02-26-2020 02:17 AM
Hi,
with your precious help I configured my ISR 1113-8p router. Below I post my current running-config.
The point now is that I should be able to reach some of my LAN internal resources with my public (dynamic, ISP provided) IP address: this is because some apps on mobile devices have to work both when the device is connected to the internal WiFi and when it's outside.
Checking other posts I read there should be a hairpinning way or, even better, the NVI way: following the NVI way, I tried changing my running-config, putting "ip nat enable" instead of "ip nat inside" and "ip nat outside" on the interfaces, and then I tried to replace every "ip nat inside source ..." with "ip nat source ...", but this doesn't work: I get an invalid input marker at the "source" position (it seems I must put inside/outside after the word nat).
Can you help me, please? ...just to make it work or, anyway, to reach my goal to make the internal host reachable with the public IP.
Thanks in advance!
Building configuration...
Current configuration : 8101 bytes
!
! Last configuration change at 14:19:19 UTC Tue Feb 11 2020
!
version 16.10
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
ip dhcp excluded-address 192.168.178.1 192.168.178.2
ip dhcp excluded-address 192.168.178.109
ip dhcp excluded-address 192.168.178.110
ip dhcp excluded-address 192.168.178.25
ip dhcp excluded-address 192.168.178.30
ip dhcp excluded-address 192.168.178.38
ip dhcp excluded-address 192.168.178.200
!
ip dhcp pool CASA_POOL
network 192.168.178.0 255.255.255.0
default-router 192.168.178.1
dns-server 192.168.178.1
!
redundancy
mode none
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface ATM0/2/0
no ip address
atm oversubscribe factor 2
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
no ip address
no negotiation auto
!
interface Ethernet0/2/0.835
encapsulation dot1Q 835
ip nat inside
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly
!
interface Vlan1
ip address 192.168.178.1 255.255.255.0
ip nat inside
!
interface Dialer0
!
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname timadsl
ppp chap password 0 timadsl
ppp pap sent-username timadsl password 0 timadsl
ppp ipcp dns request accept
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 8080
ip dns server
ip nat translation udp-timeout 600
ip nat translation max-entries 40000
ip nat inside source static udp 192.168.178.200 8002 interface Dialer1 8002
ip nat inside source static tcp 192.168.178.200 8002 interface Dialer1 8002
ip nat inside source static tcp 192.168.178.109 80 interface Dialer1 80
ip nat inside source static tcp 192.168.178.109 443 interface Dialer1 4443
ip nat inside source static udp 192.168.178.109 80 interface Dialer1 80
ip nat inside source static udp 192.168.178.109 443 interface Dialer1 443
ip nat inside source static tcp 192.168.178.200 81 interface Dialer1 81
ip nat inside source static udp 192.168.178.200 81 interface Dialer1 81
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 100 deny ip host 192.168.178.109 any
access-list 100 deny ip host 192.168.178.200 any
access-list 100 permit ip 192.168.178.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
!
!
!
!
!
end
02-26-2020 04:30 AM
Hello,
I have made some changes/additions (marked in bold) to your configuration, see if you get it to work this way:
Current configuration : 8101 bytes
!
! Last configuration change at 14:19:19 UTC Tue Feb 11 2020
!
version 16.10
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
ip dhcp excluded-address 192.168.178.1 192.168.178.2
ip dhcp excluded-address 192.168.178.109
ip dhcp excluded-address 192.168.178.110
ip dhcp excluded-address 192.168.178.25
ip dhcp excluded-address 192.168.178.30
ip dhcp excluded-address 192.168.178.38
ip dhcp excluded-address 192.168.178.200
!
ip dhcp pool CASA_POOL
network 192.168.178.0 255.255.255.0
default-router 192.168.178.1
dns-server 192.168.178.1
!
redundancy
mode none
!
controller VDSL 0/2/0
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface ATM0/2/0
no ip address
atm oversubscribe factor 2
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
no ip address
no negotiation auto
!
interface Ethernet0/2/0.835
encapsulation dot1Q 835
--> ip nat enable
--> no ip redirects
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly
!
interface Vlan1
ip address 192.168.178.1 255.255.255.0
--> ip nat enable
--> no ip redirects
!
interface Dialer0
!
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
--> ip nat enable
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname timadsl
ppp chap password 0 timadsl
ppp pap sent-username timadsl password 0 timadsl
ppp ipcp dns request accept
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 8080
ip dns server
ip nat translation udp-timeout 600
ip nat translation max-entries 40000
--> ip nat source static udp 192.168.178.200 8002 interface Dialer1 8002
--> ip nat source static tcp 192.168.178.200 8002 interface Dialer1 8002
--> ip nat source static tcp 192.168.178.109 80 interface Dialer1 80
--> ip nat source static tcp 192.168.178.109 443 interface Dialer1 4443
--> ip nat source static udp 192.168.178.109 80 interface Dialer1 80
--> ip nat source static udp 192.168.178.109 443 interface Dialer1 443
--> ip nat source static tcp 192.168.178.200 81 interface Dialer1 81
--> ip nat source static udp 192.168.178.200 81 interface Dialer1 81
--> ip nat source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
--> access-list 100 permit ip 192.168.178.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
end
02-26-2020 08:21 AM
Hi Georg,
and thanks for your reply. I tried to follow your advice, but unfortunately the problem seems to be the "ip nat source" command, since when I try to type it I get the following error:
Router(config)#$ce static udp 192.168.178.200 8002 interface Dialer1 8002
ip nat source static udp 192.168.178.200 8002 interface Dialer1 8002
^
% Invalid input detected at '^' marker.
Everything seems to work well with "ip nat inside source static....", instead.
02-26-2020 02:19 PM
Hi,
"ip nat enable" to enable NAT, combined with "input source" to configure NAT, means using NVI NAT on the IOS device. If you don't have the command it means it's not supported. NVI NAT should be used for inter-VRF NAT. For your use-case use domain-based NAT (ip nat inside/ip nat outside).
Security-wise, it's recommended to no longer do NAT and make the mobile devices build an IPsec tunnel to your router in order to get access to the servers on the LAN side.
Regards,
Cristian Matei.
02-26-2020 03:20 PM
Hello,
'ip nat enable' doesn't seem to be supported on your ISR. Use the config below (again, changes and additions marked in bold):
Current configuration : 8101 bytes
!
! Last configuration change at 14:19:19 UTC Tue Feb 11 2020
!
version 16.10
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
ip dhcp excluded-address 192.168.178.1 192.168.178.2
ip dhcp excluded-address 192.168.178.109
ip dhcp excluded-address 192.168.178.110
ip dhcp excluded-address 192.168.178.25
ip dhcp excluded-address 192.168.178.30
ip dhcp excluded-address 192.168.178.38
ip dhcp excluded-address 192.168.178.200
!
ip dhcp pool CASA_POOL
network 192.168.178.0 255.255.255.0
default-router 192.168.178.1
dns-server 192.168.178.1
!
redundancy
mode none
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
--> interface Loopback0
--> ip address 1.1.1.1 255.255.255.255
--> ip nat inside
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface ATM0/2/0
no ip address
atm oversubscribe factor 2
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
no ip address
no negotiation auto
!
interface Ethernet0/2/0.835
encapsulation dot1Q 835
ip nat inside
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly
!
interface Vlan1
ip address 192.168.178.1 255.255.255.0
--> ip nat outside
--> ip policy route-map VLAN1_PBR
!
interface Dialer0
!
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname timadsl
ppp chap password 0 timadsl
ppp pap sent-username timadsl password 0 timadsl
ppp ipcp dns request accept
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 8080
ip dns server
ip nat translation udp-timeout 600
ip nat translation max-entries 40000
ip nat inside source static udp 192.168.178.200 8002 interface Dialer1 8002
ip nat inside source static tcp 192.168.178.200 8002 interface Dialer1 8002
ip nat inside source static tcp 192.168.178.109 80 interface Dialer1 80
ip nat inside source static tcp 192.168.178.109 443 interface Dialer1 4443
ip nat inside source static udp 192.168.178.109 80 interface Dialer1 80
ip nat inside source static udp 192.168.178.109 443 interface Dialer1 443
ip nat inside source static tcp 192.168.178.200 81 interface Dialer1 81
ip nat inside source static udp 192.168.178.200 81 interface Dialer1 81
--> ip nat inside source list NAT_ACJ interface Dialer1 overload
--> ip nat inside source list NAT_HAIRPIN_ACL interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
--> ip access-list extended NAT_HAIRPIN_ACL
--> permit ip 192.168.178.0 0.0.0.255 host 192.168.178.109
--> permit ip 192.168.178.0 0.0.0.255 host 192.168.178.200
!
--> ip access-list extended NAT_ACL
--> deny ip 192.168.178.0 0.0.0.255 192.168.178.0 0.0.0.255
--> permit ip 192.168.178.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
--> route-map VLAN1_PBR permit 10
--> set interface Loopback0
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
end
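The flow that the loopback/PBR configuration above tries to build is a NAT hairpin: a LAN client sends to the public address, the router rewrites the destination using the static entries and also rewrites the source onto Loopback0, so the server's reply comes back through the router rather than straight to the client. This Python model is an added illustration, not code from the thread or from Cisco; it uses the thread's addresses (server 192.168.178.109/.200, Loopback0 1.1.1.1) and constructed values for the dynamic public IP and the client.

```python
# Added illustration: the two translations a hairpinned LAN->public-IP flow needs.
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the dynamic Dialer1 address
LOOPBACK_IP = "1.1.1.1"     # Loopback0 from the proposed config
# (proto, public port) -> (inside host, inside port), taken from the static NAT lines
STATIC_NAT = {("tcp", 80): ("192.168.178.109", 80), ("tcp", 4443): ("192.168.178.109", 443),
              ("tcp", 8002): ("192.168.178.200", 8002), ("udp", 8002): ("192.168.178.200", 8002),
              ("tcp", 81): ("192.168.178.200", 81), ("udp", 81): ("192.168.178.200", 81)}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class HairpinNat:
    """Destination NAT via the static entries plus PAT of the client onto the loopback."""
    def __init__(self):
        self._next_port = 1024
        self._sessions = {}  # (proto, server, server port, loopback port) -> client tuple

    def outbound(self, pkt):
        """LAN client -> PUBLIC_IP:port. Returns the packet the server receives, or None."""
        if pkt.dst != PUBLIC_IP or (pkt.proto, pkt.dport) not in STATIC_NAT:
            return None  # no forwarding rule for that port: nothing to reflect
        host, port = STATIC_NAT[(pkt.proto, pkt.dport)]
        lport, self._next_port = self._next_port, self._next_port + 1
        self._sessions[(pkt.proto, host, port, lport)] = (pkt.src, pkt.sport, pkt.dport)
        return replace(pkt, src=LOOPBACK_IP, sport=lport, dst=host, dport=port)

    def inbound(self, pkt):
        """Server reply -> loopback. Returns the packet the client receives, or None."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        if pkt.dst != LOOPBACK_IP or key not in self._sessions:
            return None
        client, cport, public_port = self._sessions[key]
        return replace(pkt, src=PUBLIC_IP, sport=public_port, dst=client, dport=cport)

def reply_is_accepted(request, reply):
    """A client only accepts a reply whose source matches where it sent the request."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)

def without_source_nat(request):
    """Destination-only rewrite: the server answers the client directly from its private address."""
    host, port = STATIC_NAT[(request.proto, request.dport)]
    return reply_is_accepted(request, Packet(request.proto, host, port, request.src, request.sport))
```

`without_source_nat` returns False for any forwarded port, which is the reason the second overload rule onto Loopback0 exists: without it the server's direct reply never matches the connection the client opened.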
02-28-2020 11:47 AM
Hi,
sorry it took me so long to reply, but I can do tests just when my clients aren't using the net.
I tried the configuration, but unfortunately it didn't work... all my clients couldn't access the Internet. During the test I also checked that accessing hosts from their local IPs was ok and direct ping (i.e. to www.google.com) from the router interface worked well.
So... I had to come back to the old configuration to allow my clients to work: if you've any suggestions, you're welcome!
Thanks in advance, again!
02-28-2020 12:13 PM
Hello,
there was a typo in the config I have sent, did you catch that?
--> ip nat inside source list NAT_ACJ interface Dialer1 overload --> should be NAT_ACL
Were your clients able to access the local resources with the public IP during the test?
02-29-2020 01:54 AM
Hello
please review this OP; it should assist with your request:
https://community.cisco.com/t5/routing/access-my-web-server-via-the-public-ip-address/td-p/3932922
02-29-2020 07:12 AM
Hi,
and thank you for your patience.
I tried Georg's solution with particular attention to the source list name, but unfortunately it didn't work. I also tried what Paul suggested in the OP he linked, but I ended up with the same result, since I had to treat the gig0/0 in his example the same as the Vlan1 in my case (correct me if I'm wrong).
During the tests, while the clients' Internet connection wasn't working, they couldn't access the local resources with the public IP either.
Searching on the net I found it seems that starting from 12.4T and 15.x IOSes the PBR approach for the NAT hairpinning no longer works.
I found the information in this thread:
https://community.cisco.com/t5/routing/how-to-do-nat-reflection-nat-hairpin-on-a-cisco-1800-router/td-p/2754725
The problem, for me, is that it seems the PBR approach would be completely replaced with the newer NVI, but... in this way we come back to the starting point: I was wondering why my system allows "ip nat enable" on interfaces but does not support the "ip nat source" command.
My router model is an ISR 1113-8P and the output of the "show version" command is:
Cisco IOS Software [Gibraltar], ISR Software (ARMV8EL_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.10.1b, RELEASE SOFTWARE (fc1)
I'm at your disposal to try any other idea you could suggest.
Thank you once again!
02-29-2020 02:01 PM
Hello,
according to the NAT restrictions linked below:
--> NAT Virtual Interfaces (NVIs) are not supported in the Cisco IOS XE software.
Which means you are probably stuck with the PBR... or, as an alternative, configure a DNS entry...