06-22-2020 06:23 AM
Hi,
I have a network with 3 servers/nodes connected behind a Cisco CSR router on the OpenStack platform, and they have been configured with static NAT. There are 3 public/WAN IPs mapped to these nodes using static NAT.
Problem Statement: Unable to ping/reach the public IP of the servers from the internal network. Able to reach them via internal IPs. Able to reach the nodes on the public/WAN IP from the outside world.
Request: How do I solve this issue? Usually I don't see this issue when I am configuring static NAT.
06-22-2020 06:34 AM
Hello
The most simplistic solution would be to use domain-less NAT if the CSRs support it. If it doesn't, please let me know and I'll provide you a domain-NAT solution.
Example:
int x/x
no ip nat inside
ip nat enable
int x/x
no ip nat outside
ip nat enable
no ip nat inside source-list x interface x
no ip nat inside source static ....etc
ip nat source-list interface x/x
ip nat source static ...etc..
06-23-2020 01:54 AM
Hi Paul,
Thank you for the revert.
It seems the CSR doesn't support domain-less NAT; the suggested commands are not available in the router. Please find the output of the ip nat command at the interface and config mode.
CSR(config-if)#ip nat ?
  allow-static-host  Allow static-ip clients
  inside             Inside interface for address translation
  outside            Outside interface for address translation
CSR(config)#ip nat ?
  create       Create flow entries
  inside       Inside address translation
  log          NAT Logging
  name         Rule name
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  settings     NAT general settings
  switchover   NAT datapath switchover
  translation  NAT translation entry configuration
So kindly suggest.
Thanks & Regards,
Raj
06-24-2020 01:41 AM - edited 06-26-2020 03:31 PM
Hello
Please see attached example using domain NAT:
06-26-2020 09:45 AM
06-26-2020 03:42 PM
Hello
@Raj5 wrote:
1) ip access-list NAT
deny ip 172.10.1.0 0.0.0.255 172.10.1.0 0.0.0.255
permit ip 172.10.1.0 0.0.0.255 any
=> In this named access-list we are denying and then permitting the same network?
You are denying the LAN subnet from being NATted on the default global NAT statement; however, return traffic for each static public host address will be policy routed to the loopback interface, then NATted via the Hairpin NAT statement.
06-30-2020 10:52 AM
Hi Paul,
Thank you once again for your reply and support.
I tried the configuration you gave but unfortunately it didn't work as expected.
Even with the new configuration, I am not able to reach the public IPs from the internal network.
Please check the attached document for the configuration applied and observations noted.
Thanks & Regards,
Raj
07-01-2020 03:00 AM
Hello
Sorry to hear this. Can you confirm you have internet access from your clients? Are they being NATted?
sh ip nat translations
sh ip route
sh run
Can you post (in a file) the output from the above commands of this router please?
07-02-2020 09:50 AM
Hi Paul,
Yes, there is internet access for the clients. Due to confidentiality, I couldn't share the exact show run output, apologies. But I have tried to collect the NAT and related configuration; hope it is OK.
Please find attached file with the configuration.
Appreciate your help and support.
Thanks & Regards,
Raj
07-02-2020 12:51 PM
Hello
I notice you have VRF running, which I wasn't aware of, so any NAT statements need to be part of the VRF.
Example:
ip nat inside source list NAT interface s0/0 vrf WAN
ip nat inside source list Hairpin interface s0/0 vrf WAN
ip nat inside source static 172.10.1.2 24.1.1.11 vrf WAN
etc...
Lastly, I assume you have the correct routing in place between any additional VRFs and global route tables?
07-07-2020 03:58 AM
12-28-2024 03:46 AM
Hi @paul driver
I have encountered the same issue; domainless NAT is not supported.
For domain NAT,
I don't know why you used this APIPA IP:
int lo100
ip address 169.254.255.254 255.255.255.255
ip nat inside