !

                                  ip crypto

                                  !

                                  crypto ike client configuration pool "Mobile Workers"

                                    ip-range 192.168.4.1 192.168.4.254

                                    dns-server 192.168.2.1

                                  !

                                  crypto ike policy 100

                                   

                                  !

                                  crypto ike remote-id

                                  !

                                  crypto ipsec transform-set

                                  !

                                  crypto map VPN

                                  !

                                  !

                                  !

                                  ip flow export destination 192.168.2.200 30000

                                  ip flow cache sample one-out-of 50 random

                                  ip flow cache timeout active 15

                                  ip flow top-talkers

                                    interval 15

                                    top 20

                                  !

                                  !

                                  no ethernet cfm

                                  !

                                  interface eth 0/1

                                    description InternalLink

                                    ip address 192.168.2.1 255.255.255.0

                                    ip access-policy Private

                                    ip flow egress

                                    no awcp

                                    no shutdown

                                  !

                                  !

                                  interface eth 0/2

                                    description ExternalLink

                                    ip address XXX.XXX.XXX.162 255.255.255.248

                                    ip mtu 1500

                                    ip address range XXX.XXX.XXX.163 XXX.XXX.XXX.166 255.255.255.248 secondary

                                    ip access-policy Public

                                    ip urlfilter Web_Http_Filter out

                                    crypto map VPN

                                    ip flow ingress

                                    no awcp

                                    no shutdown

                                  !

                                  !

                                  !

                                  !

                                  interface t1 1/1

                                    description ckt id OC00721554/36HCGS214850GTEN

                                    shutdown

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  ip access-list extended self

                                    remark Traffic to NetVanta

                                    permit ip any any log

                                  !

                                  ip access-list extended VPN-10-vpn-selectors7

                                    permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

                                  !

                                  ip access-list extended web-acl-10

                                    remark Block Log Me In

                                    deny ip 69.25.20.0 0.0.0.255 any

                                    deny ip 77.242.192.0 0.0.0.255 any log

                                  !

                                  ip access-list extended web-acl-11

                                    remark Internet ---> Gordo

                                    permit tcp any host XXX.XXX.XXX.165 range 5000 5001 log

                                    permit tcp any host XXX.XXX.XXX.165 eq 5006 log

                                    permit tcp any host XXX.XXX.XXX.165 eq 6690 log

                                  !

                                  ip access-list extended web-acl-13

                                    remark Guest Int ---> Ext

                                    permit ip 192.168.1.0 0.0.0.255 any

                                  !

                                  ip access-list extended web-acl-14

                                    remark Block Guest ---> LAN

                                    permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

                                  !

                                  ip access-list extended web-acl-15

                                    remark Internet ---> TimeTre...

                                    permit tcp any host XXX.XXX.XXX.164 eq 8085 log

                                  !

                                  ip access-list extended web-acl-5

                                    remark EXT ---> LISA

                                    deny tcp any host XXX.XXX.XXX.163 eq www log

                                    permit tcp any host XXX.XXX.XXX.163 eq ssh log

                                    remark Internet ---> LISA_E

                                    permit tcp any host XXX.XXX.XXX.163 eq https log

                                    permit tcp any host XXX.XXX.XXX.163 eq 8443 log

                                    permit tcp any host XXX.XXX.XXX.163 eq 8080 log

                                    permit tcp any host XXX.XXX.XXX.163 eq 8085 log

                                  !

                                  ip access-list extended web-acl-6

                                    remark Internet ---> STEWIE_E

                                    deny tcp any host XXX.XXX.XXX.164 eq www log

                                    permit tcp any host XXX.XXX.XXX.164 eq ssh log

                                    permit tcp any host XXX.XXX.XXX.164 eq https log

                                    permit tcp any host XXX.XXX.XXX.164 eq 8080 log

                                    permit tcp any host XXX.XXX.XXX.164 eq 8443 log

                                    permit tcp any host XXX.XXX.XXX.164 range 5900 5903 log

                                  !

                                  ip access-list extended web-acl-7

                                    remark Int to Ext

                                    permit ip any any

                                  !

                                  ip access-list extended wizard-remote-access

                                    remark Admin Access

                                    permit tcp any any eq https log

                                    permit tcp any any eq ssh log

                                    permit tcp any any eq ftp log

                                    permit icmp any any echo log

                                  !

                                  !

                                  !

                                  !

                                  ip policy-class Private

                                    allow list VPN-10-vpn-selectors7 stateless

                                    nat source list web-acl-7 interface eth 0/2 overload

                                    allow list self self

                                    discard list web-acl-14

                                    nat source list web-acl-13 interface eth 0/1 overload

                                  !

                                  ip policy-class Public

                                    discard list web-acl-10

                                    allow reverse list VPN-10-vpn-selectors7 stateless

                                    nat destination list web-acl-6 address 192.168.2.202

                                    nat destination list web-acl-15 address 192.168.2.202 port 80

                                    nat destination list web-acl-5 address 192.168.2.200

                                    nat destination list web-acl-11 address 192.168.2.204

                                    allow list wizard-remote-access self

                                  !

                                  !

                                  !

                                  ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.161

                                  !

                                  no tftp server

                                  no tftp server overwrite

                                  ip http authentication LoginUseLocalUsers

                                  no ip http server

                                  ip http secure-server

                                  no snmp agent

                                  ip ftp server

                                  ip ftp server default-filesystem flash

                                  no ip scp server

                                  no ip sntp server

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  ip sip udp 5060

                                  ip sip tcp 5060

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  ip sip proxy grammar contact outbound-server-reference host domain

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  !

                                  line con 0

                                    password encrypted

                                  !

                                  line telnet 0

                                    login authentication LoginUseLinePass

                                    password encrypted

                                    no shutdown

                                  line telnet 1

                                    login authentication LoginUseLinePass

                                    password encrypted

                                    no shutdown

                                  line telnet 2

                                    login authentication LoginUseLinePass

                                    password encrypted

                                    no shutdown

                                  line telnet 3

                                    login authentication LoginUseLinePass

                                    password encrypted

                                    no shutdown

                                  line telnet 4

                                    login authentication LoginUseLinePass

                                    password encrypted

                                    no shutdown

                                  line ssh 0 4

                                    no shutdown

                                  !

                                  sntp server ntp.glorb.com

                                  !

                                  !

                                  !

                                  !

                                  end
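A reviewer's first pass over a config like the one above is to flatten the inbound `nat destination` rules through their ACLs and see exactly which public port lands on which internal host. The script below does that for the `web-acl-6`/`web-acl-15` rules posted in this thread. It is an added example written for this page, not ADTRAN code: it understands only the subset of AOS syntax that appears here (`permit`/`deny` tcp or udp entries with a `host` destination and `eq` or `range` ports, and `nat destination list ... address ... [port ...]`), the `CONFIG` string is a constructed excerpt of the posted config with the same masking, and the set of ports flagged for review is the author's own choice.

```python
"""
Exposure map from the posted NetVanta config: which public IP/port is
destination-NATed to which internal host, derived from the
`ip access-list extended` and `ip policy-class Public` blocks.
Added review tooling for this page; not ADTRAN code. Handles only the
AOS syntax subset that appears in the thread.
"""
import re
from collections import defaultdict

# Constructed excerpt of the config posted in the thread (same XXX masking).
CONFIG = """
ip access-list extended web-acl-15
  remark Internet ---> TimeTre...
  permit tcp any host XXX.XXX.XXX.164 eq 8085 log
!
ip access-list extended web-acl-6
  remark Internet ---> STEWIE_E
  deny tcp any host XXX.XXX.XXX.164 eq www log
  permit tcp any host XXX.XXX.XXX.164 eq ssh log
  permit tcp any host XXX.XXX.XXX.164 eq https log
  permit tcp any host XXX.XXX.XXX.164 eq 8080 log
  permit tcp any host XXX.XXX.XXX.164 eq 8443 log
  permit tcp any host XXX.XXX.XXX.164 range 5900 5903 log
!
ip policy-class Public
  nat destination list web-acl-6 address 192.168.2.202
  nat destination list web-acl-15 address 192.168.2.202 port 80
  allow list wizard-remote-access self
!
"""

NAMED_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21, "telnet": 23}
# Remote-access ports a reviewer wants called out when reachable from `any` (author's list).
REVIEW_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 3389: "rdp", **{p: "vnc" for p in range(5900, 5910)}}

ACE = re.compile(r"(permit|deny) (tcp|udp) (\S+) host (\S+) (?:eq (\S+)|range (\d+) (\d+))")
DNAT = re.compile(r"nat destination list (\S+) address (\S+)(?: port (\d+))?")


def parse_acls(cfg: str) -> dict:
    """{acl name: [(action, src, dst_ip, [ports]), ...]} in configured order."""
    acls, current = defaultdict(list), None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("ip access-list extended "):
            current = line.split()[-1]
            continue
        if line == "!" or current is None:
            current = None
            continue
        m = ACE.match(line)
        if m:  # m[5] is the `eq` port, m[6]/m[7] the `range` bounds
            ports = [NAMED_PORTS.get(m[5]) or int(m[5])] if m[5] else list(range(int(m[6]), int(m[7]) + 1))
            acls[current].append((m[1], m[3], m[4], ports))
    return acls


def parse_dnat(cfg: str, policy: str = "Public") -> list:
    """[(acl, internal_ip, translated_port or None)] from one policy-class."""
    rules, inside = [], False
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("ip policy-class "):
            inside = line.split()[-1] == policy
            continue
        m = DNAT.match(line) if inside else None
        if m:
            rules.append((m[1], m[2], int(m[3]) if m[3] else None))
    return rules


def exposure_map(cfg: str, policy: str = "Public") -> list:
    """One row per permitted public port, flattened through the DNAT rules.
    First match wins within an ACL, so an earlier deny shadows a later permit."""
    acls, rows = parse_acls(cfg), []
    for acl, internal, xlate in parse_dnat(cfg, policy):
        seen = set()
        for action, src, dst, ports in acls.get(acl, []):
            for p in ports:
                if (src, dst, p) in seen:
                    continue
                seen.add((src, dst, p))
                if action == "permit":
                    rows.append({"acl": acl, "src": src, "public": dst, "port": p,
                                 "internal": internal, "internal_port": xlate or p})
    return rows


def needs_review(rows: list) -> list:
    """Rows that expose a remote-access port to any source address."""
    return [dict(r, service=REVIEW_PORTS[r["port"]]) for r in rows
            if r["src"] == "any" and r["port"] in REVIEW_PORTS]


if __name__ == "__main__":
    rows = exposure_map(CONFIG)
    for r in rows:
        print(f'{r["public"]}:{r["port"]:<5} -> {r["internal"]}:{r["internal_port"]}  ({r["acl"]}, src {r["src"]})')
    for r in needs_review(rows):
        print(f'REVIEW: {r["service"]} on {r["public"]}:{r["port"]} is open to any source')
```

Two things the flattened view makes visible that the raw config does not: the `port 80` on the `web-acl-15` rule means external `:8085` is translated to the server's port 80, so "port 8085" never exists on the server; and `web-acl-6` opens ssh and four VNC display ports on the server to any source, which is worth a deliberate decision rather than an inherited default.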

                                    • Re: Unable to reach local host with public IP address
                                      Employee

                                      @red - Are you able to put the webserver on a different subnet? For example, say your 3430 LAN port (eth 0/1) plugs into a switch. You can add a secondary subnet to the LAN port and put your webserver in that subnet. Keep in mind, this would require you to update your port forward to reflect the webserver's new internal IP address. Once that is done, you can set up a destination NAT on the Private policy-class to the new internal IP of the webserver. In the example below, the new subnet will be 192.168.3.x. Let's say the webserver now has an internal IP of 192.168.3.202. The configuration would look something like this:

                                       

                                      interface eth 0/1

                                        description InternalLink

                                        ip address 192.168.2.1 255.255.255.0

                                        ip address 192.168.3.1 255.255.255.0 secondary

                                        ip access-policy Private

                                        ip flow egress

                                        no awcp

                                        no shutdown

                                       

                                      ip access-list extended InternalWeb

                                      permit ip any host XXX.XXX.XXX.164 log

                                       

                                      ip policy-class Private

                                        allow list VPN-10-vpn-selectors7 stateless

                                        nat destination list InternalWeb address 192.168.3.202

                                        nat source list web-acl-7 interface eth 0/2 overload

                                        allow list self self

                                        discard list web-acl-14

                                        nat source list web-acl-13 interface eth 0/1 overload

                                       

                                      Let us know if you have any questions.

                                       

                                      Thanks,

                                      Noor

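The reason red's destination NAT on the Private policy-class could not work on its own, and why Noor's secondary subnet does, comes down to the path the server's reply takes. The model below is an added example written for this page, not AOS code and not a claim about the NetVanta's internals: it simulates a stateful NAT firewall and a host's forwarding decision, then runs the start of a TCP handshake for an internet client, a LAN client on the same /24 as the server, and a LAN client with the server on Noor's 192.168.3.0/24. The fourth case goes beyond the thread and shows the general hairpin fix of also source-NATing the flow to the firewall's LAN address. Addresses are constructed: 198.51.100.164 stands in for the masked XXX.XXX.XXX.164, and the client port is arbitrary.

```python
"""
Model of the hairpin problem in this thread: a LAN client sends to the
public IP, the firewall rewrites the destination to the server, and the
outcome depends on whether the server's reply passes back through the
firewall. Added, simplified model for this page; not AOS code.
"""
from dataclasses import dataclass, replace
import ipaddress

PUBLIC_IP = "198.51.100.164"         # RFC 5737 test address in place of XXX.XXX.XXX.164
FW_LAN_IP = "192.168.2.1"            # eth 0/1 address from the posted config
PUBLIC_PORT, SERVER_PORT = 8085, 80  # web-acl-15: public :8085 -> 192.168.2.202:80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    kind: str  # "SYN" from the client, "SYN-ACK" from the server


class Firewall:
    """Destination NAT for one published service, with optional source NAT on
    the hairpinned flow (the general fix; not something this thread configures)."""

    def __init__(self, server_ip: str, hairpin_snat: bool):
        self.server_ip = server_ip
        self.hairpin_snat = hairpin_snat
        self.sessions: dict[tuple, Packet] = {}  # expected reply 4-tuple -> original SYN

    def forward(self, pkt: Packet) -> Packet:
        if pkt.kind == "SYN" and (pkt.dst, pkt.dport) == (PUBLIC_IP, PUBLIC_PORT):
            new_src = FW_LAN_IP if self.hairpin_snat else pkt.src
            out = replace(pkt, src=new_src, dst=self.server_ip, dport=SERVER_PORT)
            self.sessions[(out.dst, out.dport, out.src, out.sport)] = pkt
            return out
        if pkt.kind == "SYN-ACK":
            orig = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if orig is not None:  # undo both rewrites so the client sees PUBLIC_IP:8085 -> itself
                return replace(pkt, src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)
        return pkt  # not a NATed flow: routed unchanged


def deliver(pkt: Packet, sender_net: ipaddress.IPv4Network, fw: Firewall) -> Packet:
    """Host forwarding decision: an on-subnet destination is reached directly at
    layer 2 and never touches the firewall; anything else goes to the gateway."""
    if pkt.dst != FW_LAN_IP and ipaddress.ip_address(pkt.dst) in sender_net:
        return pkt
    return fw.forward(pkt)


def attempt(client_ip: str, client_net: str, server_ip: str, server_net: str,
            hairpin_snat: bool = False) -> str:
    """Simulate the start of one TCP handshake from client to PUBLIC_IP:PUBLIC_PORT."""
    fw = Firewall(server_ip, hairpin_snat)
    cnet, snet = ipaddress.ip_network(client_net), ipaddress.ip_network(server_net)
    syn = Packet(client_ip, PUBLIC_IP, 51515, PUBLIC_PORT, "SYN")  # 51515: arbitrary client port
    at_server = deliver(syn, cnet, fw)
    if at_server.dst != server_ip:
        return "no connection: SYN never reached the server"
    # the server answers whatever source address it saw on the SYN
    synack = Packet(server_ip, at_server.src, SERVER_PORT, at_server.sport, "SYN-ACK")
    at_client = deliver(synack, snet, fw)
    wanted = (PUBLIC_IP, PUBLIC_PORT, client_ip, 51515)
    if (at_client.src, at_client.sport, at_client.dst, at_client.dport) == wanted:
        return "connected"
    # the client has no socket for this 4-tuple, so its stack answers with RST
    return f"reset: expected reply from {PUBLIC_IP}:{PUBLIC_PORT}, got {at_client.src}:{at_client.sport}"


if __name__ == "__main__":
    print("internet client      :", attempt("203.0.113.7", "203.0.113.0/24", "192.168.2.202", "192.168.2.0/24"))
    print("LAN, same subnet     :", attempt("192.168.2.50", "192.168.2.0/24", "192.168.2.202", "192.168.2.0/24"))
    print("LAN, server on .3/24 :", attempt("192.168.2.50", "192.168.2.0/24", "192.168.3.202", "192.168.3.0/24"))
    print("LAN, hairpin SNAT    :", attempt("192.168.2.50", "192.168.2.0/24", "192.168.2.202", "192.168.2.0/24", True))
```

In the same-subnet case the SYN is rewritten correctly, but the server's SYN-ACK is addressed to 192.168.2.50, which is on its own subnet, so it goes straight to the client at layer 2 and the firewall never gets the chance to restore the public address; the client sees a reply from 192.168.2.202:80 for a connection it opened to 198.51.100.164:8085 and resets it. Moving the server to 192.168.3.0/24 forces the reply back through the gateway, which is the whole effect of Noor's secondary subnet. The source-NAT variant works on one subnet but costs the server the real client address in its logs, so a split-horizon DNS entry, as vmaxdawg05 suggested, is usually the cleaner option where a hostname exists.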
                        • Re: Unable to reach local host with public IP address
                          levi Employee

                          Red:

                           

                          I went ahead and flagged this post as "Assumed Answered." If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                          Thanks,

                           

                          Levi

                          • Re: Unable to reach local host with public IP address
                            red New Member

                            I finally made it to where I could attend to this issue.... I went with vmaxdawg05's original suggestion of the domain and the hostname entries. It works but I do agree with petersjncv that it feels like a workaround.