Redirecionamento de porta, comportamento estranho em rede local

leogazio
(usa Debian)

Enviado em 14/03/2013 - 21:48h

Fala povo! Eu tô com um problema esquisito aqui em um roteador Cisco, aqui na nossa rede o IP público é fixo, configurei o redirecionamento das portas usadas no serviço aqui, entre elas a porta 80, aí é que vem a bomba, se eu acesso o meu domínio via http de fora da rede, ou seja, na rua, o redirecionamento funciona perfeitamente e eu consigo a resposta http do servidor pra onde a porta tá sendo redirecionada, normal. Mas se eu tento acessar pelo domínio internamente aqui na rede, ele não aceita a conexão, se o webserver do modem tiver ativado ele aponta pra página do webserver do modem. Eu andei pesquisando aqui e vi que é relacionado ao NAT(o mesmo que nós usamos no redirecionamento da porta). A dúvida é, que regra eu tenho que implementar no NAT pra que seja possível o acesso ao servidor internamente aqui pelo domínio e pingando pelo ip público? DNS apontando pro IP local do servidor não serve no nosso caso aqui por várias razões que vai ser difícil explicar. O modem é o "Cisco 857", segue o arquivo de configuração do modem pra quem quiser dar uma olhada;

Abraços a todos.


Building configuration...

Current configuration : 5451 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2101410903
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2101410903
revocation-check none
rsakeypair TP-self-signed-2101410903
!
!
crypto pki certificate chain TP-self-signed-2101410903
certificate self-signed 01
3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313031 34313039 3033301E 170D3032 30333031 30313437
31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31303134
31303930 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009194 68E36C9A 7D342919 ECEE4688 B1B418B3 53C6817B 300F511D 0AA7341D
1D3E0CE1 16BFA210 2E0AB02E C7330FA8 8616CEEB 6F1BE3C8 8133A4C8 DFD341BD
83759371 0FD67612 131706C0 03BD18A0 07CDCEE0 1C130BF6 AC39FA3B C1867242
EA87116E 5013C9C7 7B7DC454 AB88CFC8 EC31161A 1B5F59B4 0C4836A7 FEDAF57C
61C10203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 391446F0
F85EE341 27069F50 8C9FF9F8 18D1764E 301D0603 551D0E04 16041439 1446F0F8
5EE34127 069F508C 9FF9F818 D1764E30 0D06092A 864886F7 0D010104 05000381
81004D9B E4779E99 0679E0B7 63D63F44 D88D7684 2C24653D 3965D959 77E385A1
559DAECC E3F5B3C5 4A79F6BF 7D37972D E432C84F A17185A0 3B6C2E4B FA63A599
3CBB9A45 C684E183 4058EA87 8D0AB8AE 8DE01AEA 4B25ECD2 35742219 7B160185
0A65E339 C044CDC8 2EA8752A 41469A40 C033FD78 DCBAFB49 2D679316 59757A5F 73F0
quit
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.100 192.168.0.254
!
ip dhcp pool cisco
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.1 192.168.0.1
default-router 192.168.0.1
lease infinite
!
!
ip cef
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
!
!
!
username admin privilege 15 password 0 admin
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip mtu 1452
ip inspect CCP_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username usuario@provedor password 0 senha_provedor
ppp ipcp dns request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.110 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.110 2120 interface Dialer0 2120
ip nat inside source static tcp 192.168.0.110 2121 interface Dialer0 2121
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp any any eq 2121
access-list 101 permit tcp any any eq 2120
access-list 101 permit tcp any any eq www
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq domain any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

andrecanhadas
(usa Debian)

Enviado em 14/03/2013 - 23:00h

Teoricamente isso não funciona, pois seria como sair e voltar pela mesma interface.

A solução para seu caso é simples ou configura um DNS interno apontando o domínio para seu IP interno (aplicação), ou coloca no /etc/hosts:

192.168.1.10  dominio.com.br

 

no Windows o etc/hosts fica em c:\windows\system32\drives\etc\hosts

Se a aplicação estivesse no gateway seria mais facil pois bastaria liberar o INPUT no lo ex:

iptables -A INPUT -i lo -j ACCEPT

 

leogazio
(usa Debian)

Enviado em 15/03/2013 - 02:18h

Obrigado pela ajuda André. E como eu faria usando o Bind? Pode me ajudar? Abc.