C8300 IOS-XE NAT Hairpinning

jjhupka

Just installed a new C8300 Edge Router, running IOS-XE 17.6.1a.  I understand that IOS-XE doesn't have NVI capabilities for NAT Hairpinning.  I've gone through a number of similar NAT hairpinning posts and am just having trouble connecting the dots in my head.

Our internet connection is on G0/0/0, internal network connects via sub-interface Ten0/0/4.128 (sub-interface 200 is not in use currently but will be implemented in the future).  Currently NAT Overloading is working, our internal hosts can get out to the internet and external hosts can get to our FTP, as well as applications server on specified static NAT connections.  The problem is that from inside our network our application points to our ISP provided address + port number.  I need to get hairpinning working so that when devices locally try to connect to the application server they are successful.

I gather that I am going to need to implement a loopback, and maybe a NAT pool?  Attached is current relevant config.  Help getting the hairpin setup correctly would be amazing.

14 Replies

Please confirm that the interface supports ip nat enable.

The interfaces do accept ip nat enable; however, the command ip nat source list ... is not supported. Only ip nat inside (outside) source list ... is supported.

ip nat source list <<- there is no command like this.
The correct one is:
ip nat inside source list

Right, agreed. 

NVI on IOS had the ip nat source list command, which I was under the impression was used together with ip nat enable instead of ip nat inside source list. However, IOS-XE does not have that command but still has ip nat enable. I have tried configuring my two interfaces with ip nat enable instead of ip nat inside/outside and it just broke everything.

I just realized my config file didn't upload originally.  I will get that posted tomorrow morning.

Hi

Wondering, wouldn't it be much easier and less time consuming to fix this internally? Hairpinning sounds like a "jerry-rig" honestly.

Wouldn't it be possible to just switch your application to an internal network?

In this instance, we use the application for remote demonstrations/work, but we want our developers and support team locally to be able to connect and view what is happening in the remote session. So the remote part works, because external to internal NAT/port forwarding works fine. Plus, have you ever asked a software developer to change something? Haha.

Hahahah... got it.

Hello
I don't see any configuration attached. However, basically, if your router does not support domainless NAT, then you need to apply some policy-based routing to accommodate the outside/inside translation for traffic that the NAT router has no record of initiating.

Example
int lo0
ip address 172.16.1.1 255.255.255.255
ip nat inside

route-map PBR permit 10
set interface loopback 0

int x/x
description Wan Interface
ip address 1.1.1.1 255.255.255.248
ip nat outside

int y/y
description Lan interface
ip address 10.10.10.254 255.255.255.0
ip nat outside
no ip redirects
ip policy route-map PBR

ip nat inside source static tcp 10.10.10.10 443 1.1.1.6 44

ip access-list extended public-nat
deny ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any

ip access-list extended hairpin-nat
permit ip 10.10.10.0 0.0.0.255 host 10.10.10.10

ip nat inside source list public-nat interface x/x
ip nat inside source list hairpin-nat interface x/x
ip route 0.0.0.0 0.0.0.0 x/x 1.1.1.2


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

jjhupka

Here is the relevant config that I forgot:

interface GigabitEthernet0/0/0
ip address dhcp
no ip redirects
ip nat outside
negotiation auto
ip virtual-reassembly
!
!
interface TenGigabitEthernet0/0/4
no ip address
!
interface TenGigabitEthernet0/0/4.128
encapsulation dot1Q 128
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip nat inside
ip virtual-reassembly
!
interface TenGigabitEthernet0/0/4.200
encapsulation dot1Q 200
ip address 192.168.2.2 255.255.255.0
!

ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0/0/0
ip nat inside source static tcp 192.168.1.169 4000 70.118.209.107 4000 extendable
ip nat inside source static tcp 192.168.1.15 21 interface GigabitEthernet0/0/0 21
ip nat inside source static udp 192.168.1.221 5055 interface GigabitEthernet0/0/0 5055
ip nat inside source static udp 192.168.1.221 5056 interface GigabitEthernet0/0/0 5056
ip nat inside source static udp 192.168.1.221 5057 interface GigabitEthernet0/0/0 5057
ip nat inside source static udp 192.168.1.221 5058 interface GigabitEthernet0/0/0 5058
ip nat inside source static udp 192.168.1.221 27000 interface GigabitEthernet0/0/0 27000
ip nat inside source static udp 192.168.1.221 27001 interface GigabitEthernet0/0/0 27001
ip nat inside source static udp 192.168.1.221 27002 interface GigabitEthernet0/0/0 27002
ip nat inside source static tcp 192.168.1.221 9091 interface GigabitEthernet0/0/0 9091
ip nat inside source static tcp 192.168.1.221 9092 interface GigabitEthernet0/0/0 9092
ip nat inside source static tcp 192.168.1.221 9093 interface GigabitEthernet0/0/0 9093
ip nat inside source static tcp 192.168.1.221 4530 interface GigabitEthernet0/0/0 4530
ip nat inside source static tcp 192.168.1.221 4531 interface GigabitEthernet0/0/0 4531
ip nat inside source static tcp 192.168.1.221 4532 interface GigabitEthernet0/0/0 4532
ip nat inside source static tcp 192.168.1.221 4533 interface GigabitEthernet0/0/0 4533
ip nat inside source static tcp 192.168.1.221 19091 interface GigabitEthernet0/0/0 19091
ip nat inside source static tcp 192.168.1.221 19092 interface GigabitEthernet0/0/0 19092
ip nat inside source static tcp 192.168.1.221 19093 interface GigabitEthernet0/0/0 19093
ip nat inside source static tcp 192.168.1.221 4520 interface GigabitEthernet0/0/0 4520
ip nat inside source static tcp 192.168.1.107 4001 interface GigabitEthernet0/0/0 4001
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
!
!
!
ip access-list standard 1
20 permit 192.168.1.0 0.0.0.255

Hello
You need to change your default route for DHCP and add the hairpinning template I previously posted, but amend the hairpin-nat access-list to accommodate those static NAT statements.


Example (based on your configuration)
int lo0
ip address 172.16.1.1 255.255.255.255
ip nat inside

route-map PBR permit 10
set interface loopback 0

interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside

interface TenGigabitEthernet0/0/4.128
encapsulation dot1Q 128
ip address 192.168.1.2 255.255.255.0
ip nat outside
no ip redirects
ip policy route-map PBR

ip access-list extended public-nat
deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any

ip access-list extended hairpin-nat
permit ip 192.168.1.0 0.0.0.255 host 192.168.1.169
permit ip 192.168.1.0 0.0.0.255 host 192.168.1.21
permit ip 192.168.1.0 0.0.0.255 host 192.168.1.107
permit ip 192.168.1.0 0.0.0.255 host 192.168.1.221

no ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0

ip nat inside source list public-nat interface GigabitEthernet0/0/0
ip nat inside source list hairpin-nat interface GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp



Kind Regards
Paul

Enough people are out of the office to finally try to implement this.  I believe I have implemented the changes correctly, but am still having problems.  I have implemented a new Vlan (200) to do my testing on so I'm having little to no impact on our production network.  As such I have applied changes onto sub-interface 200.  I would expect, from this, that a host at 192.168.200.1 should be able to VNC to a host at 192.168.200.17:5902, by targeting the outside global address at port 5902.  All the other NAT settings for the 192.168.1.0 network, I understand won't work from inside targeting outside, because I don't have that sub-interface configured with PBR.  Both the 192.168.1.0 and 200.0 networks get out to the internet with this configuration.

interface Loopback128
ip address 172.16.1.1 255.255.255.255
ip nat inside
!
interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside
negotiation auto
ip virtual-reassembly
!
interface TenGigabitEthernet0/0/4.128
encapsulation dot1Q 128
ip address 192.168.1.2 255.255.255.0
no ip redirects
ip nat inside
ip virtual-reassembly
!
interface TenGigabitEthernet0/0/4.200
encapsulation dot1Q 200
ip address 192.168.200.2 255.255.255.0
no ip redirects
ip nat outside
ip policy route-map PBR
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0/0/0
ip nat settings interface-overload block port tcp 5900
ip nat inside source static tcp 192.168.1.169 4000 70.118.209.107 4000 extendable
ip nat inside source static tcp 192.168.1.107 4001 interface GigabitEthernet0/0/0 4001
ip nat inside source static tcp 192.168.1.221 4520 interface GigabitEthernet0/0/0 4520
ip nat inside source static tcp 192.168.1.221 19093 interface GigabitEthernet0/0/0 19093
ip nat inside source static tcp 192.168.1.221 19092 interface GigabitEthernet0/0/0 19092
ip nat inside source static tcp 192.168.1.221 19091 interface GigabitEthernet0/0/0 19091
ip nat inside source static tcp 192.168.1.221 4533 interface GigabitEthernet0/0/0 4533
ip nat inside source static tcp 192.168.1.221 4532 interface GigabitEthernet0/0/0 4532
ip nat inside source static tcp 192.168.1.221 4531 interface GigabitEthernet0/0/0 4531
ip nat inside source static tcp 192.168.1.221 4530 interface GigabitEthernet0/0/0 4530
ip nat inside source static tcp 192.168.1.221 9093 interface GigabitEthernet0/0/0 9093
ip nat inside source static tcp 192.168.1.221 9092 interface GigabitEthernet0/0/0 9092
ip nat inside source static tcp 192.168.1.221 9091 interface GigabitEthernet0/0/0 9091
ip nat inside source static udp 192.168.1.221 27002 interface GigabitEthernet0/0/0 27002
ip nat inside source static udp 192.168.1.221 27001 interface GigabitEthernet0/0/0 27001
ip nat inside source static udp 192.168.1.221 27000 interface GigabitEthernet0/0/0 27000
ip nat inside source static udp 192.168.1.221 5058 interface GigabitEthernet0/0/0 5058
ip nat inside source static udp 192.168.1.221 5057 interface GigabitEthernet0/0/0 5057
ip nat inside source static udp 192.168.1.221 5056 interface GigabitEthernet0/0/0 5056
ip nat inside source static udp 192.168.1.221 5055 interface GigabitEthernet0/0/0 5055
ip nat inside source static tcp 192.168.1.15 21 interface GigabitEthernet0/0/0 21
ip nat inside source static tcp 192.168.1.16 5900 interface GigabitEthernet0/0/0 5900
ip nat inside source static tcp 192.168.200.17 5902 interface GigabitEthernet0/0/0 5902
ip nat inside source list hairpin-nat interface GigabitEthernet0/0/0 overload
ip nat inside source list public-nat interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
!
ip access-list extended hairpin-nat
10 permit ip 192.168.200.0 0.0.0.255 host 192.168.200.17
ip access-list extended public-nat
10 deny ip 192.168.200.0 0.0.0.255 192.168.200.0 0.0.0.255
20 permit ip 192.168.200.0 0.0.0.255 any
30 permit ip 192.168.1.0 0.0.0.255 any
!
route-map PBR permit 10
set interface Loopback128

The case is simple:
we must stop the router from using the RIB and instead push it to use PBR,
redirecting the traffic to the interface configured with ip nat outside.
That's it.
I don't see you using PBR, and in your case there is no hairpin NAT; there is one inside and one outside NAT interface.

Hello


Please append the following and test again:
no ip nat settings interface-overload block port tcp 5900
ip access-list extended public-nat
5 deny ip host 192.168.200.17 any




Kind Regards
Paul

Unfortunately that did not work. It only achieved blocking the host at 200.17 from accessing the internet. I'm going to go back to the books and read more about PBR, because apparently I didn't understand it as well as I thought. It feels like there has to be more to do with the loopback or route-map. But I'm pretty new to routers.
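To check how the access-lists in this thread classify the flows being discussed, here is an added Python model of Cisco wildcard-mask ACL matching applied to jjhupka's hairpin-nat and public-nat lists; it is not code from the thread or from Cisco, and the outside global address 198.51.100.1 and the static NAT table are constructed stand-ins for the DHCP address on Gi0/0/0.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword

def host(ip: str):
    return (ip, "0.0.0.0")  # the 'host X' keyword

def acl_permits(acl, src: str, dst: str) -> bool:
    """Walk the ACEs in order; the first match wins, with the implicit deny at the end."""
    for action, (sbase, swc), (dbase, dwc) in acl:
        if wildcard_match(src, sbase, swc) and wildcard_match(dst, dbase, dwc):
            return action == "permit"
    return False

# The two extended ACLs as jjhupka posted them for the VLAN 200 test.
HAIRPIN_NAT = [("permit", ("192.168.200.0", "0.0.0.255"), host("192.168.200.17"))]
PUBLIC_NAT = [
    ("deny",   ("192.168.200.0", "0.0.0.255"), ("192.168.200.0", "0.0.0.255")),
    ("permit", ("192.168.200.0", "0.0.0.255"), ANY),
    ("permit", ("192.168.1.0",   "0.0.0.255"), ANY),
]
# Paul's follow-up suggestion: sequence 5 'deny ip host 192.168.200.17 any' in front.
PUBLIC_NAT_WITH_LINE5 = [("deny", host("192.168.200.17"), ANY)] + PUBLIC_NAT

# Constructed stand-in for the DHCP address on Gi0/0/0 and the one static entry under test.
OUTSIDE_GLOBAL = "198.51.100.1"
STATIC_TCP = {(OUTSIDE_GLOBAL, 5902): ("192.168.200.17", 5902)}

def translate_destination(dst_ip: str, dport: int):
    """Reverse direction of 'ip nat inside source static tcp': global -> inside local."""
    return STATIC_TCP.get((dst_ip, dport), (dst_ip, dport))

def classify_hairpin_flow(src: str, dst_global: str, dport: int) -> dict:
    """After the static entry rewrites the destination, which overload ACL matches the flow?"""
    dst_local, _ = translate_destination(dst_global, dport)
    return {
        "translated_dst": dst_local,
        "hairpin_nat": acl_permits(HAIRPIN_NAT, src, dst_local),
        "public_nat": acl_permits(PUBLIC_NAT, src, dst_local),
    }
```

The model only evaluates ACL and static-entry matching, not the NAT inside/outside domain handling or PBR ordering on the router; it does show that the suggested sequence 5 line stops 192.168.200.17's own outbound traffic from matching public-nat, which is the loss of internet access jjhupka observed.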