[panikos@natech.gr]

Hello everybody,

I have a problem setting up a CISCO 2811 router. The configuration of the router is as follows:

1) Inside Interface 0/0 with IP 192.168.1.0
2) Inside Interface 0/1 with IP 192.168.3.0
3) Outside interface with IP 213.5.xxx.xxx

Firewall
On the Inside Interface 0/1 (192.168.3.0) a DMZ is configured and there is only one server (web and e-mail) attached whose IP address is 192.168.3.3

On the other interface (192.168.1.0) the companies LAN is attached.

NAT
NAT translates
1) all the internal IPs to 213.5.xxx.xxx and
2) the web/mail server 192.168.3.3 to an additional public IP 212.89.xxx.xxx


The problem is that when I'm trying to hit the public IP 212.89.xxx.xxx from a computer, member of company's LAN (192.168.1.xxx) I can not, although I can hit any other public IPs on the Internet. That means that from inside the company's LAN I can't visit company's web page or receive e-mails when I use the public IP of the server (as POP3/SMTP/HTTP). Because a lot of the employees are using laptops, they need to access their e-mail accounts either they are inside or outside the company's LAN. So they need to use of the public IP of the server without being needed to change it to the internal IP when they are attached on company's LAN.

Thank you in advance. I would appreciate any help on this problem.

Nikos

[daviddavis]

Can they not talk to the DMZ server using the public IP address? Can they communicate with it using the private 192.168.1.0, network address?

Assuming they can communicate with the email/web server in the DMZ using the private IP but not the public, here is how I solved this type of issue on my network-
- create a DNS entry for the email/web server on the DMZ on your internal DNS server with the same name as the external DNS entry for that server. That way, when the laptops are on the internal LAN, they do a DNS lookup with the internal DNS server and it resolves to the private IP. When they are on the Internet and do a DNS lookup, it resolves to the public IP.

Does that help out?

Thanks,

[royst]

Hi Nikos

You can not access your public IP that is NATed from the outside to an inside address using the public IP. If you are running Active Directory and have a DNS server you can setup DNS pointer to the internal IP of your web and e-mail server.

Hope this helps

[ssckrp]

Hi

When you ping the public IP of web/mail server the PIX will forward the traffic to router as it wont know about the traffic is destinated for its own NATted IP of web/mail server.

Inorder to have PIX to understand that this traffic is for its own NATed IP you need to configure the following in PIX


alias(inside) 212.89.xxx.xxx 192.168.3.3 255.255.255.255


You can verify this from the following URL

http://www.cisco.com/warp/public/110/alias.html

Pls do let me know the feed back as its interesting to know about the status.

With Best Regards

Prabu

[bdesmond-mvp]

You need to be running a seperate DNS infrastructure internally. Setup the zone on there and substitute internal IPs for external and you'll be good to go. This is sometimes referred to as a "split brain" DNS design.

Also, you reference your outside interface being 213.5.x.x and the NATed Ips being 212.89.x.x. I'm assuming your upstream is statically routing that 212.89 block down to you or you're speaking BGP to them?