07-25-2016 04:03 PM - edited 03-07-2019 12:16 AM
Hi,
I'm new to CISCO and have read up a lot on forums and tutorials with regards to setting up a new CISCO 1941 router.
However, I have two issues that are still unresolved:
1) Hairpinning (allowing our mail server 192.168.1.200 to be accessed by its domain name pop.company.com while clients are on the internal network 192.168.1.0). Access to pop.company.com works when clients are NOT on the company's network, and the MX record in public DNS resolves pop.company.com to IP1.IP1.IP1.IP1.
2) Routing VPN internet traffic through gateway GW1.GW1.GW1.GW1 when clients are connected via VPN to the router. Clients connected via VPN can access LAN services, e.g. printer, file servers, etc, however cannot access the internet via GW1.GW1.GW1.GW1.
Any help would be much appreciated!!
These are the network parameters:
Name server 1: NS1.NS1.NS1.NS1
Name server 2: NS2.NS2.NS2.NS2
Public IP address: IP1.IP1.IP1.IP1
Public IP address subnet: SN1.SN1.SN1.SN1
Public IP address gateway: GW1.GW1.GW1.GW1
Router LAN Address: 192.168.1.1
Mail server LAN Address: 192.168.1.200
Internal LAN: 192.168.1.0/24
VPN LAN: 192.168.2.100 to 192.168.2.200
Below is my config:
aaa authentication login default local
aaa authentication login VPNCompany local
aaa authorization exec default local
aaa authorization network CompanyVPN local
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool CompanyLAN-Pool
 network 192.168.1.0 255.255.255.0
 dns-server NS1.NS1.NS1.NS1 NS2.NS2.NS2.NS2
 default-router 192.168.1.1
!
ip domain name Company.local
ip name-server NS1.NS1.NS1.NS1
ip name-server NS2.NS2.NS2.NS2
ip cef
no ipv6 cef
!
ip ssh version 2
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CompanyVPN
 key Compnay
 dns NS1.NS1.NS1.NS1
 domain Company.local
 pool VPNPool
 max-users 10
 netmask 255.255.255.0
crypto isakmp profile ISAKMPPROFILE
   match identity group CompanyVPN
   client authentication list VPNCompany
   isakmp authorization list CompanyVPN
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CompanyVPN
 set transform-set TRANSFORMSET
 set isakmp-profile ISAKMPPROFILE
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Main Router
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description PrimaryWANDesc_PrimaryWAN
 ip address IP1.IP1.IP1.IP1 SN1.SN1.SN1.SN1
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CompanyVPN
!
ip local pool VPNPool 192.168.2.100 192.168.2.200
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.200 465 interface GigabitEthernet0/1 465
ip nat inside source static tcp 192.168.1.200 995 interface GigabitEthernet0/1 995
ip nat inside source static tcp 192.168.1.200 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 192.168.1.200 993 interface GigabitEthernet0/1 993
ip route 0.0.0.0 0.0.0.0 GW1.GW1.GW1.GW1
!
access-list 1 permit any
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input ssh
!
end
08-11-2016 12:20 AM
Hi Michael,
You can use NVI to solve all your issues. See below config:
!
interface GigabitEthernet0/0
 description Main Router
 ip address 192.168.1.1 255.255.255.0
 no ip nat inside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description PrimaryWANDesc_PrimaryWAN
 ip address IP1.IP1.IP1.IP1 SN1.SN1.SN1.SN1
 no ip nat inside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
no ip nat inside source static tcp 192.168.1.200 465 interface GigabitEthernet0/1 465
no ip nat inside source static tcp 192.168.1.200 995 interface GigabitEthernet0/1 995
no ip nat inside source static tcp 192.168.1.200 25 interface GigabitEthernet0/1 25
no ip nat inside source static tcp 192.168.1.200 993 interface GigabitEthernet0/1 993
ip nat source list 1 interface GigabitEthernet0/1 overload
ip nat source static tcp 192.168.1.200 465 interface GigabitEthernet0/1 465
ip nat source static tcp 192.168.1.200 995 interface GigabitEthernet0/1 995
ip nat source static tcp 192.168.1.200 25 interface GigabitEthernet0/1 25
ip nat source static tcp 192.168.1.200 993 interface GigabitEthernet0/1 993
HTH.
Regards,
Terence
08-11-2016 03:31 PM
Hi Terence,
Thank you for the advice.
When I made the above changes, the computers/devices on the LAN could not resolve domain names with the DNS to a website.
On the router, I could ping IP addresses and domain names.
However, on the computers/devices, I could only ping IP addresses. Domain names will not resolve.
Am I missing some other configuration for your changes to work?
FYI, I don't run an internal DNS server, but use a public DNS (NS1.NS1.NS1.NS1) provided by my service provider.
Best regards,
Michael
On the Router:
Company#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/20 ms
Company#ping bing.com
Translating "bing.com"...domain server (NS1.NS1.NS1.NS1) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.79.197.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/32 ms
On a computer:
C:\Users\User>ping bing.com
Ping request could not find host bing.com. Please check the name and try again.
C:\Users\User>ping 204.79.197.200
Pinging 204.79.197.200 with 32 bytes of data:
Reply from 204.79.197.200: bytes=32 time=21ms TTL=116
Reply from 204.79.197.200: bytes=32 time=26ms TTL=116
Reply from 204.79.197.200: bytes=32 time=28ms TTL=116
Reply from 204.79.197.200: bytes=32 time=37ms TTL=116
Ping statistics for 204.79.197.200:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 37ms, Average = 28ms
08-11-2016 09:28 PM
Hi Michael,
Can you ping NS1.NS1.NS1.NS1 & NS2.NS2.NS2.NS2 from the LAN?
Regards,
Terence
08-12-2016 03:10 PM
Hi Terence,
I can ping NS1.NS1.NS1.NS1 and NS2.NS2.NS2.NS2 from LAN.
On LAN, any site in IP address format will work, just not when it's in domain name format.
IP address and domain name formats both work on the router. I did a trace ip on the router using the domain name; the name resolved to an IP, and it shows the traffic being directed via the service provider's gateway GW1.GW1.GW1.GW1.
Best regards,
Michael
On the Router:
Company#ping yahoo.com
Translating "yahoo.com"...domain server (NS1.NS1.NS1.NS1) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 206.190.36.45, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/132/184 ms
Company#trace ip yahoo.com
Type escape sequence to abort.
Tracing the route to yahoo.com (206.190.36.45)
VRF info: (vrf in name/id, vrf out name/id)
1 rrcs-GW1-GW1-GW1-GW1.nyc.biz.rr.com (GW1.GW1.GW1.GW1) 8 msec 12 msec 4 msec
2 * * *
3 tge-0-7-0-5.nycmnya-rtr2.nyc.rr.com (68.173.207.77) 64 msec 32 msec 28 msec
4 agg112.nyquny9101r.nyc.rr.com (68.173.198.18) 28 msec 20 msec 24 msec
5 bu-ether15.nycmny837aw-bcr00.tbone.rr.com (66.109.6.76) 32 msec 36 msec 28 msec
6 205.197.232.13 28 msec 16 msec 24 msec
7 207.88.14.150.ptr.us.xo.net (207.88.14.150) 112 msec 100 msec 100 msec
8 207.88.12.168.ptr.us.xo.net (207.88.12.168) 96 msec 104 msec 96 msec
9 207.88.12.165.ptr.us.xo.net (207.88.12.165) 112 msec 92 msec 100 msec
10 207.88.12.188.ptr.us.xo.net (207.88.12.188) 112 msec 96 msec 112 msec
11 207.88.12.191.ptr.us.xo.net (207.88.12.191) 132 msec 108 msec 100 msec
12 ae1.rcb1.saltlake2-ut.us.xo.net (207.88.12.145) 108 msec 100 msec 100 msec
13 207.88.12.76.ptr.us.xo.net (207.88.12.76) 108 msec 100 msec 100 msec
14 207.88.13.88.ptr.us.xo.net (207.88.13.88) 100 msec 100 msec 100 msec
15 64.3.225.22.ptr.us.xo.net (64.3.225.22) 112 msec 100 msec 100 msec
16 ae-7.pat1.gqb.yahoo.com (216.115.96.45) 108 msec 104 msec
ae-5.pat1.gqb.yahoo.com (216.115.101.111) 112 msec
17 et-18-1-0.msr1.gq1.yahoo.com (66.196.67.103) 112 msec
et-0-0-0.msr1.gq1.yahoo.com (66.196.67.97) 112 msec 116 msec
18 et-19-1-0.clr2-a-gdc.gq1.yahoo.com (67.195.37.99) 96 msec
et-0-0-0.clr2-a-gdc.gq1.yahoo.com (67.195.37.73) 96 msec
et-19-1-0.clr1-a-gdc.gq1.yahoo.com (67.195.37.95) 120 msec
19 et-18-1.fab3-1-gdc.gq1.yahoo.com (67.195.1.81) 100 msec
et-18-1.fab2-1-gdc.gq1.yahoo.com (67.195.1.77) 112 msec
et-18-1.fab4-1-gdc.gq1.yahoo.com (67.195.1.85) 112 msec
20 po-12.bas1-7-prd.gq1.yahoo.com (206.190.32.19) 104 msec
po-14.bas1-7-prd.gq1.yahoo.com (206.190.32.23) 116 msec
po-9.bas1-7-prd.gq1.yahoo.com (206.190.32.13) 104 msec
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
Company#
On the Computer:
C:\Users\User>ping NS1.NS1.NS1.NS1
Pinging NS1.NS1.NS1.NS1 with 32 bytes of data:
Reply from NS1.NS1.NS1.NS1: bytes=32 time=13ms TTL=57
Reply from NS1.NS1.NS1.NS1: bytes=32 time=31ms TTL=57
Reply from NS1.NS1.NS1.NS1: bytes=32 time=23ms TTL=57
Reply from NS1.NS1.NS1.NS1: bytes=32 time=25ms TTL=57
Ping statistics for NS1.NS1.NS1.NS1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 13ms, Maximum = 31ms, Average = 23ms
C:\Users\User>ping yahoo.com
Ping request could not find host yahoo.com. Please check the name and try again.
C:\Users\User>tracert yahoo.com
Unable to resolve target system name yahoo.com.
C:\Users\User>ping 206.190.36.45
Pinging 206.190.36.45 with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=106ms TTL=43
Reply from 206.190.36.45: bytes=32 time=114ms TTL=43
Reply from 206.190.36.45: bytes=32 time=106ms TTL=43
Reply from 206.190.36.45: bytes=32 time=106ms TTL=43
Ping statistics for 206.190.36.45:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 106ms, Maximum = 114ms, Average = 108ms
08-12-2016 07:03 PM
I did an nslookup on the LAN with both configurations:
IP Nat Inside/Outside (my original)
C:\Users\User>nslookup yahoo.com
Server: nycmny-dns-comm-cac-01.rdc-nyc.rr.com
Address: NS1.NS1.NS1.NS1
Non-authoritative answer:
Name: yahoo.com
Addresses: 2001:4998:44:204::a7
2001:4998:58:c02::a9
2001:4998:c:a06::2:4008
98.138.253.109
98.139.183.24
206.190.36.45
IP Nat Enable (your suggestion)
C:\Users\User>nslookup yahoo.com
Server: nycmny-dns-comm-cac-01.rdc-nyc.rr.com
Address: NS1.NS1.NS1.NS1
DNS request timed out.
timeout was 2 seconds.
Name: yahoo.com
Addresses: 2001:4998:58:c02::a9
2001:4998:c:a06::2:4008
2001:4998:44:204::a7
Without the Nat Inside/Outside, the DNS does not seem to resolve LAN domain name lookup.
Thanks again for your time looking into this.
Best regards,
Michael
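The nslookup comparison in the last post shows the pattern worth isolating: ICMP to the resolver gets replies from the LAN, but the DNS request itself times out. A quick way to narrow that down is to send the same A query to the resolver over UDP and over TCP and see which transport gets an answer back; if only one of them fails, the problem is transport-specific rather than a reachability or resolver problem. The script below is an added example for this thread, not Cisco tooling or anything the posters provided. It builds the DNS query and parses the answer by hand so it runs with only the Python standard library; the resolver address NS1.NS1.NS1.NS1, the name yahoo.com and the offline sample response are constructed placeholders.

```python
"""DNS transport probe (added example, not from the thread).

Sends one recursive A query to a resolver over UDP and over TCP and
reports which transport returns an answer. Wire-format helpers are
written out so there are no dependencies beyond the standard library.
"""
import random
import socket
import struct
import sys

# Constructed placeholders: pass real values on the command line.
RESOLVER = "NS1.NS1.NS1.NS1"   # stands in for the provider resolver in the thread
NAME = "yahoo.com"


def encode_name(name):
    """Encode a dotted hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    """Minimal A/IN query: header with RD=1, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, addresses, ttl=60):
    """Construct a standard-query response with one A record per address.
    Used only for offline checking of the parser; constructed, not captured."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)  # QR, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for addr in addresses:
        rdata = socket.inet_aton(addr)
        # 0xC00C = compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp, expected_txid):
    """Return IPv4 addresses from the answer section, checking id and rcode."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"rcode {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4   # skip qtype and qclass
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def query_udp(name, resolver, timeout=2.0):
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def query_tcp(name, resolver, timeout=2.0):
    txid = random.randint(0, 0xFFFF)
    q = build_query(name, txid)
    with socket.create_connection((resolver, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)        # DNS over TCP is length-prefixed
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        data = recv_exact(s, length)
    return parse_a_records(data, txid)


def probe(name, resolver):
    """Try both transports; map transport -> address list or failure text."""
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[transport] = fn(name, resolver)
        except (OSError, ValueError) as exc:      # socket.timeout is an OSError
            results[transport] = f"FAILED: {exc}"
    return results


if __name__ == "__main__":
    # Offline check on a constructed response, then the live probe.
    print("offline parse:", parse_a_records(build_response(0x1234, NAME, ["206.190.36.45"]), 0x1234))
    resolver = sys.argv[1] if len(sys.argv) > 1 else RESOLVER
    name = sys.argv[2] if len(sys.argv) > 2 else NAME
    for transport, outcome in probe(name, resolver).items():
        print(f"{transport.upper()}/53 -> {outcome}")
```

Run it from a LAN host as `python3 dnsprobe.py <resolver-ip> <name>`. A result where TCP/53 answers and UDP/53 times out points at how UDP replies from port 53 are being handled on the path to the resolver, which is a different thing to check than the ping and traceroute results already collected in this thread.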