05-04-2020 04:28 AM
Could someone tell me whether it is possible to configure what I understand is called 'NAT hairpinning' on an 897VA?
The outcome I'm trying to achieve is for an internal host to connect to another internal host, but by using the dynamic public IP address assigned to the Dialer interface by the ISP instead of the internal IP assigned to the host by router DHCP.
I.e., a host with an internal IP address of 192.168.3.100 connects to the public IP address assigned to Dialer 1 on port 32783, and eventually gets connected to 192.168.5.80 on port 32783.
Full router config below:
!
! Last configuration change at 21:44:22 UTC Wed Apr 29 2020
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxx
enable password 7 xxxxx
!
no aaa new-model
ethernet lmi ce
!
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.240 192.168.2.254
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp excluded-address 192.168.3.240 192.168.3.254
ip dhcp excluded-address 192.168.4.1 192.168.4.99
ip dhcp excluded-address 192.168.4.240 192.168.4.254
ip dhcp excluded-address 192.168.5.1 192.168.5.99
ip dhcp excluded-address 192.168.5.200 192.168.5.254
ip dhcp excluded-address 192.168.6.1 192.168.6.39
ip dhcp excluded-address 192.168.6.240 192.168.6.254
ip dhcp excluded-address 192.168.7.1 192.168.7.99
ip dhcp excluded-address 192.168.7.240 192.168.7.254
!
ip dhcp pool Cameras
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.254
 dns-server 192.168.2.254
 lease 7
!
ip dhcp pool Users
 import all
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.254
 dns-server 192.168.3.254
 lease 7
!
ip dhcp pool Secure
 import all
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.254
 dns-server 8.8.8.8 8.8.4.4
 lease 7
!
ip dhcp pool Servers
 import all
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.254
 dns-server 192.168.5.254
 lease 7
!
ip dhcp pool GuestWiFi
 import all
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.254
 dns-server 192.168.6.254
!
ip dhcp pool Management
 import all
 network 192.168.7.0 255.255.255.0
 default-router 192.168.7.254
 dns-server 192.168.7.254
 lease 7
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name FW dns
ip inspect name FW icmp router-traffic
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip ddns update method no-ip
 HTTP
  add xxxxx
 interval maximum 0 0 5 0
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C897VA-M-K9 sn xxxxx
!
vtp mode transparent
!
controller VDSL 0
!
vlan 2
 name Cameras
!
vlan 3
 name Users
!
vlan 4
 name Secure
!
vlan 5
 name Servers
!
vlan 6
 name GuestWiFi
!
vlan 7
!
vlan 10
 name LAN-VRF01666
!
vlan 30
 name LAN-VRF01667
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly in
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 3
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 4
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 5
 no ip address
!
interface GigabitEthernet6
 switchport access vlan 6
 no ip address
!
interface GigabitEthernet7
 switchport access vlan 7
 no ip address
!
interface GigabitEthernet8
 ip address 192.168.8.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan3
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan4
 ip address 192.168.4.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map GE-WAN
!
interface Vlan5
 ip address 192.168.5.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan6
 ip address 192.168.6.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan7
 ip address 192.168.7.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description Dialer interface for VDSL
 mtu 1492
 ip ddns update hostname xxxxx
 ip ddns update no-ip
 ip address negotiated
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip inspect FW out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap ms-chap callin
 ppp chap hostname bthomehub@btbroadband.com
 ppp chap password 7 xxxxx
 ppp ipcp address accept
 no cdp enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet8 overload
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source static tcp 192.168.5.80 32400 interface Dialer1 32400
ip nat inside source static tcp 192.168.5.80 32783 interface Dialer1 32783
ip nat inside source static tcp 192.168.5.80 32782 interface Dialer1 32782
ip nat inside source static tcp 192.168.5.80 32785 interface Dialer1 32785
ip nat inside source static tcp 192.168.5.80 32784 interface Dialer1 32784
ip nat inside source static tcp 192.168.5.80 32789 interface Dialer1 32789
ip nat inside source static tcp 192.168.5.80 32788 interface Dialer1 32788
ip nat inside source static tcp 192.168.7.2 8067 interface Dialer1 8067
ip nat inside source static tcp 192.168.3.137 81 interface Dialer1 81
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended GuestWiFi
 deny   ip any 192.168.1.0 0.0.0.255
 deny   ip any 192.168.2.0 0.0.0.255
 deny   ip any 192.168.3.0 0.0.0.255
 deny   ip any 192.168.4.0 0.0.0.255
 deny   ip any 192.168.5.0 0.0.0.255
 deny   ip any 192.168.7.0 0.0.0.255
 permit ip any any
!
route-map GE-WAN permit 10
 match ip address 100
 set ip next-hop 192.168.8.1
!
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 2 permit 192.168.6.0 0.0.0.255
access-list 2 permit 192.168.7.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 deny   tcp any any eq telnet
access-list 102 permit ip any any
access-list 105 permit icmp 192.168.0.0 0.0.255.255 any echo
access-list 105 permit icmp 192.168.0.0 0.0.255.255 any echo-reply
access-list 105 permit tcp any any eq 32400
access-list 105 permit tcp any any eq 32783
access-list 105 permit tcp any any eq 32782
access-list 105 permit tcp any any eq 32785
access-list 105 permit tcp any any eq 32784
access-list 105 permit tcp any any eq 32789
access-list 105 permit tcp any any eq 32788
access-list 105 permit tcp any any eq 8067
access-list 105 permit tcp any any eq 81
access-list 105 deny   ip any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 password 7 xxxxx
 login
 no modem enable
line aux 0
line vty 0
 exec-timeout 40 0
 privilege level 15
 password 7 xxxxx
 logging synchronous
 login
 transport input telnet
line vty 1 4
 privilege level 15
 password 7 xxxxx
 logging synchronous
 login
 transport input telnet
!
scheduler allocate 20000 1000
!
end
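Before adding hairpin entries on top of a config like this, a practitioner would want to confirm that the static port forwards and the inbound ACL on Dialer1 agree: a forward with no matching permit fails silently, and a permit with no forward behind it is exposure for nothing. The check below is an added example, not code from the post or from Cisco; it parses a constructed excerpt of the config above (two discrepancies introduced on purpose, which the posted config does not have) and reports both kinds of mismatch.

```python
import re
from collections import defaultdict

# Constructed excerpt of the 897VA config posted above. The missing permit for
# port 81 and the stray permit for port 22 are deliberate, so the check has findings.
SAMPLE_CONFIG = """
interface Dialer1
 ip access-group 105 in
ip nat inside source static tcp 192.168.5.80 32400 interface Dialer1 32400
ip nat inside source static tcp 192.168.5.80 32783 interface Dialer1 32783
ip nat inside source static tcp 192.168.7.2 8067 interface Dialer1 8067
ip nat inside source static tcp 192.168.3.137 81 interface Dialer1 81
access-list 105 permit tcp any any eq 32400
access-list 105 permit tcp any any eq 32783
access-list 105 permit tcp any any eq 8067
access-list 105 permit tcp any any eq 22
access-list 105 deny ip any any
"""

STATIC_NAT = re.compile(r"ip nat inside source static (tcp|udp) (\S+) \d+ interface (\S+) (\d+)$")
ACL_PERMIT = re.compile(r"access-list (\d+) permit (tcp|udp) any any eq (\d+)$")  # numeric ports only
ACL_GROUP = re.compile(r"ip access-group (\S+) in$")

def audit_forwards(config):
    """Return (missing, extra): forwards lacking an inbound permit, and permits lacking a forward."""
    forwards = {}               # (outside_if, proto, port) -> inside host
    permits = defaultdict(set)  # ACL number -> {(proto, port)}
    acl_in = {}                 # interface -> ACL applied inbound
    iface = None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            iface = line.split()[1]
        elif (m := ACL_GROUP.match(line)) and iface:
            acl_in[iface] = m.group(1)
        elif m := STATIC_NAT.match(line):
            proto, host, outside_if, port = m.groups()
            forwards[(outside_if, proto, int(port))] = host
        elif m := ACL_PERMIT.match(line):
            permits[m.group(1)].add((m.group(2), int(m.group(3))))
    missing, extra = {}, set()
    for (outside_if, proto, port), host in forwards.items():
        acl = acl_in.get(outside_if)
        if acl and (proto, port) not in permits[acl]:
            missing[(proto, port)] = host      # forward is unreachable from the WAN
    for outside_if, acl in acl_in.items():
        used = {(p, pt) for (i, p, pt) in forwards if i == outside_if}
        extra |= permits[acl] - used           # open port with nothing behind it
    return missing, extra
```

Run it against a full `show running-config` dump to get the same two findings for a real router; ACL entries using named ports (`eq www`, `eq telnet`) are not resolved by this check.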
05-04-2020 04:41 AM
Hello
Please review this other post related to the same subject - here
05-04-2020 01:16 PM
Hey @paul driver, thanks for the quick response.
I did actually search for related articles, but could only see topics related to configuring ASA devices, so the article you pointed me at was very useful.
However, I've read it several times, and tried to apply some of the config (in an attempt to not duplicate some of the nat statements I have in place already) but I still can't get it to work.
I can see that I need to create a loopback interface, give it an IP address outside my existing VLAN ranges, and an 'ip nat inside' statement.
I can also see that I need to create a route-map, associated access-lists and ip nat statements, and add the ip policy route-map statement to my Dialer 1 interface.
Is there anything else you could recommend that I should make sure is in place in order for it to work?
Kind Regards,
Abe
05-04-2020 01:49 PM
Hello Abe
Sorry you've been unable to follow my last post.
Can you please attach the current running configuration of your rtr in a txt file? I will see if I can assist you.
05-04-2020 03:22 PM
Hi @paul driver ,
Thank you for helping with this. I was getting the gist, but I was running into issues applying the logic in your other post while trying not to override / conflict with the nat statements I already have in place.
The current running-config is attached, any advice would be hugely appreciated.
Kind Regards,
Abe.
05-04-2020 03:44 PM
Hello
A couple of questions:
Confirm: what is your primary interface for WAN traffic?
Do you wish to provide WAN resiliency/NAT for the primary interface in case it fails?
05-04-2020 04:14 PM
Hi Paul,
Primary interface for WAN traffic is Dialer 1. In normal operation, hosts in VLAN 4 would go out to the Internet via GE8; everything else would go out via Dialer 1. It would be awesome to be able to configure resiliency. I think you had provided some advice on that before, but I'm afraid I hit 'cognitive lock' and had to just stick to the parts of the config that I could just about understand.
Kind Regards,
Abe
05-05-2020 02:12 AM
Hello @Abe_00
I have sent you an updated change list