

Alternative for Hairpinning / DNS static host entry


I want to reach a server which resides in LAN D from client LAN A via its public IP (Citrix Netscaler) and https.

Both nets have the same default gateway device (Cisco 1921, 15.4(1) with virtual Interfaces).

On this device also the NAT statics for reachability of the server from outside are configured.

Is there a way to forward packets destined for 93.XXX.XXX.XXX:443 directly to and back from, without static DNS or host entries on any device?


Config extract:

ip nat inside source static tcp 443 93.XXX.XXX.XXX 443 extendable

interface GigabitEthernet0/0
 description *** OUTSIDE ***
 ip address 93.XXX.XXX.XXX
 ip nat outside
 ip inspect FW in
 ip inspect FW out

interface GigabitEthernet0/1.2
 description *** LAN A ***
 encapsulation dot1Q 2
 ip address
 ip nat inside

interface GigabitEthernet0/1.3
 description *** LAN D ***
 encapsulation dot1Q 3
 ip address
 ip nat inside

Help is very much appreciated.

Kind regards


Cisco Employee

Hi Alex,

Hope you are doing well!

Since you are using Citrix Netscaler, I wanted to mention a new feature, Automated Policy Based Routing (APBR) and RISE (Remote Integrated Service Engine), that is available on Citrix Netscaler which might ease your pain points in configuring services.

Here are some details and links

RISE (Remote Integrated Services Engine) is an innovative, industry-first architecture conceived by the Nexus Services engineering team to seamlessly integrate Nexus switches with appliances offering L2/L3/L4-L7 services. RISE makes the service appliance look like a line card in the Nexus 7K series. This integration allows any appliance to take advantage of the benefits of an in-chassis module such as increased application performance, high application availability, and data center consolidation.

RISE press release on Wall Street Journal:
RISE At A Glance white paper:
RISE announcement blog:
RISE Video at Interop:
Cisco RISE page:

Gartner blog on RISE: “Cisco and Citrix RISE to the Occasion”:
Please contact us for a demo/presentation/POC. Please send email to





Thank you for the answer.

But isn't there a way to get my ISR routers (1841/1921) not to NAT addresses which they hold by their own and have statics configured for?

I'm not willing to change my switch fabric base to Cisco Nexus just to get this issue fixed.

(By the way, the Nexus construct with FEXes that have to transmit all their port traffic forward and back to their parent Nexus instead of passing it directly between their interfaces is just not acceptable.)

With an ASA this isn't a problem at all.


Kind regards.