I have just changed from a Netgear FVS336 to a Cisco RVS 325 and have one last item I cannot get set up.
We use a number of HTTP services behind the router and access them using a port for each server, so port 8123 gets forwarded to port 80 on server IP x.x.x.123.
I have set up port 8123 in the Port Address Translation table to be sent to x.x.x.123 port 80, and this works OK from outside the office using the DNS entry for the router's public IP.
However, when accessing this from inside the office it does not work. Our previous Netgear router worked OK.
From some investigation today this sounds like it's a NAT loopback/hairpin issue, if I understand the problem correctly.
How do I get this to work on the RVS325?
Yes this is a hairpinning issue. This is actually one of the most popular discussions.
But anyway, you can try the config below:
! Inside (LAN) interface. The post does not name the interface; <LAN-interface> is a placeholder.
interface <LAN-interface>
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ! Policy-route LAN traffic aimed at the public address towards the loopback (belongs on the LAN interface)
 ip policy route-map LAN_HAIRPIN
! Outside (WAN) interface. <WAN-interface> is a placeholder.
interface <WAN-interface>
 ip address 22.214.171.124 255.255.255.0
 ip nat outside
! Loopback acting as a second NAT "inside" interface so hairpinned traffic gets translated
interface Loopback0
 ip address 10.11.11.1 255.255.255.255
 ip nat inside
 ip virtual-reassembly in
! Match LAN hosts talking to the router's own public address. The post omitted the destination,
! which IOS rejects as an incomplete command; "host 22.214.171.124" limits the hairpin to that traffic.
ip access-list extended LAN_HAIRPIN
 permit ip 10.10.10.0 0.0.0.255 host 22.214.171.124
! Matching traffic gets next-hop 10.11.11.2, which resolves to Loopback0 ("match ip address", not "match address")
route-map LAN_HAIRPIN permit 10
 match ip address LAN_HAIRPIN
 set ip next-hop 10.11.11.2
! The static port mapping (8123 -> x.x.x.123:80) is assumed to be configured already, as the question says.
You could have tried using NVI, which is much simpler, but I don't think the RVS series supports that. But I might be wrong.
Hope this helps.
The route map states that any packets that match access-list LAN_HAIRPIN will have the next hop set to 10.11.11.2 and be routed "out" the loopback interface. All other packets will be routed normally. We use 10.11.11.2 because this next-hop is seen as located on the loopback interface, which results in policy routing to loopback0. Alternatively, we could have used "set interface loopback0", which would have done the same thing.
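Why the reply is lost from inside the office, and what the loopback trick has to achieve, can be seen with a small model of hairpin NAT. This is an added example and not code from the thread, the RVS325 or IOS: it models a port forward generically (destination NAT plus, for hairpinned flows, a source NAT so the server answers via the router), not how IOS implements the route-map above. The public and LAN router addresses come from the posted config; the server address 10.10.10.123 (the question's x.x.x.123), the client 10.10.10.50 and the outside host 198.51.100.7 are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


ROUTER_PUBLIC = "22.214.171.124"      # outside address from the posted config
ROUTER_LAN = "10.10.10.1"             # inside address from the posted config
LAN_PREFIX = "10.10.10."
SERVER = "10.10.10.123"               # constructed: the question's x.x.x.123 placed in the LAN
CLIENT = "10.10.10.50"                # constructed LAN client
OUTSIDE_CLIENT = "198.51.100.7"       # constructed Internet client
PORT_FORWARDS = {8123: (SERVER, 80)}  # public port -> (inside host, inside port), as in the question


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Router:
    """Generic NAT router with an optional hairpin (loopback-style) mode."""

    def __init__(self, hairpin: bool):
        self.hairpin = hairpin
        # (server, sport, src as seen by server, sport as seen by server) -> original request
        self.sessions = {}

    def to_public_port(self, pkt: Packet) -> Packet:
        """Translate a packet addressed to the router's public port; return what the server sees."""
        host, port = PORT_FORWARDS[pkt.dport]
        src, sport = pkt.src, pkt.sport
        if self.hairpin and on_lan(pkt.src):
            # Hairpin: rewrite the source too, so the server's reply comes back to the router
            # instead of being delivered straight to the LAN client.
            src, sport = ROUTER_LAN, 40000 + len(self.sessions)
        self.sessions[(host, port, src, sport)] = pkt
        return Packet(src, sport, host, port)

    def from_server(self, reply: Packet) -> Packet:
        """Undo the translations for a server reply that passes through the router."""
        original = self.sessions[(reply.src, reply.sport, reply.dst, reply.dport)]
        return Packet(original.dst, original.dport, original.src, original.sport)


def simulate(hairpin: bool, client: str) -> dict:
    """Client connects to public:8123; return the reply as the client's socket sees it."""
    router = Router(hairpin)
    request = Packet(client, 51000, ROUTER_PUBLIC, 8123)
    expected_peer = (request.dst, request.dport)  # the client's socket expects replies from here
    seen_by_server = router.to_public_port(request)
    # The server answers whoever it saw as the source.
    reply = Packet(seen_by_server.dst, seen_by_server.dport, seen_by_server.src, seen_by_server.sport)
    if reply.dst == ROUTER_LAN or not on_lan(reply.dst):
        reply = router.from_server(reply)  # replies to the router or to the Internet pass through it
    # A LAN-to-LAN reply is delivered directly at layer 2 and never touches the router.
    accepted = reply.dst == client and (reply.src, reply.sport) == expected_peer
    return {"reply_from": (reply.src, reply.sport), "accepted": accepted}


if __name__ == "__main__":
    for hairpin in (False, True):
        for who in (CLIENT, OUTSIDE_CLIENT):
            print(f"hairpin={hairpin} client={who}: {simulate(hairpin, who)}")
```

Without hairpinning the LAN client gets an answer straight from 10.10.10.123:80 while it is waiting for 22.214.171.124:8123, so the TCP stack discards it (the symptom in the question), while the outside client works either way. The second source translation is what the loopback "inside" interface provides; it is also why, on some platforms, the server's logs show the router's address rather than the real LAN client for hairpinned connections.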
Thank you for the explanation. However, I am confused by this then:
"ip add 10.11.11.1 255.255.255.255" - doesn't this mean that there is only one address in the loopback interface's network segment? Therefore, the next-hop address 10.11.11.2 is meaningless.
The 10.11.11.2 is just an arbitrary value, as you cannot have a next-hop pointing to the router itself.
Like I said previously, you could have used "set interface loopback0". Basically what will happen is that loopback0 will do a 'recursive lookup'.