Hairpin / U-Turn NAT on 897VA

Abe_00 (Level 1)

Could someone tell me whether it is possible to configure what I understand is called 'NAT Hairpinning' on an 897VA?

The outcome I'm trying to achieve is for an internal host to connect to another internal host but by using the dynamic public IP address assigned to the Dialer interface by the ISP instead of the internal IP assigned to the host by router DHCP.

I.e. A host with an internal IP address of 192.168.3.100 connects to the public IP address assigned to Dialer 1 on port 32783, and eventually gets connected to 192.168.5.80 on port 32783.

Full router config below:

!
! Last configuration change at 21:44:22 UTC Wed Apr 29 2020
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxxx
enable password 7 xxxxx
!
no aaa new-model
ethernet lmi ce
!
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.240 192.168.2.254
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp excluded-address 192.168.3.240 192.168.3.254
ip dhcp excluded-address 192.168.4.1 192.168.4.99
ip dhcp excluded-address 192.168.4.240 192.168.4.254
ip dhcp excluded-address 192.168.5.1 192.168.5.99
ip dhcp excluded-address 192.168.5.200 192.168.5.254
ip dhcp excluded-address 192.168.6.1 192.168.6.39
ip dhcp excluded-address 192.168.6.240 192.168.6.254
ip dhcp excluded-address 192.168.7.1 192.168.7.99
ip dhcp excluded-address 192.168.7.240 192.168.7.254
!
ip dhcp pool Cameras
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.254 
 dns-server 192.168.2.254 
 lease 7
!
ip dhcp pool Users
 import all
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.254 
 dns-server 192.168.3.254 
 lease 7
!
ip dhcp pool Secure
 import all
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.254 
 dns-server 8.8.8.8 8.8.4.4 
 lease 7
!
ip dhcp pool Servers
 import all
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.254 
 dns-server 192.168.5.254 
 lease 7
!
ip dhcp pool GuestWiFi
 import all
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.254 
 dns-server 192.168.6.254 
!
ip dhcp pool Management
 import all
 network 192.168.7.0 255.255.255.0
 default-router 192.168.7.254 
 dns-server 192.168.7.254 
 lease 7
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name FW dns
ip inspect name FW icmp router-traffic
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip ddns update method no-ip
 HTTP
  add xxxxx
 interval maximum 0 0 5 0
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
license udi pid C897VA-M-K9 sn xxxxx
!
!
vtp mode transparent
!
!
controller VDSL 0
!
vlan 2
 name Cameras
!
vlan 3
 name Users
!
vlan 4
 name Secure
!
vlan 5
 name Servers
!
vlan 6
 name GuestWiFi
!
vlan 7 
!
vlan 10
 name LAN-VRF01666
!
vlan 30
 name LAN-VRF01667
!
! 
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly in
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 3
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 4
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 5
 no ip address
!
interface GigabitEthernet6
 switchport access vlan 6
 no ip address
!
interface GigabitEthernet7
 switchport access vlan 7
 no ip address
!
interface GigabitEthernet8
 ip address 192.168.8.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan3
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan4
 ip address 192.168.4.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map GE-WAN
!
interface Vlan5
 ip address 192.168.5.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan6
 ip address 192.168.6.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan7
 ip address 192.168.7.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description Dialer interface for VDSL
 mtu 1492
 ip ddns update hostname xxxxx
 ip ddns update no-ip
 ip address negotiated
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip inspect FW out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap ms-chap callin
 ppp chap hostname bthomehub@btbroadband.com
 ppp chap password 7 xxxxx
 ppp ipcp address accept
 no cdp enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet8 overload
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source static tcp 192.168.5.80 32400 interface Dialer1 32400
ip nat inside source static tcp 192.168.5.80 32783 interface Dialer1 32783
ip nat inside source static tcp 192.168.5.80 32782 interface Dialer1 32782
ip nat inside source static tcp 192.168.5.80 32785 interface Dialer1 32785
ip nat inside source static tcp 192.168.5.80 32784 interface Dialer1 32784
ip nat inside source static tcp 192.168.5.80 32789 interface Dialer1 32789
ip nat inside source static tcp 192.168.5.80 32788 interface Dialer1 32788
ip nat inside source static tcp 192.168.7.2 8067 interface Dialer1 8067
ip nat inside source static tcp 192.168.3.137 81 interface Dialer1 81
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended GuestWiFi
 deny   ip any 192.168.1.0 0.0.0.255
 deny   ip any 192.168.2.0 0.0.0.255
 deny   ip any 192.168.3.0 0.0.0.255
 deny   ip any 192.168.4.0 0.0.0.255
 deny   ip any 192.168.5.0 0.0.0.255
 deny   ip any 192.168.7.0 0.0.0.255
 permit ip any any
!
!
route-map GE-WAN permit 10
 match ip address 100
 set ip next-hop 192.168.8.1
!
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 2 permit 192.168.6.0 0.0.0.255
access-list 2 permit 192.168.7.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 deny   tcp any any eq telnet
access-list 102 permit ip any any
access-list 105 permit icmp 192.168.0.0 0.0.255.255 any echo
access-list 105 permit icmp 192.168.0.0 0.0.255.255 any echo-reply
access-list 105 permit tcp any any eq 32400
access-list 105 permit tcp any any eq 32783
access-list 105 permit tcp any any eq 32782
access-list 105 permit tcp any any eq 32785
access-list 105 permit tcp any any eq 32784
access-list 105 permit tcp any any eq 32789
access-list 105 permit tcp any any eq 32788
access-list 105 permit tcp any any eq 8067
access-list 105 permit tcp any any eq 81
access-list 105 deny   ip any any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
line con 0
 password 7 xxxxx
 login
 no modem enable
line aux 0
line vty 0
 exec-timeout 40 0
 privilege level 15
 password 7 xxxxx
 logging synchronous
 login
 transport input telnet
line vty 1 4
 privilege level 15
 password 7 xxxxx
 logging synchronous
 login
 transport input telnet
!
scheduler allocate 20000 1000
!
end
7 Replies

Hello
Please review this other post related to the same subject - here


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hey @paul driver thanks for the quick response.

I did actually search for related articles, but could only see topics related to configuring ASA devices, so the article you pointed me at was very useful.

However, I've read it several times, and tried to apply some of the config (in an attempt to not duplicate some of the nat statements I have in place already) but I still can't get it to work.

I can see that I need to create a loopback interface, give it an IP address outside my existing VLAN ranges, and an 'ip nat inside' statement.

I can also see that I need to create a route-map, associated access-lists and ip nat statements, and add the ip policy route-map statement to my Dialer 1 interface. 

Is there anything else you could recommend that I should make sure is in place in order for it to work?

Kind Regards,

Abe
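To make the mechanism behind the question (an inside host reaching an inside server through the address negotiated on Dialer1) and the loopback/route-map approach discussed above concrete, here is a small simulation of the router's NAT decisions. This is an added illustration written for this page, not Cisco IOS configuration and not code from the thread. The VLAN zones, the static port forwards and the server address 192.168.5.80 are taken from the posted config; the public address 203.0.113.10, the client 192.168.3.100 with ephemeral port 51000, and the session-table shape are assumptions made for the model.

```python
"""Model of why 192.168.3.100 -> <Dialer1 address>:32783 fails without
hairpin NAT, and of the two rewrites a hairpin has to perform.
Added illustration only; addresses in the 203.0.113.0/24 and 198.51.100.0/24
documentation ranges and the client port 51000 are assumed values."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# NAT zones from the posted config: the VLAN SVIs are 'ip nat inside', Dialer1 is 'ip nat outside'.
ZONES = {**{f"Vlan{n}": "inside" for n in range(1, 8)}, "Dialer1": "outside"}

# "ip nat inside source static tcp <local-ip> <port> interface Dialer1 <port>" entries from the config.
STATIC = {32400: ("192.168.5.80", 32400), 32783: ("192.168.5.80", 32783),
          8067: ("192.168.7.2", 8067), 81: ("192.168.3.137", 81)}


def egress_interface(dst: str) -> str:
    """Connected-route lookup for the SVIs; the default route points at Dialer1."""
    for n in range(1, 8):
        if dst.startswith(f"192.168.{n}."):
            return f"Vlan{n}"
    return "Dialer1"


class Router:
    def __init__(self, public_ip: str, hairpin: bool = False):
        self.public_ip = public_ip   # negotiated on Dialer1; replaced on every re-dial
        self.hairpin = hairpin
        self.next_port = 1024        # overload (PAT) port allocator, assumed
        # (server_ip, server_port, pat_port) -> (client_ip, client_port, public_port)
        self.sessions = {}

    def forward(self, ingress: str, pkt: Packet):
        """Return (egress interface or 'self', packet as it leaves the router)."""
        zone = ZONES[ingress]
        # outside -> inside: the static entry rewrites the destination (normal port forward).
        if zone == "outside" and pkt.dst == self.public_ip and pkt.dport in STATIC:
            local_ip, local_port = STATIC[pkt.dport]
            return egress_interface(local_ip), replace(pkt, dst=local_ip, dport=local_port)
        if zone == "inside" and pkt.dst == self.public_ip:
            # Server reply on a hairpinned session: undo both rewrites so the client
            # sees the answer coming from <public_ip>:32783, the tuple it connected to.
            key = (pkt.src, pkt.sport, pkt.dport)
            if key in self.sessions:
                client_ip, client_port, public_port = self.sessions[key]
                return egress_interface(client_ip), Packet(self.public_ip, public_port, client_ip, client_port)
            if not self.hairpin or pkt.dport not in STATIC:
                # The destination is the router's own address and no inside->outside rule
                # rewrites destinations, so the router consumes the packet itself.
                return "self", pkt
            # Hairpin: rewrite the destination exactly as the static entry would, AND the
            # source, so the server replies via the router instead of straight to the client.
            local_ip, local_port = STATIC[pkt.dport]
            pat_port, self.next_port = self.next_port, self.next_port + 1
            self.sessions[(local_ip, local_port, pat_port)] = (pkt.src, pkt.sport, pkt.dport)
            return egress_interface(local_ip), Packet(self.public_ip, pat_port, local_ip, local_port)
        if zone == "inside" and egress_interface(pkt.dst) == "Dialer1":
            # Ordinary inside -> outside overload ("ip nat inside source list 2 interface Dialer1 overload").
            pat_port, self.next_port = self.next_port, self.next_port + 1
            return "Dialer1", replace(pkt, src=self.public_ip, sport=pat_port)
        return egress_interface(pkt.dst), pkt  # plain inter-VLAN routing, no translation


def hairpin_roundtrip(router: Router, client_ip: str, client_port: int, dport: int):
    """Client SYN to the public address, then the server's reply; returns what each side sees."""
    out_if, to_server = router.forward(egress_interface(client_ip),
                                       Packet(client_ip, client_port, router.public_ip, dport))
    if out_if == "self":
        return "self", None
    reply = Packet(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    _, to_client = router.forward(out_if, reply)
    return to_server, to_client


if __name__ == "__main__":
    print(hairpin_roundtrip(Router("203.0.113.10"), "192.168.3.100", 51000, 32783))
    print(hairpin_roundtrip(Router("203.0.113.10", hairpin=True), "192.168.3.100", 51000, 32783))
```

Two points the simulation makes explicit. First, a hairpin is not just the static destination rewrite applied in the other direction: the client's source must also be rewritten, otherwise 192.168.5.80 would answer 192.168.3.100 directly from 192.168.5.80:32783 and the client's TCP stack, waiting on a reply from the public address, would discard it. Second, because the Dialer1 address is negotiated, the model matches on the router's current address rather than a literal, which is the same reason any access-list used in a hairpin route-map cannot name the public address statically. A caveat for the server side: after the source rewrite the server logs the router's address, not the client's, so per-client auditing or filtering on VLAN 5 no longer sees who actually connected.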

Hello Abe

Sorry you've been unable to follow my last post.

Can you please attach the current running configuration of your rtr in a txt file; I will see if I can assist you.


Kind Regards
Paul

Hi @paul driver ,

Thank you for helping with this. I was getting the gist, but I was running into issues applying the logic in your other post and trying not to override / conflict with the NAT statements I already have in place.

The current running-config is attached, any advice would be hugely appreciated.

Kind Regards,

Abe.

Hello

A couple of questions:

Confirm: what is your primary interface for WAN traffic?
Do you wish to provide WAN resiliency/NAT for the primary interface in case it fails?


Kind Regards
Paul

Hi Paul,

Primary interface for WAN traffic is Dialer 1. In normal operation, hosts in VLAN 4 would go out to the Internet via GE8, everything else would go out via Dialer 1. It would be awesome to be able to configure resiliency, I think you had provided some advice on that before, but I'm afraid I hit 'cognitive lock' and had to just stick to the parts of the config that I could just about understand.

Kind Regards,

Abe

Hello @Abe_00 

I have sent you an updated change list


Kind Regards
Paul