IP routing using domain

billseymour
Level 1

The host for my current server (Windows Hyper-V machine with four or five VMs) that handles my email and web sites is going away. I'm planning on moving that physical server to my house and using DDNS to route that traffic in. Realize this is very low traffic, so the speeds my ISP provides are likely good enough. I'm going to be dealing with several different domains though, and I want them routed to the correct VMs as they come in, without also losing remote access to my home machines. To do this I need to route incoming traffic based on the domain and subdomain. If I had a single server then it would be simple, because the server itself could take a look at the incoming traffic and pass it off to the appropriate process. Since I will have multiple servers I need that routing to happen with the router instead. An example: incoming traffic that is trying to reach www.example.com would be routed to the internal address of 10.10.10.10, incoming traffic to mail.example.com would be routed to 10.10.10.20. I'm going to use a 2911 with IOS 15.7 to do this. I read that 15.7 was perfectly capable, but I need some hints as to how to handle it. Can anyone help me?

13 Replies

balaji.bandi
Hall of Fame

As a router, it can only do routing and port forwarding based on the IP.

Personally, I suggest all the DDNS names point to the same public IP on the outside, with different A entries in DNS.

Example 

mail.bb.com  -  202.202.202.1  (10.10.10.20)

www.bb.com  -  202.202.202.1  (10.10.10.10)

On the router, when the traffic is coming for WWW (ports 80 and 443), port-forward to 10.10.10.10; the same for SMTP 25, port-forward to 10.10.10.20.

you can use basic NAT config :

https://www.balajibandi.com/?p=1796

The NAT example below should help you (let me know if you need other configuration as well):

ip nat inside source static tcp 10.10.10.10 80 202.202.202.1 80
ip nat inside source static tcp 10.10.10.10 443 202.202.202.1 443
ip nat inside source static tcp 10.10.10.20 25 202.202.202.1 25

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

In my case there will be two different machines that accept port 80 and 443, so that solution will not work. I need the Cisco to see which domain is being asked for in order to forward to the correct machine.

The best I can think of is an NGINX reverse proxy.

BB


billseymour
Level 1

So it looks like I can install that in my Windows environment and configure it to forward connections to the appropriate server based on their target domain. But, if I read between the lines, I'd be better off to launch yet another VM running Linux and do the NGINX there. The Windows build doesn't sound like it's terribly stable.

The issue I see next is that the current servers at my house are on a different subnet than the new server I'm bringing in. So NGINX is going to need to route to those differing subnets. I'll have to set up routing between the subnets in the Cisco. What I think I see happening is an incoming socket request for 443 on myserver.mydomain.com comes in to the Cisco, which routes it to the NGINX machine, which then looks at the myserver.mydomain.com and reroutes to the home server on my local subnet. If instead the request is for 443 on www.example.com the NGINX task routes that to the web server on the old remote subnet.

Draw a small diagram of how your network looks.

Internet --- router --- NGINX --- other hosted domains

DDNS all pointing to the same public IP on the outside.

Your NAT rule sends to only one IP, the NGINX.

You need to do some hands-on testing.

This is the Cisco community, so you may be better off googling the best config or contacting the NGINX forum for more help.

I tested this long ago and it works for the same IP with different domains.

BB


billseymour
Level 1

Let's see if I can get this right...

Internet --- Router -+- mylocaldomain --- Local Server
                     |
                     +- remotedomains -+- Remote web server
                                       |
                                       +- Remote mail server

There is just one public domain pointing at the local server, which is running Windows Server Essentials 2016 and gives a gateway into my local network from remote locations. There are several domains that point to the remote server, some of which are used for both web sites and email, some of which are web sites only. The remote server is running Hyper-V with several VMs to handle its internal Active Directory plus the web and mail servers. The local server is using a different Active Directory environment.

Maybe the solution you were looking for in the OP now looks different to me.

Since you have a router that does not have the capability for domain lookup, my suggestion was an NGINX reverse proxy to fix the issue, assuming all the hosts are behind the router and inside only.

BB


billseymour
Level 1

Okay, I bought the router under the assumption that it would be able to do the job. I will need to route between two subnets on my local network though, so it's not a total waste. I'll set up a VM to run NGINX and work on it from there. Thanks.

billseymour
Level 1

My next step doesn't seem to be working. I now have my internal clients all able to access the internet through one or two NATs. Here's my topology:

Internet --- 2911 -+- mylocaldomain --- Mesh NAT router --- Local Server and clients
                   |
                   +- remotedomains -+- Remote web server
                                     |
                                     +- Remote mail server

I have the local server, and almost all clients on a 172.20.1.0/24 subnet on one port of the 2911, then NATed behind my mesh router. I have the remote web server and remote mail server on a 172.20.0.0/24 subnet on another port on the 2911. Currently I'm only trying to get my email server functioning (Exchange server). When I try to open a telnet session on port 25 from anywhere it fails. When I try to open a browser session on port 80 or 443 it fails. I first thought that the router itself was getting in the way of the browser sessions, so disabled its internal web interface (I'd like to eventually get that back up, but only for internal traffic). Here's the current config:

Using 5913 out of 262136 bytes
!
! Last configuration change at 17:10:06 UTC Tue Apr 30 2024 by billsey
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname seymour_router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip dhcp excluded-address 172.20.0.1
ip dhcp excluded-address 172.20.1.1
ip dhcp excluded-address 172.20.0.248
ip dhcp excluded-address 172.20.0.1 172.20.0.20
!
ip dhcp pool mail-web-pool
import all
network 172.20.0.0 255.255.255.0
default-router 172.20.0.248
dns-server 71.10.216.1 71.10.216.2
lease 0 2
!
ip dhcp pool local-pool
import all
network 172.20.1.0 255.255.255.0
default-router 172.20.1.1
dns-server 71.10.216.1 71.10.216.2
lease 0 2
!
ip domain name mydomain.com
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-806451679
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-806451679
revocation-check none
rsakeypair TP-self-signed-806451679
!
crypto pki certificate chain TP-self-signed-806451679
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO2911/K9 sn FJC2010A1TJ
!
username billsey privilege 15 secret 5 <password>
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description INTERNET_UPLINK
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description INTRANET_MAIL_WEB
ip address 172.20.0.248 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
load-interval 30
duplex auto
speed auto
!
interface GigabitEthernet0/2
description INTRANET_ACCESS
ip address 172.20.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
load-interval 30
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list LAN_SUBNETS interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.20.0.5 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 172.20.0.5 587 interface GigabitEthernet0/1 587
ip nat inside source static tcp 172.20.0.5 110 interface GigabitEthernet0/1 110
ip nat inside source static tcp 172.20.0.5 995 interface GigabitEthernet0/1 995
ip nat inside source static tcp 172.20.0.5 993 interface GigabitEthernet0/1 993
ip nat inside source static tcp 172.20.0.5 143 interface GigabitEthernet0/1 143
ip nat inside source static tcp 172.20.0.5 80 interface GigabitEthernet0/1 80
ip nat inside source static tcp 172.20.0.5 443 interface GigabitEthernet0/1 443
ip nat inside source static udp 172.20.0.5 25 interface GigabitEthernet0/1 25
ip nat inside source static udp 172.20.0.5 80 interface GigabitEthernet0/1 80
ip nat inside source static udp 172.20.0.5 443 interface GigabitEthernet0/1 443
ip nat inside source static udp 172.20.0.5 587 interface GigabitEthernet0/1 587
ip nat inside source static udp 172.20.0.5 110 interface GigabitEthernet0/1 110
ip nat inside source static udp 172.20.0.5 995 interface GigabitEthernet0/1 995
ip nat inside source static udp 172.20.0.5 993 interface GigabitEthernet0/1 993
ip nat inside source static udp 172.20.0.5 143 interface GigabitEthernet0/1 143
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended LAN_SUBNETS
permit ip 172.20.0.0 0.0.0.255 any
permit ip 172.20.1.0 0.0.0.255 any
!
control-plane
!
banner exec ^C
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Everyone has been helpful so far on this journey, hopefully I won't have to ask too many more questions as I get this system up and working. Once I have traffic passing for the email I need to set up a reverse proxy to add the ability to route web traffic that's not earmarked for the mail server to the appropriate internal servers. But, first things first. My email has been down since Saturday.
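Two things in a static port-forward set are worth checking mechanically before troubleshooting on the wire: that the `interface` form of `ip nat inside source static` names the interface marked `ip nat outside` (the router translates that interface's own address, so binding a forward to an inside interface never matches traffic arriving from the Internet), and that no two inside hosts claim the same public protocol/port, which is the limit the thread keeps running into for 80 and 443. The script below is an added example, not from the thread or from Cisco; its sample is a constructed excerpt of the running-config posted above (Gi0/0 outside, Gi0/1 inside, the 25 and 443 forwards on Gi0/1) plus two constructed 443 forwards on Gi0/0 so the collision case shows up too.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt: interface stanzas and static NAT lines as posted in the
# thread, plus two extra 443 forwards on Gi0/0 (constructed) to show a collision.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description INTERNET_UPLINK
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/1
 description INTRANET_MAIL_WEB
 ip address 172.20.0.248 255.255.255.0
 ip nat inside
!
ip nat inside source list LAN_SUBNETS interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.20.0.5 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 172.20.0.5 443 interface GigabitEthernet0/1 443
! constructed: mail server and web server both wanting the public 443
ip nat inside source static tcp 172.20.0.5 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 172.20.0.4 443 interface GigabitEthernet0/0 443
"""

# Only the "interface <name>" form of a static port forward is parsed here.
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")


def nat_roles(config: str) -> Dict[str, str]:
    """Map interface name -> 'inside' / 'outside' from the interface stanzas."""
    roles: Dict[str, str] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "!":                      # stanza separator in show run
            current = None
        elif current and line == "ip nat outside":
            roles[current] = "outside"
        elif current and line == "ip nat inside":
            roles[current] = "inside"
    return roles


def check_static_nat(config: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for the static port forwards in config."""
    roles = nat_roles(config)
    findings: List[Tuple[str, str]] = []
    claims = defaultdict(set)                  # (iface, proto, public port) -> inside hosts
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        proto, host, lport, iface, gport = m.groups()
        if roles.get(iface) != "outside":
            findings.append(("wrong-interface",
                             f"{proto}/{gport} -> {host}:{lport} is bound to {iface} "
                             f"({roles.get(iface, 'unknown')}), not the ip nat outside interface"))
        claims[(iface, proto, gport)].add(host)
    for (iface, proto, gport), hosts in sorted(claims.items()):
        if len(hosts) > 1:
            findings.append(("port-collision",
                             f"{iface} {proto}/{gport} is claimed by {', '.join(sorted(hosts))}; "
                             "one public port can forward to one host, the rest need a reverse proxy"))
    return findings


if __name__ == "__main__":
    for kind, detail in check_static_nat(SAMPLE_CONFIG):
        print(f"{kind}: {detail}")
```

Run against the constructed sample it reports the two Gi0/1-bound forwards and the one 443 collision; run against a config whose forwards all name the outside interface and distinct ports it returns nothing. IOS itself refuses an overlapping static entry at the CLI, so the collision check is mostly useful when reviewing a config file before pasting it in.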

What are the IP addresses of the web and the mail servers ?

The mail server is at 172.20.0.5, the main web server is at 172.20.0.4, the Server Essentials web server is behind the mesh router. Note that until the reverse proxy is up and running I won't be able to get traffic into the web server or the essentials server, since they require the same ports open as the Exchange server does (80 and 443). The reverse proxy will route web traffic as appropriate based on domain name, so mail.mydomain.com will go to 172.20.0.5, www.mydomain.com will go to 172.20.0.4, home.mydomain.com will go through the mesh router, etc.
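The decision the reverse proxy makes, and the router cannot, comes from the first bytes of each connection: the Host header for plain HTTP on port 80, and the server_name (SNI) extension of the TLS ClientHello for port 443, which is sent in the clear before any key exchange, so the proxy can steer HTTPS by name without holding the certificate. The code below is an added example, not from the thread or from NGINX; it uses the hostnames and the 172.20.0.4 / 172.20.0.5 addresses from the post above, while the home.mydomain.com target is an assumed address for the mesh router. It parses both cases over constructed input, including a malformed record.

```python
import struct
from typing import Optional, Tuple

# Constructed routing table from the thread's hostnames and addresses.
# The home.mydomain.com entry is an assumed address for the mesh router.
ROUTES = {
    "mail.mydomain.com": "172.20.0.5",
    "www.mydomain.com": "172.20.0.4",
    "home.mydomain.com": "172.20.1.2",   # assumption
}


def host_from_http(request: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP request (the port 80 case)."""
    head = request.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            return host.split(":")[0].lower() or None
    return None


def sni_from_client_hello(record: bytes) -> Optional[str]:
    """Return server_name from a TLS ClientHello record (the port 443 case).
    Any truncated or malformed record yields None instead of an exception."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                         # record hdr, hs hdr, version, random
        pos += 1 + record[pos]                       # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
        pos += 1 + record[pos]                       # compression methods
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:                        # server_name extension
                list_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
                p = pos + 2
                while p + 3 <= list_end:
                    name_len = struct.unpack_from("!H", record, p + 1)[0]
                    if record[p] == 0:               # host_name entry
                        return record[p + 3:p + 3 + name_len].decode("ascii").lower()
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def pick_backend(first_bytes: bytes, port: int) -> Optional[Tuple[str, int]]:
    """Choose the inside host for a new connection from its first bytes alone."""
    name = host_from_http(first_bytes) if port == 80 else sni_from_client_hello(first_bytes)
    ip = ROUTES.get(name) if name else None
    return (ip, port) if ip else None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello carrying only an SNI extension (demo input)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)        # client_version, random
            + b"\x00"                      # empty session id
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(pick_backend(b"GET / HTTP/1.1\r\nHost: www.mydomain.com\r\n\r\n", 80))
    print(pick_backend(build_client_hello("mail.mydomain.com"), 443))
```

In NGINX the HTTP half is what `server_name` matching in `server` blocks does, and the HTTPS half is what the `stream` module does with `ssl_preread`; the router only ever sees the IP header and port, which is why a single public 443 cannot be split across two inside hosts without this layer in front of them.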

billseymour
Level 1

I accidentally posted this to the wrong thread before, so let me try again...

billseymour
Level 1

Darn it, they added those last two posts to this thread, even though they are asking different questions. Hopefully someone will be monitoring the older threads so I can get an answer.
