Access my web server via the public IP address

Rajkob (Level 1)

I am relatively new to routers and how they work and I've been struggling with this for a while. I have a Cisco 4331 router and I want to access my web server via its public IP address from my internal network. The local server I am attempting to access has a separate public IP address from the address we use to access the internet. The router has 4 physical interfaces and 3 are configured, one for WAN and two for LAN. I have been reading about NAT hairpinning but I am not sure how to implement it in my configuration. Please help.


11 Replies

Deepak Kumar (VIP Alumni)

Hi,

Here is a long discussion on the same:

https://community.cisco.com/t5/routing/how-to-do-nat-reflection-nat-hairpin-on-a-cisco-1800-router/td-p/2754725 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

I saw that discussion, but since it is rather outdated and on a different version of IOS I am unsure if I can use the same solution?

Hello,

so your local server has a public IP address? What if you modify the local HOSTS file on your clients?

x.x.x.x www.myserver.com

where x.x.x.x is the IP address of your server?
I need to access my web server via the public IP address. I tried it with the hosts file and it did not work.

Hello

Try using domain-less NVI nat (no ip inside / ip outside domains)
Have a look here


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I tried this solution but I am getting the following error when I try the suggested command:

# ip nat source static tcp 192.168.1.27 443 79.101.38.238 443 extendable
ip nat source static tcp 192.168.1.27 443 79.101.38.238 443 extendable
^
% Invalid input detected at '^' marker.

Hello,

either configure 'ip nat enable' on your interfaces and:

ip nat source static tcp 192.168.1.27 443 79.101.38.238 443 extendable

or 'ip nat inside' and 'ip nat outside' and:

ip nat inside source static tcp 192.168.1.27 443 79.101.38.238 443 extendable

Hello

The OP suggests that you have a successfully working topology using domain-based network translation; however, you wish to access an internal web server via its NATed public IP address.

Domain-based NAT (ip nat inside/ip nat outside) by default, possibly due to the NAT order, won't allow this to happen.

To use domain-less NAT you need to enable it on the interface as suggested by @Georg Pauwen and then change your current NAT statements to exactly the same but minus the "inside" or "outside" keyword; however, if this isn't applicable it could be that your current IOS doesn't support such an option.

The other option is hairpinning, a very good suggestion by @Deepak Kumar; that's a bit trickier to implement but it should work as you desire.

Could you post the running-config of your router please.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Here is my configuration. Public IP of server is 79.101.38.238 and it is on sub domain hbdev.nites.rs.

Wed Oct 02 2019 08:17:25 GMT+0200 (Central Europe Standard Time)
===================================================================================
#sh run
Building configuration...
Current configuration : 28343 bytes
!
!
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!

!
!
interface Loopback100
ip address 172.30.0.1 255.255.255.0
!
interface GigabitEthernet0/0/0
ip flow monitor NFAmonitor input
ip flow monitor NFAmonitor output
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip nbar protocol-discovery
ip tcp adjust-mss 1452
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description Internet Optika Telekom$ETH-WAN$
ip address 93.87.83.246 255.255.255.252
ip nat outside
ip nbar protocol-discovery
ip access-group 110 in
negotiation auto
crypto map NITES_CMP
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
ip flow monitor NFAmonitor input
ip address 192.168.2.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Virtual-Template100 type tunnel
ip unnumbered Loopback100
ip mtu 1400
ip nat inside
tunnel mode ipsec ipv4
tunnel protection ipsec profile AnyConnect-EAP
!
ip local pool VPNPOOL 10.7.1.5 10.7.1.150
ip nat inside source static tcp 192.168.1.115 20 79.101.38.235 20 extendable
ip nat inside source static tcp 192.168.1.115 21 79.101.38.235 21 extendable
ip nat inside source static tcp 192.168.1.115 443 79.101.38.235 443 extendable
ip nat inside source static udp 192.168.1.115 1194 79.101.38.235 1194 extendable
ip nat inside source static tcp 192.168.1.115 1723 79.101.38.235 1723 extendable
ip nat inside source static 192.168.1.115 79.101.38.235 route-map nonat
ip nat inside source static tcp 192.168.1.27 80 79.101.38.238 80 extendable
ip nat inside source static tcp 192.168.1.27 443 79.101.38.238 443 extendable
ip nat inside source static tcp 192.168.1.28 22 79.101.38.238 11022 extendable
ip nat inside source static tcp 192.168.1.28 5432 79.101.38.238 65203 extendable
ip nat inside source list 101 interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 93.87.83.245
!
ip ssh version 2
!
!
ip access-list extended ENIT_SA
permit ip 192.168.1.0 0.0.0.255 10.0.178.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 10.0.178.0 0.0.0.255
ip access-list extended Egress
permit tcp host 93.87.83.246 any
permit udp host 93.87.83.246 any
permit gre host 93.87.83.246 any
permit ip host 79.101.38.235 any
ip access-list extended Ingress1
permit ip host 212.200.59.49 any
permit ip host 93.87.11.177 any
permit udp any host 79.101.38.235 eq 1194
permit udp any host 93.87.83.246 eq isakmp
permit ip host 194.145.153.109 any
permit tcp any host 93.87.83.246 eq 6881
permit udp any host 93.87.83.246 eq 6881
permit icmp host 93.87.83.245 host 93.87.83.246
permit ip host 81.93.72.50 any
permit ip host 77.77.208.118 any
permit ip host 217.195.163.130 any
permit tcp any host 79.101.38.235 eq ftp
permit tcp any host 79.101.38.235 eq 443
permit tcp any host 79.101.38.235 eq 1723
permit tcp any host 79.101.38.235 gt 1023
permit ip 194.145.153.0 0.0.0.255 any
permit gre any host 93.87.83.246
permit tcp any host 93.87.83.246 eq smtp
permit udp any eq ntp host 93.87.83.246
ip access-list extended Ingress2
permit tcp any any eq 3389
permit tcp any host 93.87.83.246 eq 3389
permit icmp any any
permit icmp any host 93.87.83.246
permit tcp any host 93.87.83.246 eq login
permit udp any host 93.87.83.246 eq domain
permit tcp any host 93.87.83.246 eq domain
permit tcp any host 93.87.83.246 eq 69
permit tcp any host 93.87.83.246 eq sunrpc
permit tcp any host 93.87.83.246 eq 161
permit tcp any host 93.87.83.246 eq 162
permit udp any host 93.87.83.246 eq snmp
permit udp any host 93.87.83.246 eq snmptrap
permit tcp any host 93.87.83.246 eq 500
permit tcp any host 93.87.83.246 eq cmd
permit udp any host 93.87.83.246 eq syslog
permit tcp any host 93.87.83.246 eq ftp
permit tcp any host 93.87.83.246 eq ftp-data
permit tcp any host 93.87.83.246 eq pop3
permit tcp any host 93.87.83.246 eq 22
permit tcp any any eq telnet
permit tcp any host 93.87.83.246 eq telnet
permit ip host 0.0.0.0 any
permit ip 127.0.0.0 0.255.255.255 any
permit ip 224.0.0.0 31.255.255.255 any
permit ip 10.0.0.0 0.255.255.255 any
permit tcp any any eq www
permit udp any any eq echo
permit udp any any eq tftp
permit udp any any eq non500-isakmp
permit tcp any host 93.87.83.246 eq www
permit ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
permit ip host 93.87.83.246 any
permit tcp any any eq 55067
permit tcp any host 93.87.83.246 eq 443
permit tcp any any eq 9100
permit tcp any host 93.87.83.246 eq 5900
permit tcp any host 93.87.83.246 eq 5632
ip access-list extended NITES_BL
permit ip 192.168.1.0 0.0.0.255 10.0.10.0 0.0.1.255
permit ip 192.168.2.0 0.0.0.255 10.0.10.0 0.0.1.255
permit ip 172.17.11.0 0.0.0.255 10.0.10.0 0.0.1.255
ip access-list extended NITES_PR
permit ip 192.168.1.0 0.0.0.255 10.0.20.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.178.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.10.0 0.0.1.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.7.1.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 10.0.178.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 10.0.10.0 0.0.1.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 10.7.1.0 0.0.0.255
access-list 101 deny ip host 192.168.1.40 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 10.7.1.0 0.0.0.255 any
access-list 110 deny tcp any host 93.87.83.246 eq www
access-list 110 deny tcp any host 93.87.83.246 eq 443
access-list 110 permit tcp any host 79.101.38.235 eq ftp-data
access-list 110 permit tcp any host 79.101.38.235 eq ftp
access-list 110 permit tcp any host 79.101.38.235 eq 443
access-list 110 permit tcp any host 79.101.38.235 eq 1723
access-list 110 permit tcp any host 79.101.38.235 gt 1023
access-list 110 permit udp any host 79.101.38.235 eq 1194
access-list 110 permit tcp any any eq 1723
access-list 110 permit ip host 104.16.218.84 host 79.101.38.235
access-list 110 permit ip host 198.148.79.54 host 79.101.38.235
access-list 110 permit ip host 212.200.190.166 host 79.101.38.235
access-list 110 permit ip host 212.190.191.166 host 79.101.38.235
access-list 110 permit gre any any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 169.254.0.0 0.0.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 permit icmp any host 93.87.83.246 echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any administratively-prohibited
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any reassembly-timeout
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any ttl-exceeded
access-list 110 deny icmp any any
access-list 110 deny ip any host 79.101.38.235
access-list 110 permit ip any any
access-list 150 deny ip host 192.168.1.115 10.0.20.0 0.0.0.255
access-list 150 deny ip host 192.168.1.115 10.0.178.0 0.0.0.255
access-list 150 deny ip host 192.168.1.115 10.0.10.0 0.0.1.255
access-list 150 permit ip host 192.168.1.115 any
!
!
route-map nonat permit 10
match ip address 150
!
snmp-server community public RO
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
timeout login response 150
privilege level 15
length 0
transport input ssh
!
ntp master
ntp server 109.245.222.66
ntp server 147.91.8.77
!
!
!
!
!
end

Hello

Try the following:

! loopback that becomes the new NAT "inside" domain for hairpinned traffic
int loopback 99
 description nat_hairpining
 ip address 172.16.1.100 255.255.255.255
 ip nat inside

! the LAN interface (GigabitEthernet0/0/0 in the running-config above)
int gig0/0
 ip nat outside
 no ip redirects
 ip policy route-map NAT_PBR

! keep LAN-to-LAN traffic out of the overload translation (sequence 5 lands before the existing permits)
ip access-list extended 101
 5 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

! policy-route LAN traffic into the loopback so it enters the inside domain
route-map NAT_PBR permit 10
 set interface loopback 99

! LAN clients talking to the statically translated servers
ip access-list extended nat-pinning
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.27
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.28
 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.115

! source-translate those flows to the loopback address so the server replies via the router
ip nat inside source list nat-pinning interface loopback99


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
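The nat-pinning list above is built from the inside hosts that appear in the static translations of the running-config. The following script, an added example that is not part of this thread nor Cisco code, parses those static NAT lines, derives the hairpin ACL in the same shape, and answers the question the thread is really about: which inside host and port a LAN client's connection to a public IP:port lands on, or None when no static entry covers it. The sample input is copied from the config posted above; the function and ACL names are assumptions of this example.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the static NAT lines from the running-config posted
# above, plus the overload line, which the parser must ignore.
SAMPLE_NAT_CONFIG = """\
ip nat inside source static tcp 192.168.1.115 20 79.101.38.235 20 extendable
ip nat inside source static tcp 192.168.1.115 21 79.101.38.235 21 extendable
ip nat inside source static tcp 192.168.1.115 443 79.101.38.235 443 extendable
ip nat inside source static udp 192.168.1.115 1194 79.101.38.235 1194 extendable
ip nat inside source static tcp 192.168.1.115 1723 79.101.38.235 1723 extendable
ip nat inside source static 192.168.1.115 79.101.38.235 route-map nonat
ip nat inside source static tcp 192.168.1.27 80 79.101.38.238 80 extendable
ip nat inside source static tcp 192.168.1.27 443 79.101.38.238 443 extendable
ip nat inside source static tcp 192.168.1.28 22 79.101.38.238 11022 extendable
ip nat inside source static tcp 192.168.1.28 5432 79.101.38.238 65203 extendable
ip nat inside source list 101 interface GigabitEthernet0/0/1 overload
"""

# "ip nat inside source static <tcp|udp> <inside-ip> <inside-port> <outside-ip> <outside-port> ..."
PORT_STATIC = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
# "ip nat inside source static <inside-ip> <outside-ip> ..." (one-to-one, all ports)
HOST_STATIC = re.compile(r"^ip nat inside source static (\S+) (\S+)")


def _is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def parse_static_nat(config_text):
    """Parse static inside-source NAT lines into dicts.

    proto is 'tcp', 'udp' or 'ip' (1:1 host mapping); inside_port/outside_port
    are None for 1:1 mappings. Non-static lines (e.g. the overload line) are skipped.
    The route-map condition on the 1:1 entry is not modelled here.
    """
    entries = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PORT_STATIC.match(line)
        if m:
            proto, iip, iport, oip, oport = m.groups()
            entries.append({"proto": proto, "inside_ip": iip, "inside_port": int(iport),
                            "outside_ip": oip, "outside_port": int(oport)})
            continue
        m = HOST_STATIC.match(line)
        if m and _is_ip(m.group(1)) and _is_ip(m.group(2)):
            entries.append({"proto": "ip", "inside_ip": m.group(1), "inside_port": None,
                            "outside_ip": m.group(2), "outside_port": None})
    return entries


def hairpin_hosts(entries):
    """Distinct inside hosts that LAN clients may reach through a public address."""
    return sorted({e["inside_ip"] for e in entries}, key=ip_address)


def hairpin_acl(entries, lan="192.168.1.0 0.0.0.255", name="nat-pinning"):
    """Build the extended ACL selecting LAN -> server flows for the hairpin translation."""
    lines = [f"ip access-list extended {name}"]
    for host in hairpin_hosts(entries):
        lines.append(f" permit ip {lan} host {host}")
    return lines


def resolve_public(entries, public_ip, proto, port):
    """Inside (ip, port) that a connection to public_ip:port is translated to.

    The port-specific entry is tried before the 1:1 host entry; None means no
    static entry covers the flow, so the packet would leave the WAN untranslated.
    """
    for e in entries:
        if e["proto"] == proto and e["outside_ip"] == public_ip and e["outside_port"] == port:
            return (e["inside_ip"], e["inside_port"])
    for e in entries:
        if e["proto"] == "ip" and e["outside_ip"] == public_ip:
            return (e["inside_ip"], port)
    return None


ENTRIES = parse_static_nat(SAMPLE_NAT_CONFIG)

if __name__ == "__main__":
    print("\n".join(hairpin_acl(ENTRIES)))
    print(resolve_public(ENTRIES, "79.101.38.238", "tcp", 11022))  # ('192.168.1.28', 22)
    print(resolve_public(ENTRIES, "79.101.38.238", "tcp", 25))     # None
```

Running it against the posted config reproduces the three permit lines of the nat-pinning list above, which is a quick way to check that a hairpin ACL has not drifted from the static translations it is supposed to cover when servers are added or retired.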

benji2023 (Level 1)

Hello Rajkob, hello Paul,

Even though a few years have passed, we have a similar challenge.

We have an ISR4431 with IOS-XE 17 and would like to configure NAT hairpinning.

We understand that NAT Virtual Interfaces are not supported by IOS XE: https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/ip-addressing/b-ip-addressing/m_iadnat-addr-consv-xe.html

Therefore, we would like to try the approach described here.

I would like to know if it worked for you Rajkob?

In our case, we have three interfaces with the command ip nat outside because we have three providers and one interface with ip nat inside. We already have policy-based routing on this interface. Simplified, it currently looks like this:

interface Port-channel1.100
  ip nat outside
!
interface Port-channel1.101
  ip nat outside
!
interface Port-channel1.102
  ip nat outside
!
interface Port-channel1.200
  ip nat inside
  ip policy route-map RM_PBR

Do I have to change the configuration as follows and move the existing route map to the loopback interface?

interface Port-channel1.100
  ip nat outside
!
interface Port-channel1.101
  ip nat outside
!
interface Port-channel1.102
  ip nat outside
!
interface Port-channel1.200
  ip nat outside
  ip policy route-map RM_TO_LO_100

interface Loopback100
  ip address xxx.xxx.xxx.xxx
  ip nat inside
  ip policy route-map RM_PBR
As far as I understand, this procedure puts a higher load on the CPU. Do you have any experience here?

Thank you in advance.
