Intranet Users Cannot Access the Intranet Server Using the Public IP Address After NAT Server Is Configured on the AR G3 Router

Publication Date: 2015-06-09
Issue Description
As shown in the following figure, an enterprise uses an AR G3 router as its egress router. Outbound NAT is configured on the router so that intranet users can access Internet services. In addition, NAT server is configured on the router to translate the web server's "private IP address + port number" into a "public IP address + port number", so that the web server can serve Internet users. The carrier has assigned only one public IP address to this enterprise; it is both the IP address of the outbound interface on the AR G3 router and the public address that outbound NAT and NAT server map to.



The NAT configuration is as follows:
#
interface GigabitEthernet3/0/0
ip address 202.12.111.1 255.255.252.0
nat server protocol tcp global current-interface www inside 192.168.1.100 www
nat outbound 2000
#
acl number 2000
rule 10 permit source 192.168.0.0 0.0.0.255
#

Currently, intranet users cannot access the intranet web server using the server's public IP address.
Handling Process
Solution 1:

If the web server can be accessed using its domain name (www.abc.com) and a DNS server is deployed on the intranet, add the A record "www.abc.com 192.168.1.100" on that DNS server.

When an intranet user accesses the intranet web server by its domain name, the user's terminal asks the DNS server for the IP address of that name. The intranet DNS server answers with the web server's private IP address, so the terminal connects to 192.168.1.100 directly and the NAT server entry on the router is never involved.

Solution 2:

If the web server can be accessed using the domain name (www.abc.com) but no DNS server is deployed on the intranet, configure NAT ALG and DNS mapping on the AR G3 router.

The configuration is as follows:

nat alg dns enable
nat dns-map www.abc.com 202.12.111.1 80 tcp

When an intranet user accesses the web server by its domain name, the user's terminal queries the Internet DNS server, which holds the public IP address for that name. When the DNS response passes through the AR G3 router, the router looks up the domain name in the DNS mapping table, finds the public IP address bound to that name, identifies the web server behind the public address from the NAT server entry, and replaces the public IP address in the DNS response with the web server's private IP address. The intranet user then connects to the private IP address carried in the response and reaches the web server directly.
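The rewrite that NAT ALG performs on the DNS response, shown as an added worked example in Python (not Huawei code and not part of this article). The mapping table is taken from the page's dns-map and NAT server entries (www.abc.com, 202.12.111.1, 192.168.1.100); the DNS response bytes are constructed inside the block so it runs offline, and the helper names (`read_name`, `a_records`, `rewrite_response`, `build_response`) are this example's own.

```python
"""Model of the DNS ALG + dns-map step: find A records in a DNS response and,
where (owner name, public address) is in the mapping table, write the inside
address into the answer. Added example, not VRP code."""
import struct
from ipaddress import IPv4Address

# Mapping from the page: 'nat dns-map www.abc.com 202.12.111.1 80 tcp' plus the
# NAT server entry that binds 202.12.111.1:80 to 192.168.1.100.
DNS_MAP = {"www.abc.com": ("202.12.111.1", "192.168.1.100")}


def read_name(msg, off):
    """Decode the domain name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset of the first byte after the name as written at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            hops += 1
            if hops > 16:                              # guard against pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                          # a pointer terminates the name here
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def a_records(msg):
    """Yield (owner name, rdata offset, IPv4 address) for each A record in the answer section."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            yield name, off, str(IPv4Address(bytes(msg[off:off + 4])))
        off += rdlen


def rewrite_response(msg, dns_map=DNS_MAP):
    """Apply the dns-map: where an A record's (name, address) pair is mapped, replace the
    address with the inside address. Returns (new response bytes, list of rewrites)."""
    out, changed = bytearray(msg), []
    for name, off, addr in a_records(msg):
        public, inside = dns_map.get(name, (None, None))
        if addr == public:                             # both name and address must match
            out[off:off + 4] = IPv4Address(inside).packed
            changed.append((name, addr, inside))
    return bytes(out), changed


def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def build_response(name, addr, ttl=300):
    """Construct a sample response (constructed test data, not a capture): one question and
    one A answer whose owner name is a compression pointer to the question name."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(addr).packed
    return header + question + answer


if __name__ == "__main__":
    resp = build_response("www.abc.com", "202.12.111.1")
    new, changed = rewrite_response(resp)
    print("rewritten:", changed, "->", [a for _, _, a in a_records(new)])
```

The lookup is keyed on both the owner name and the public address, which is what the page's table entry expresses: an answer for a different name that happens to carry 202.12.111.1, or an answer for www.abc.com carrying some other address, is left untouched. Because the rewrite changes RDATA in flight, a client that validates DNSSEC signatures would reject the modified answer, which is worth knowing before enabling the ALG on a network with validating resolvers.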

Solution 3:

If a large number of intranet users access the web server by the server's domain name, the CPU usage of the AR G3 router becomes high. This is because NAT ALG is implemented on the control plane: once NAT ALG is enabled, every DNS packet is sent to the ALG module for processing, and a high volume of DNS packets drives up CPU usage.

Therefore, configuring NAT ALG and DNS mapping is not recommended in this case. Instead, configure outbound NAT and NAT server on the intranet-facing interface. Note that with this configuration the web server sees every intranet client with the source address of GE1/0/0 (192.168.1.1), so the server's own access logs cannot tell intranet clients apart.

The configuration is as follows:

#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 202.12.111.1 0
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
nat outbound 3000  //When an intranet host sends a request to 202.12.111.1, Easy IP rewrites the source IP address to the address of GE1/0/0, so that the replies from the intranet web server return through the router instead of going straight to the host.
nat server protocol tcp global 202.12.111.1 www inside 192.168.1.100 www  //When an intranet host sends a request to 202.12.111.1, the NAT server entry on this interface rewrites the destination IP address to the web server's private IP address.

Solution 4:

If the web server has no domain name and is reached only by its IP address, configure a traffic policy that redirects the traffic an intranet PC sends to the web server's public IP address to the carrier's device directly connected to the AR G3 router. On the way out, outbound NAT changes the source IP address of that traffic to the public IP address, and the carrier's device routes it straight back to the AR because the destination is the AR's own public address. The traffic now arrives on the interface where NAT server is configured, so the AR changes the destination IP address to the web server's private IP address. When the web server's response reaches the AR, the AR changes its source IP address to the web server's public IP address based on the NAT server entry and sends it to the carrier's device. The carrier's device sends the response back to the AR, the AR changes the destination IP address to the PC's private IP address based on the NAT server entry, and then sends the response to the intranet PC. The following figure shows how the IP addresses change along the path.



The configuration is as follows (assume that the IP address of the carrier's device directly connected to the AR is 202.12.111.2):

acl number 3000
rule 5 permit ip source 192.168.0.0 0.0.0.255 destination 202.12.111.1 0
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 202.12.111.1 0
#
traffic classifier redirect operator or
if-match acl 3000
#
traffic behavior redirect
redirect ip-nexthop 202.12.111.2
#
traffic policy redirect
classifier redirect behavior redirect
#
interface GigabitEthernet1/0/0
traffic-policy redirect inbound
#
interface GigabitEthernet2/0/0
traffic-policy redirect inbound
Root Cause
The NAT server entry is configured on GE3/0/0, the interface connected to the Internet, so it translates the destination IP address only of packets received on that interface. Traffic from an intranet user to the intranet web server's public IP address enters the AR on the interface connected to the intranet, where no NAT server entry applies, so its destination IP address is not translated.
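The root cause above, and the way solutions 3 and 4 work around it, as an added worked example in Python (a toy forwarding model, not VRP code and not part of this article). It models only the forward path of the request, applies the three rules the page relies on (NAT server on the receiving interface, outbound Easy IP on the sending interface, redirect ip-nexthop before route lookup) and uses the addresses from the page; the address of GE2/0/0 (192.168.0.1/24), the behaviour that the carrier's device returns anything addressed to 202.12.111.1, and the names `Router`, `build_router` and `hairpin` are this example's own assumptions.

```python
"""Toy model of the forwarding rules this page describes, used to show why the
original configuration fails and how solutions 3 and 4 make the hairpin work.
Added example, not VRP code. Request direction only."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PUBLIC_IP = "202.12.111.1"      # from the page
WEB_SERVER = "192.168.1.100"    # from the page
CARRIER = "202.12.111.2"        # from the page (solution 4)


@dataclass
class Interface:
    name: str
    ip: str
    network: str
    wan: bool = False
    nat_server: tuple = None                             # (global ip, port, inside ip)
    nat_outbound: list = field(default_factory=list)     # ACL rules: (source net, dest ip or None)
    redirect: tuple = None                               # (ACL rules, next hop)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int = 80


def acl_match(pkt, rules):
    return any(ip_address(pkt.src) in ip_network(s) and d in (None, pkt.dst) for s, d in rules)


class Router:
    def __init__(self, ifaces):
        self.ifaces = ifaces

    def iface_for(self, ip):
        return next(i for i in self.ifaces if ip_address(ip) in ip_network(i.network))

    def is_own(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def forward(self, pkt, ingress, trace):
        """Process one packet received on `ingress`; return (packet, where it ended up)."""
        orig = pkt     # ACLs are matched on the packet as received, before any translation
        trace.append(f"{ingress.name} rx {pkt.src}->{pkt.dst}:{pkt.dport}")
        # NAT server fires only on the interface it is configured on (the root cause)
        if ingress.nat_server and (pkt.dst, pkt.dport) == ingress.nat_server[:2]:
            pkt = Packet(pkt.src, ingress.nat_server[2], pkt.dport)
            trace.append(f"{ingress.name} nat server dst->{pkt.dst}")
        # policy routing (redirect ip-nexthop) is consulted before the routing table
        if ingress.redirect and acl_match(orig, ingress.redirect[0]):
            egress = self.iface_for(ingress.redirect[1])
            trace.append(f"{ingress.name} redirect to {ingress.redirect[1]} via {egress.name}")
        elif self.is_own(pkt.dst):
            trace.append("dst is the router's own address: no web service here, request fails")
            return pkt, "router"
        else:
            egress = self.iface_for(pkt.dst)
        # outbound NAT on the egress interface (Easy IP: source becomes the interface address)
        if acl_match(orig, egress.nat_outbound):
            pkt = Packet(egress.ip, pkt.dst, pkt.dport)
            trace.append(f"{egress.name} nat outbound src->{pkt.src}")
        # assumption: the carrier routes anything addressed to our own public IP straight back
        if egress.wan and self.is_own(pkt.dst):
            trace.append(f"carrier {CARRIER} returns the packet to {egress.name}")
            return self.forward(pkt, egress, trace)
        trace.append(f"{egress.name} tx {pkt.src}->{pkt.dst}:{pkt.dport}")
        return pkt, pkt.dst


def build_router(solution=None):
    """The page's original configuration, optionally with solution 3 or 4 applied."""
    lan1 = Interface("GE1/0/0", "192.168.1.1", "192.168.1.0/24")
    lan0 = Interface("GE2/0/0", "192.168.0.1", "192.168.0.0/24")          # assumed address
    wan = Interface("GE3/0/0", PUBLIC_IP, "202.12.108.0/22", wan=True,
                    nat_server=(PUBLIC_IP, 80, WEB_SERVER),
                    nat_outbound=[("192.168.0.0/24", None)])               # acl 2000
    if solution == 3:
        lan1.nat_server = (PUBLIC_IP, 80, WEB_SERVER)
        lan1.nat_outbound = [("192.168.1.0/24", PUBLIC_IP)]               # acl 3000
    if solution == 4:
        acl = [("192.168.0.0/24", PUBLIC_IP), ("192.168.1.0/24", PUBLIC_IP)]
        lan1.redirect = lan0.redirect = (acl, CARRIER)
    return Router([lan1, lan0, wan])


def hairpin(host, solution=None):
    """Send host -> PUBLIC_IP:80; return (delivered to, source the server sees, trace)."""
    r = build_router(solution)
    trace = []
    pkt, delivered = r.forward(Packet(host, PUBLIC_IP), r.iface_for(host), trace)
    return delivered, pkt.src, trace


if __name__ == "__main__":
    for sol, host in ((None, "192.168.1.50"), (3, "192.168.1.50"), (4, "192.168.0.10")):
        delivered, src, trace = hairpin(host, sol)
        print(f"solution {sol}: delivered to {delivered}, source {src}\n  " + "\n  ".join(trace))
```

With the original configuration the request is delivered to "router": the destination is the AR's own address and no entry on the LAN interface translates it. With solution 3 the server receives the request from 192.168.1.1, which is the outbound NAT step that keeps the reply flowing through the router; with solution 4 the request goes out to the carrier, comes back in on GE3/0/0 where the NAT server entry applies, and the server sees 202.12.111.1. The model matches ACLs against the packet as received, before either translation, which is how the page's acl 3000 can name the public address even though NAT server rewrites the destination on the same interface.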
Suggestions
If the web server has a domain name, prefer solution 1 or 3. If the web server has no domain name, use solution 3 or 4.
