[Cisco] Configuring NAT hairpinning/NAT reflection

Question

  • Pieter Kimpen
  • Registered: June 2007
  • Last online: 23-11-2024
Dear fellow tweakers,

I have the following problem, for which I have been looking for a solution for some time now.
I have a cPanel server running with a number of websites on it. It has been running for many years.

Recently I have been running into problems with the curl command. It should return a response for a number of websites.
All I get is the reply "permission denied".

I had opened a ticket with cPanel about this:

Hello,

Thank you for contacting cPanel Technical Support. My name is Alex.

I see you're experiencing issues curl'ing a website hosted on your own server. In this case, this is evidence of a NAT misconfiguration:

Loopback NAT on this IP address appears to be defective

The website appears to be loading fine from my workstation, though:

I am confident the knowledge shared in the above article will guide you towards solving the issue you have outlined in this request. Would you please review the article and let me know if you have any outstanding questions or concerns?

It’s been a pleasure working with you on this issue, and I hope you are satisfied with the experience!

Thank you,
Alex Jankowiak


Fine, OK. So I went looking for a way to solve this at the network level.
There is a Cisco 3845 ISR router in place (because of the many interfaces in use and the price of a new device, it has to last a while longer. A Fortigate firewall is coming at the end of this year).

Below is the current configuration:

code:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco3845
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_auth local
aaa authentication ppp default local
aaa authentication ppp VPDN_AUTH local
aaa authorization exec default local 
!
aaa session-id common
no network-clock-participate slot 1 
no network-clock-participate slot 2 
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip dhcp excluded-address 10.10.10.1
!
!
no ip bootp server
ip domain name 
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 700
ip inspect one-minute low 500
ip inspect one-minute high 1100
ip inspect udp idle-time 200
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 200 block-time 30
ip inspect name firewall icmp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 10 attempts 3 within 10
vpdn enable
vpdn source-ip 195.130.x.x
!
vpdn-group 1
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
appfw policy-name http-inspect
  application http
    content-type-verification match-req-rsp action allow alarm
    max-header-length request 1 response 1 action allow alarm
    max-uri-length 60 action reset alarm
    port-misuse default action reset alarm
    request-method rfc get action allow alarm
    audit-trail on
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4270858707
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4270858707
 revocation-check none
 rsakeypair TP-self-signed-4270858707
!
!

archive
 log config
  logging enable
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any SDM-Transactional-1
 match  dscp af21 
 match  dscp af22 
 match  dscp af23 
class-map match-any SDM-Signaling-1
 match  dscp cs3 
 match  dscp af31 
class-map match-any Voice-Traffic
 match ip dscp ef 
class-map match-any SDM-Routing-1
 match  dscp cs6 
class-map match-any SDM-Voice-1
 match  dscp ef 
class-map match-any Voice-Signal
 match ip dscp cs3 
 match ip dscp af31 
class-map match-any Video
 match ip dscp af41 
class-map match-any SDM-Management-1
 match  dscp cs2 
!
!
policy-map Voip
 class Voice-Traffic
  priority 20
 class Voice-Signal
  bandwidth percent 40
 class Video
 class class-default
  shape average 100000000
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key  address  no-xauth
crypto isakmp key  address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 3600
!
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set l2tppjk esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile VPN_S
 set transform-set ESP-AES128-SHA 
!
!
crypto dynamic-map l2tppjk-map 10
 set nat demux
 set transform-set l2tppjk 
!
!
crypto map cisco 10 ipsec-isakmp dynamic l2tppjk-map 
!
!
!
!
interface Tunnel0
 description "VPN S"
 ip unnumbered GigabitEthernet0/0
 tunnel source 195.130.x.x
 tunnel destination x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_S
!
interface GigabitEthernet0/0
 description De buitenwereld WAN
 ip address 195.130.x.x 255.255.255.248
 ip access-group 120 in
 ip verify unicast source reachable-via rx allow-default 102
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect autosec_inspect out
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 no mop enabled
 crypto map cisco
!
interface GigabitEthernet0/1
 description "Lokaal LAN"
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface GigabitEthernet0/1/0
 description "reserve"
 no ip address
 ip access-group 120 in
 ip verify unicast source reachable-via rx allow-default 102
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect autosec_inspect out
 ip virtual-reassembly
 no ip mroute-cache
 shutdown
 negotiation auto
 no cdp enable
 no mop enabled
 crypto map cisco
!
interface FastEthernet1/0
 description "Guest network LAN interface"
 ip address 10.10.20.1 255.255.255.0
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet1/1
 description "Voice VLAN interface"
 ip address 10.10.30.1 255.255.255.0
 ip access-group 115 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
 service-policy output Voip
!
interface FastEthernet2/0
 description "Customer LAN "
 ip address 10.10.40.1 255.255.255.0
 ip access-group 117 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet2/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Virtual-Template1
 description "VPN Verbinding met Iphones"
 ip unnumbered GigabitEthernet0/0
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 peer default ip address pool PPTP-Pool
 no keepalive
 ppp encrypt mppe 128
 ppp authentication chap ms-chap ms-chap-v2 VPDN_AUTH
 ppp ipcp dns 10.10.10.80 10.10.10.81
!
interface Vlan1
 no ip address
!
ip local pool PPTP-Pool 10.10.50.30 10.10.50.40
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 195.130.x.x
ip route 10.10.100.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.3.0 255.255.255.0 Tunnel0
ip route 192.168.4.0 255.255.255.0 Tunnel0
ip route 192.168.6.0 255.255.255.0 Tunnel0
ip route 192.168.7.0 255.255.255.0 Tunnel0
ip route 192.168.8.0 255.255.255.0 Tunnel0
ip route 192.168.9.0 255.255.255.0 Tunnel0
ip route 192.168.11.0 255.255.255.0 Tunnel0
ip route 192.168.12.0 255.255.255.0 Tunnel0
ip route 192.168.13.0 255.255.255.0 Tunnel0
ip route 192.168.14.0 255.255.255.0 Tunnel0
ip route 192.168.15.0 255.255.255.0 Tunnel0
ip route 192.168.254.0 255.255.255.0 Tunnel0
ip route 193.100.100.0 255.255.255.0 Tunnel0
!
!
no ip http server
no ip http secure-server
ip nat pool NAT-POOL 10.10.10.0 10.10.10.255 netmask 255.255.255.0
ip nat pool NAT-POOL-GUEST 10.10.20.0 10.10.20.255 netmask 255.255.255.0
ip nat pool NAT-POOL-VOICE 10.10.30.0 10.10.30.255 netmask 255.255.255.0
ip nat pool NAT-POOL-CUST 10.10.40.0 10.10.40.255 netmask 255.255.255.0
ip nat pool VPNPHONE-POOL 10.10.50.0 10.10.50.255 netmask 255.255.255.0
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source list 110 interface GigabitEthernet0/0 overload
ip nat inside source list 115 interface GigabitEthernet0/0 overload
ip nat inside source list 117 interface GigabitEthernet0/0 overload
ip nat inside source list 130 interface GigabitEthernet0/0 overload
ip nat inside source static udp 10.10.30.51 5060 interface GigabitEthernet0/0 5060
ip nat inside source static tcp 10.10.10.55 1 195.130.x.x 1 extendable
ip nat inside source static tcp 10.10.10.55 20 195.130.x.x 20 extendable
ip nat inside source static tcp 10.10.10.55 21 195.130.x.x 21 extendable
ip nat inside source static tcp 10.10.10.55 22 195.130.x.x 22 extendable
ip nat inside source static tcp 10.10.10.55 25 195.130.x.x 25 extendable
ip nat inside source static tcp 10.10.10.55 26 195.130.x.x 26 extendable
ip nat inside source static tcp 10.10.10.55 37 195.130.x.x 37 extendable
ip nat inside source static tcp 10.10.10.55 53 195.130.x.x 53 extendable
ip nat inside source static udp 10.10.10.55 53 195.130.x.x 53 extendable
ip nat inside source static tcp 10.10.10.55 80 195.130.x.x 80 extendable
ip nat inside source static tcp 10.10.10.55 110 195.130.x.x 110 extendable
ip nat inside source static tcp 10.10.10.55 143 195.130.x.x 143 extendable
ip nat inside source static tcp 10.10.10.55 443 195.130.x.x 443 extendable
ip nat inside source static tcp 10.10.10.55 465 195.130.x.x 465 extendable
ip nat inside source static tcp 10.10.10.55 587 195.130.x.x 587 extendable
ip nat inside source static tcp 10.10.10.55 993 195.130.x.x 993 extendable
ip nat inside source static tcp 10.10.10.55 995 195.130.x.x 995 extendable
ip nat inside source static tcp 10.10.10.55 2077 195.130.x.x 2077 extendable
ip nat inside source static tcp 10.10.10.55 2078 195.130.x.x 2078 extendable
ip nat inside source static tcp 10.10.10.55 2079 195.130.x.x 2079 extendable
ip nat inside source static tcp 10.10.10.55 2080 195.130.x.x 2080 extendable
ip nat inside source static tcp 10.10.10.55 2082 195.130.x.x 2082 extendable
ip nat inside source static tcp 10.10.10.55 2083 195.130.x.x 2083 extendable
ip nat inside source static tcp 10.10.10.55 2086 195.130.x.x 2086 extendable
ip nat inside source static tcp 10.10.10.55 2087 195.130.x.x 2087 extendable
ip nat inside source static tcp 10.10.10.55 2095 195.130.x.x 2095 extendable
ip nat inside source static tcp 10.10.10.55 2096 195.130.x.x 2096 extendable
ip nat inside source static tcp 10.10.10.55 3306 195.130.x.x 3306 extendable
ip nat inside source static tcp 10.10.10.50 80 195.130.x.x 80 extendable
ip nat inside source static tcp 10.10.10.50 443 195.130.x.x 443 extendable
ip nat inside source static tcp 10.10.10.80 25 195.130.x.x 25 extendable
ip nat inside source static tcp 10.10.10.80 80 195.130.x.x 80 extendable
ip nat inside source static tcp 10.10.10.80 110 195.130.x.x 110 extendable
ip nat inside source static tcp 10.10.10.80 443 195.130.x.x 443 extendable
ip nat inside source static tcp 10.10.10.30 3128 195.130.x.x 3128 extendable
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny   ip any any
!
logging trap debugging
logging facility local2
access-list 1 permit any
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any
access-list 100 permit udp any any range bootps bootpc
access-list 100 permit udp 10.10.10.0 0.0.0.255 any
access-list 100 permit icmp 10.10.10.0 0.0.0.255 any
access-list 100 permit esp 10.10.10.0 0.0.0.255 any
access-list 100 permit pim 10.10.10.0 0.0.0.255 any
access-list 100 deny   ip 192.168.168.0 0.0.0.255 any
access-list 100 deny   ip any any
access-list 101 permit ip 192.168.168.0 0.0.0.255 any
access-list 102 permit udp any any eq bootpc
access-list 110 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 110 permit udp any any range bootps bootpc
access-list 110 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit icmp 10.10.20.0 0.0.0.255 any
access-list 110 permit tcp 10.10.20.0 0.0.0.255 any
access-list 110 permit udp 10.10.20.0 0.0.0.255 any
access-list 110 permit esp 10.10.20.0 0.0.0.255 any
access-list 110 deny   ip any any
access-list 115 permit tcp 10.10.30.0 0.0.0.255 any
access-list 115 permit udp any any range bootps bootpc
access-list 115 permit udp 10.10.30.0 0.0.0.255 any
access-list 115 permit esp 10.10.30.0 0.0.0.255 any
access-list 115 permit icmp 10.10.30.0 0.0.0.255 any
access-list 115 deny   ip any any
access-list 117 deny   ip 10.10.10.0 0.0.0.255 10.10.40.0 0.0.0.255
access-list 117 deny   ip 10.10.40.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 117 permit udp any any range bootps bootpc
access-list 117 permit tcp 10.10.40.0 0.0.0.255 any
access-list 117 permit udp 10.10.40.0 0.0.0.255 any
access-list 117 permit esp 10.10.40.0 0.0.0.255 any
access-list 117 permit icmp 10.10.40.0 0.0.0.255 any
access-list 117 deny   ip any any
access-list 120 permit tcp 84.197.75.0 0.0.0.255 host 195.130.157.148 eq pop3
access-list 120 permit tcp any host 195.130.x.x eq www
access-list 120 permit tcp any host 195.130.x.x eq 1
access-list 120 permit tcp any host 195.130.x.x eq ftp-data
...
access-list 130 permit tcp 10.10.50.0 0.0.0.255 any
access-list 130 permit udp 10.10.50.0 0.0.0.255 any
access-list 130 permit icmp 10.10.50.0 0.0.0.255 any
access-list 130 permit esp 10.10.50.0 0.0.0.255 any
access-list 130 permit gre 10.10.50.0 0.0.0.255 any
access-list 130 deny   ip any any
no cdp run
!
!
!
control-plane
!
bridge 1 protocol ieee
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!

Authorized access only!

banner motd 
======================================================
Alleen voor bevoegd personeel! Niet bevoegd? Oprotten!
======================================================

!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 02050D4808090E25414707
 login authentication local_auth
 transport input telnet ssh
line vty 5 15
 login authentication local_auth
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


One solution is a NAT Virtual Interface. With that I can do NAT loopback and everything works. The only thing is that, as you can read everywhere, this puts a heavy load on the router's CPU and is disastrous for throughput (I keep about 1/3 of the current speed).

code:
ip nat source list 100 interface GigabitEthernet0/0 overload
ip nat source list 110 interface GigabitEthernet0/0 overload
ip nat source list 115 interface GigabitEthernet0/0 overload
ip nat source list 117 interface GigabitEthernet0/0 overload
ip nat source list 130 interface GigabitEthernet0/0 overload

ip nat source static udp 10.10.30.51 5060 interface GigabitEthernet0/0 5060
ip nat source static tcp 10.10.10.55 1 195.130.x.x 1 extendable
ip nat source static tcp 10.10.10.55 20 195.130.x.x 20 extendable
ip nat source static tcp 10.10.10.55 21 195.130.x.x 21 extendable
ip nat source static tcp 10.10.10.55 22 195.130.x.x 22 extendable
ip nat source static tcp 10.10.10.55 25 195.130.x.x 25 extendable
ip nat source static tcp 10.10.10.55 26 195.130.x.x 26 extendable
ip nat source static tcp 10.10.10.55 37 195.130.x.x 37 extendable
ip nat source static tcp 10.10.10.55 53 195.130.x.x 53 extendable
ip nat source static udp 10.10.10.55 53 195.130.x.x 53 extendable
ip nat source static tcp 10.10.10.55 80 195.130.x.x 80 extendable
...
interface GigabitEthernet0/0
ip nat enable
no ip redirects
interface GigabitEthernet0/1
ip nat enable
no ip redirects
interface FastEthernet1/0
ip nat enable
no ip redirects
interface FastEthernet1/1
ip nat enable
no ip redirects
interface FastEthernet2/0
ip nat enable
no ip redirects
interface Virtual-Template1
ip nat enable
no ip redirects


There are other solutions possible using a loopback interface (I have read). I just don't really understand how that is set up. Do you then have to work with policy maps for every NAT statement, or how exactly does this work?
Can any of you help me arrive at a solution for NAT loopback/hairpinning/NAT reflection/... that puts less load on the router?

Extra explanation is welcome... I like learning new things.
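To make the mechanism behind the question concrete, here is an added example; it is not code from the original post, from Tweakers or from Cisco. It is a small Python model of the packet flow for a client on one of the inside interfaces that connects to the router's public address, run in three modes: classic `ip nat inside`/`ip nat outside` (the posted config), destination-only rewriting on the inside interfaces (the loopback/PBR style the poster asks about), and destination plus source rewriting (how I read the NVI variant with `ip nat enable` and `ip nat source ... overload`; treat that mapping as an assumption). The addressing follows the posted config (10.10.10.0/24, 10.10.20.0/24, web server 10.10.10.50); the documentation address 198.51.100.5 stands in for the masked 195.130.x.x, and the client addresses and ports are made up.

```python
"""Packet-flow model of NAT hairpinning (NAT loopback / NAT reflection).

Constructed example for this thread; not code from the poster, from Tweakers
or from Cisco. Addressing follows the posted configuration: 10.10.10.0/24 on
GigabitEthernet0/1, 10.10.20.0/24 (guest LAN) on FastEthernet1/0, web server
10.10.10.50, and the masked public address 195.130.x.x, for which the
documentation address 198.51.100.5 stands in. Client addresses are made up.
"""
from dataclasses import dataclass
import ipaddress

PUBLIC_IP = "198.51.100.5"      # placeholder for the thread's 195.130.x.x (Gi0/0)
WEB_SERVER = "10.10.10.50"      # target of the posted static NAT for tcp/80, tcp/443
INSIDE_NETS = {                 # inside interfaces from the posted config
    "Gi0/1": ipaddress.ip_network("10.10.10.0/24"),
    "Fa1/0": ipaddress.ip_network("10.10.20.0/24"),
}
# ip nat inside source static tcp 10.10.10.50 80 195.130.x.x 80 extendable (and 443)
STATIC_NAT = {("tcp", PUBLIC_IP, 80): (WEB_SERVER, 80),
              ("tcp", PUBLIC_IP, 443): (WEB_SERVER, 443)}


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def iface_for(ip: str) -> str:
    """Routing lookup: the interface that reaches ip (default route -> Gi0/0)."""
    addr = ipaddress.ip_address(ip)
    for name, net in INSIDE_NETS.items():
        if addr in net:
            return name
    return "Gi0/0"


def connect(client: str, sport: int, dport: int, mode: str) -> tuple[bool, str]:
    """Simulate client -> PUBLIC_IP:dport and the server's reply.

    mode 'classic'   : ip nat inside/outside. Static entries are only applied to
                       packets entering on the outside interface (Gi0/0).
    mode 'dnat'      : destination rewritten before routing on inside interfaces
                       too (loopback/PBR style), source left untouched.
    mode 'dnat+snat' : destination and source rewritten (assumed reading of the
                       NVI variant: 'ip nat enable' plus 'ip nat source ... overload').
    Returns (client gets a valid reply?, explanation).
    """
    req = Pkt("tcp", client, sport, PUBLIC_IP, dport)
    from_outside = iface_for(client) == "Gi0/0"
    key = (req.proto, req.dst, req.dport)
    if key not in STATIC_NAT:
        return False, f"no static NAT entry for {PUBLIC_IP}:{dport}"
    if mode == "classic" and not from_outside:
        # Nothing rewrites the destination on an inside interface, so the packet
        # is addressed to the router itself; with 'no ip http server' nothing
        # listens on tcp/80 and the client gets a reset ("Connection refused").
        return False, "packet terminates on the router: classic NAT only translates on Gi0/0 ingress"
    in_dst, in_dport = STATIC_NAT[key]
    fwd_src, fwd_sport = req.src, req.sport
    if mode == "dnat+snat" and not from_outside:
        # Overload: source becomes the router's address with a fresh port, which
        # forces the server's reply back through the router.
        fwd_src, fwd_sport = PUBLIC_IP, 40000 + sport % 1000
    fwd = Pkt("tcp", fwd_src, fwd_sport, in_dst, in_dport)
    # Translation table: reverse 4-tuple of the forwarded packet -> original request.
    table = {(fwd.dst, fwd.dport, fwd.src, fwd.sport): req}

    reply = Pkt("tcp", fwd.dst, fwd.dport, fwd.src, fwd.sport)
    if iface_for(reply.src) == iface_for(reply.dst):
        # Same subnet: the server delivers directly via ARP; the router never sees
        # the reply and cannot undo the translation.
        delivered = reply
    else:
        orig = table[(reply.src, reply.sport, reply.dst, reply.dport)]
        delivered = Pkt("tcp", orig.dst, orig.dport, orig.src, orig.sport)

    expected = (PUBLIC_IP, dport, client, sport)
    seen = (delivered.src, delivered.sport, delivered.dst, delivered.dport)
    if seen == expected:
        return True, f"reply {delivered.src}:{delivered.sport} -> {delivered.dst}:{delivered.dport} matches the socket"
    return False, (f"reply arrives from {delivered.src}:{delivered.sport}, but the socket is to "
                   f"{PUBLIC_IP}:{dport}; the client discards it")


if __name__ == "__main__":
    cases = [("203.0.113.9", 51000, "classic"),   # Internet client: works today
             ("10.10.10.60", 51000, "classic"),   # LAN client: the poster's problem
             ("10.10.10.60", 51000, "dnat"),      # same subnet as the server
             ("10.10.20.60", 51000, "dnat"),      # guest LAN: reply routed back
             ("10.10.10.60", 51000, "dnat+snat")]
    for client, sport, mode in cases:
        ok, why = connect(client, sport, 80, mode)
        print(f"{mode:10} {client:12} {'OK  ' if ok else 'FAIL'} {why}")
```

The point the model makes: rewriting only the destination is enough when the client and the server sit on different inside interfaces, because the reply has to cross the router again and is untranslated there; for a client on the same subnet as the server the reply goes straight to the client with the wrong source address, so the source must be rewritten as well, which is why the working variants all translate in both directions. The model ignores the inbound ACLs on the posted interfaces (110 and 117 deny guest and customer traffic to 10.10.10.0/24) and `ip inspect`, so the guest-LAN result also depends on where those checks sit relative to translation on the real router; the CPU cost the poster mentions is not modelled either.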

All replies


  • Ghostface9000
  • Registered: January 2009
  • Last online: 17:29
You only have the problem with that curl command on the LAN? Not when you connect from outside?

I read that this Cisco router indeed has no NAT loopback functionality.

Do you run your own DNS server internally? You could create an A record that points to the server's local IP to solve it that way.

[ Edited 4% by Ghostface9000 on 09-08-2021 10:48 ]


  • Pieter Kimpen
  • Registered: June 2007
  • Last online: 23-11-2024
Hi Ghostface9000,

Thanks for the quick reply.

I get the following error:

curl www.m.....be
curl: (7) Failed connect to www.m....be:80; Connection refused
[root@ares ~]#


I run my own DNS servers. They contain the required A records for every website. So that is already in order.

Dammit.... I checked the DNS again. That domain was indeed not in there yet (there are more than 7800 zones on those servers...)

[root@ares ~]# curl www.....be
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.m....be/">here</a>.</p>
</body></html>
[root@ares ~]#

Now it works without any problems.
Of course that does not yet solve my original question (but I am already very happy with this quick reply and solution).
The last few months have been very tiring for me... Then you forget things.

I'll leave the topic open. I'd like to check whether there are other solutions for the original NAT hairpinning/reflection question.

Many thanks, all!

  • nl0pat
  • Registered: November 2004
  • Last online: 26-05 10:35
Edit: never mind, this suggestion was already given..

[ Edited 85% by nl0pat on 09-08-2021 19:35 ]