Hairpin NAT - IOS-XE (CSR1000v)

bstaton
Level 1

Hi,

My environment is using CSR1000 virtual routers running IOS-XE 13.6, and I am having trouble getting hairpin NAT working and could use some help.

I have a pretty standard NAT setup as illustrated below (ignore the router/switch models, I just used Packet Tracer to illustrate).

nat_network.PNG

The main issue is that the 'Local Client' cannot browse to the web server in his own LAN using the global NAT address, which the DNS in my environment is serving up, but the 'Internet Client' has no issue. Additionally, using the private IP, the 'Local Client' can connect, as expected.

From what I've been reading on the support forums, I need to configure hairpin NAT. However, the recommendations for setting up NVI, or using the loopback method, don't work on IOS-XE, and the only solution I've seen mentioned is using VASI, but I'm not sure how to set that up and could really use some help.

I've also heard of solving this issue using split DNS, having a DMZ, or simply just editing the hosts file for the local clients, but these aren't options I'm able to use, unfortunately. I'm open to alternatives, however, if there is a better way to avoid this problem entirely. :)

Here's the relevant config of my NAT and interface setup:

interface GigabitEthernet1
  ip address 123.0.0.1 255.255.255.252
  ip nat outside
  no shutdown

interface GigabitEthernet2
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  no shutdown

ip nat inside source list 150 interface GigabitEthernet1 overload
access-list 150 permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source static tcp 192.168.1.2 80 interface GigabitEthernet1 80

Thanks in advance for any help.

Brandon

2 Replies

ebenav11
Level 1

Can you try adding ip host entries in the border router?

In a NAT environment you need two zones (in/out) to create the translation tables.

Kind regards

Hi there, I'm running the same IOS-XE on a 4331 and have the exact same issue.

I want to use the public IP in requests made internally. Externally, it works fine using my NAT configurations.