Address Translation Frustration

I’ve been pulling my hair out on this, and I’m just about to throw in the towel. Before I do, I figured I would see if anyone out there might know definitively whether that’s a good idea or not.

I’m working with a Cisco 2620. This router has address translation enabled on it, so that services on the internal network can be offered to the external network (the Internet). This is done through statements like this one:

ip nat inside source static 1.1.1.1 2.2.2.2

Where 1.1.1.1 is the internal address and 2.2.2.2 is the external address. This works fine, so long as someone from inside the network does not try to do something involving the address on the outside of the network while they are connected to the internal network. Lost yet?

If I have a laptop, with address 1.1.1.2, and that laptop is generally on the road and accessing the mail server at 2.2.2.2 from outside of the network, there are no problems. Everything works and everyone is happy. But if this user comes into the office, and plugs their laptop into the network, it breaks. No longer can they access mail by using the 2.2.2.2 interface. True, they can change the address to 1.1.1.1, but that takes a bit of training and means they can’t just use DNS to make things work (which would be really nice).

If this was always the case, I would probably have dropped it long ago. But it’s not. When this user at 1.1.1.2 pings the external address of 2.2.2.2, the internal device at 1.1.1.1 responds to them. So ICMP traffic works fine. I suspect this is because ICMP doesn’t really care about source addresses and whatnot, and just sends something back and everyone thinks that everything worked fine.

But if I try to send (TCP 25) or retrieve (TCP 110) mail, and specifically when I try to do so through telnet so I can see what’s happening, it doesn’t work. I do receive an RST ACK in return, which is interesting, as it means the translation is working at least somewhat, but apparently not all the way. If I try to connect to 2.2.2.3, a non-existent device, I don’t get a response at all.

So I’m left seeing some traffic (ICMP) work fine and some traffic (SMTP, POP3) work slightly more than not at all. I’ve checked the access lists ad nauseam, and even removed any filtering from the connections entirely. Inbound and outbound SMTP and POP3 traffic works fine, so long as the sending and receiving devices are not on the same internal subnet. I believe the problem is that the traffic is flowing entirely through the inside interface – it never needs to (and doesn’t) go through the outside interface, so the translation isn’t working quite as I’d like.
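As an added illustration (not from the original post, and not Cisco code), this Python model follows the reasoning above: the request reaches the mail server with its destination rewritten, but because 1.1.1.1 and 1.1.1.2 share a subnet the reply never crosses the outside interface, so its source stays 1.1.1.1; a TCP client rejects a reply whose 4-tuple does not match, while ping only matches identifier and sequence. The 1.1.1.0/24 mask and the 9.9.9.9 road-warrior address are assumptions.

```python
from dataclasses import dataclass
import ipaddress

# Constructed topology using the post's addresses: inside subnet 1.1.1.0/24 (mask assumed),
# static translation 1.1.1.1 <-> 2.2.2.2, and a made-up road-warrior address 9.9.9.9.
INSIDE_NET = ipaddress.ip_network("1.1.1.0/24")
STATIC_OUT_TO_IN = {"2.2.2.2": "1.1.1.1"}
STATIC_IN_TO_OUT = {v: k for k, v in STATIC_OUT_TO_IN.items()}

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "icmp"
    src: str
    dst: str
    sport: int   # TCP source port, or ICMP echo identifier
    dport: int   # TCP destination port, or ICMP echo sequence number

def round_trip(req: Packet) -> Packet:
    """Return the reply as it arrives back at the client that sent `req` to 2.2.2.2."""
    # Destination translation: 2.2.2.2 becomes the mail server's inside address.
    at_server = Packet(req.proto, req.src, STATIC_OUT_TO_IN.get(req.dst, req.dst),
                       req.sport, req.dport)
    # The server answers from its own address; TCP swaps the ports, an echo reply
    # carries the identifier and sequence number of the request unchanged.
    ports = ((at_server.dport, at_server.sport) if req.proto == "tcp"
             else (at_server.sport, at_server.dport))
    reply = Packet(req.proto, at_server.dst, at_server.src, *ports)
    if ipaddress.ip_address(reply.dst) in INSIDE_NET:
        # Client and server share the inside subnet: the reply is switched straight back and
        # never crosses the outside interface, so its source is NOT rewritten to 2.2.2.2.
        return reply
    # Client is on the Internet: the reply leaves via the outside interface, where the
    # inside-source translation rewrites 1.1.1.1 back to 2.2.2.2 as the client expects.
    return Packet(reply.proto, STATIC_IN_TO_OUT.get(reply.src, reply.src), reply.dst,
                  reply.sport, reply.dport)

def client_accepts(sent: Packet, got: Packet) -> bool:
    """Does the client's stack match the reply to the request it sent?"""
    if sent.proto == "tcp":
        # TCP demultiplexes on the full 4-tuple, so a SYN/ACK from 1.1.1.1 does not match
        # a connection opened to 2.2.2.2 (the stack drops it or answers with a RST).
        return (got.src, got.sport, got.dst, got.dport) == (sent.dst, sent.dport, sent.src, sent.sport)
    # ping matches echo replies on identifier and sequence only and ignores the source
    # address, which is why 1.1.1.1 is seen answering a ping sent to 2.2.2.2.
    return (got.sport, got.dport) == (sent.sport, sent.dport)

if __name__ == "__main__":
    for who in ("1.1.1.2", "9.9.9.9"):
        smtp, ping = Packet("tcp", who, "2.2.2.2", 40000, 25), Packet("icmp", who, "2.2.2.2", 1234, 1)
        print(who, "SMTP:", client_accepts(smtp, round_trip(smtp)), "ping:", client_accepts(ping, round_trip(ping)))
```

Running it shows SMTP failing and ping succeeding from 1.1.1.2, and both succeeding from 9.9.9.9.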

Anyone have any ideas?

Update: I don’t care if it’s done in the 2620 or not. If you can think of a way where I can reliably make the address “translate” automatically when connected to the internal network, I’m all ears.


9 responses to “Address Translation Frustration”

  1. Kevin Partridge

    It’s ok. Thank you for your quick response.

  2. Chad Everett

    Hi Kevin – Unfortunately, I did not. Eventually, the problem just went away (actually, I went away, so didn’t have to deal with it any longer). I wish that I had better news, but I was not ever able to get it to work in this particular setup. Sorry!

  3. Kevin Partridge

    Chad, I was wondering if you ever solved this problem? I have the same exact problem and it is killing me. Thank you, any advice would be much appreciated.

  4. Marcus Ramberg

    This is a typical problem with both cisco and fw-1, as well as some other vendors, I guess. It works fine with Netscreen, as well as Linux iptables firewalls.

  5. Chad Everett

    I would actually agree – split DNS isn’t entirely a bad thing. But it’s not (easily) doable, as the DNS isn’t used externally. DNS records for the domain are handled by an outside server. The only time I’d want them not to be is if someone is connected to the internal network (so the internal IP of the mail server would be returned). Unfortunately, in order to do that, I need to duplicate the entire domain in DNS – if I could just create the one “override” record that I need, and others could be looked up on their normal external location, it would be ideal. As of yet, I haven’t managed to get that to work.

  6. Richard Clyne

    I’m not sure that I would regard the split DNS issue as ‘kludgy’. My experience has been that you normally want that sort of set-up so that you can control information available to the internet and only offer names that are required.

  7. Chad Everett

    Actually, the loopback gave me an inkling, and I created a loopback adapter according to some Cisco instructions I found that should do what it’s supposed to, but it still won’t.

    The problem is that I have two separate and distinct companies running off of the same router (out of the same building). Each is on its own subnet. They each have their own mail server inside the network and their own web site outside the network. The mail-to-mail is easy enough: I just set up a smarthost on each side to deliver mail to the other one directly using its private IP address. The problem comes down to the client access.

    If I could make the internal DNS servers “override” the external DNS address for the mail server, that would be beautiful – but I don’t especially want to set up a complete duplicate of the external DNS servers.

    It wouldn’t be so frustrating if the ICMP traffic didn’t work, but since it does, it is driving me crazy.

  8. Peter

    This probably isn’t too helpful, but in my experience I’ve never been able to use external addresses from inside a NATted network. Most of the firewall devices I’ve used seem to disallow this sort of “loopback” traffic, at least over TCP. I’ve seen this on the SMC and Linksys consumer-grade routers I have at home, and it may be true with Cisco as well. I’ve never needed to come up with a workaround for it, though, since I don’t really have any hosts I need to access within our home network.

    Thinking about your situation, one kludgy workaround would be to have two DNS servers, one that the outside world could see, one that only your internal network could see. Next, set up the client to refer to the desired host by a canonical name, e.g. mail.you.org instead of by IP. Then, make the external DNS server’s entry for mail.you.org point to the external IP, and the internal DNS server’s entry point to the internal IP. That way, when moving between networks, the correct IP address would be obtained automatically via DNS.

    This ignores the root problem, of course, which is that you can’t send TCP traffic from the internal network, out of the firewall, and back to the internal network by referring to the external IP address. To solve that problem… I don’t know.

  9. Rob

    I’m not sure if you can do this how you want.
    In the old days, we put a couple batch files on the user’s desktop that changed out their hosts file when they were in the office so mail.domain.tld pointed to the internal IP, and when they left the office the hosts file was blank.
    Now with DNS being used for Active Directory, we have separate internal and external DNS servers. When they’re in the office mail.domain.tld resolves to 1.1.1.1 and when they’re out on the road, the external DNS servers resolve mail.domain.tld to 2.2.2.2. Anything that is using your domain.tld, but only accessible on the outside (i.e. a 3rd-party hosted web site) would have an entry on the internal DNS server pointing to the external IP.