05-25-2012 04:37 PM - edited 03-04-2019 04:28 PM
05-26-2012 05:38 AM
Unfortunately you won't be able to do NAT inside to inside on cisco router.
Are you trying to access the mail server from the inside network on port 443 with its public IP? If this is what you are trying to achieve, it is not supported. You would need to access the mail server from the inside network with its private IP.
05-28-2012 09:26 AM
Meanwhile, thanks for the quick response. Yes, the problem is as you said: "Are you trying to access the mail server from inside the network on port 443 with its public IP?" But I doubt that it is not possible to somehow reach its public address on port 443 from the internal network, as this option is available by default on much cheaper Cisco routers. Searching on the internet I found many articles on the topics "NAT-on-a-stick" and the use of NAT VRF, but I am not able to implement it.... has someone managed to do it? Also perhaps using 2 network cards on the Exchange server if necessary.
05-28-2012 11:30 AM
Hi there,
You can resolve this issue; it is only a DNS issue.
Since your internal DNS server has no connection to public DNS servers, your internal DNS CNAME must point to the private address instead of pointing to the public address. Public DNS resolves the CNAME to the public address and is functioning; likewise, the private DNS server inside your network must point to the private IP address. By doing so, your internal users cannot distinguish whether the CNAME in question resolves to the public address or the private address.
Thanks
Rizwan Rafeek
05-30-2012 10:45 AM
@rizwanr74:
I know the problem that affects the DNS; in fact, I specified that I am trying to reach (from the internal network 192.168.1.xxx) the public IP address (PPP.PPP.PPP.PPP) and not the public (CNAME) name.
Message edited by Alessandro Spiandore
05-30-2012 10:57 AM
Please be kind and answer in English ....
The answer is the one given by Jennifer: use the private IP address internally, as NAT is not triggered.
Best Regards
Giuseppe
05-30-2012 11:35 AM
Hi there,
Please English.
05-31-2012 01:51 AM
I would not use the internal IP (192.168.1.xxx) on mobile devices, because otherwise I would have to change the server address every time I connect to the mail server via the office wireless network (192.168.1.x).
Sorry for my answer in Italian........
05-31-2012 04:28 PM
Have you tried a port forwarding from the public IP address to the internal IP address?
Something like this:
ip nat inside source static tcp private_ip 443 public_ip 443
Sent from Cisco Technical Support iPhone App
06-14-2012 02:10 PM
This is not a working solution.....
Jun 14 21:00:36.403: %IP-4-DUPADDR: Duplicate address 192.168.1.17 on GigabitEthernet0/0, sourced by 0015.5d01.4605
Obviously.
Thanks for answer.....
06-18-2012 07:46 AM
Hi Aspiandore,
Like I said above, this is a DNS issue. If you want your internal users to use the public IP address instead of the private address for your Mail server, then the "A" record on your internal DNS server must point to the public address (outside address).
Your inside users' PCs get the public name resolved to the private address on the local DNS server (i.e. for your Mail server) because your local DNS resolves the name to the private address with a local "A" record. In this scenario inside users' traffic for your Mail server does not even hit the router to begin with: when it is in one local broadcast domain, your internal switch will switch the packet to the local port on the switch and it won't even reach the router, assuming your users and Mail server are on the same broadcast domain.
I hope this make sense.
thanks
Message was edited by: Rizwan Mohamed
06-18-2012 01:56 PM
After days of study and research I have been able to produce this configuration.
interface GigabitEthernet0/0
ip vrf forwarding black
ip address 192.168.1.250 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
ip vrf forwarding white
ip address 192.168.1.251 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
ip address pp1.pp1.pp1.pp1 255.255.255.240
ip nat outside
ip nat enable
ip virtual-reassembly in
pvc 8/35
encapsulation aal5snap
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat pool INTERNET pp1.pp1.pp1.pp1 pp1.pp1.pp1.pp1 netmask 255.255.255.0
ip nat source list 1 pool INTERNET vrf black overload
ip nat inside source list 1 pool INTERNET vrf white overload
ip nat inside source static tcp 192.168.1.17 443 pp2.pp2.pp2.pp2 443 vrf white extendable
ip route 0.0.0.0 0.0.0.0 ATM0/0/0.1
ip route vrf white 0.0.0.0 0.0.0.0 pp3.pp3.pp3.pp3 global
ip route vrf black 0.0.0.0 0.0.0.0 pp3.pp3.pp3.pp3 global
!
access-list 1 permit 192.168.1.0 0.0.0.255
where:
pp1.pp1.pp1.pp1 is my first public IP
pp2.pp2.pp2.pp2 is my second public IP
pp3.pp3.pp3.pp3 is my second public IP
192.168.1.17 is my Exchange server, which uses 192.168.1.251 (white VRF) as its router IP
all the rest of my networks use 192.168.1.250 (black VRF) as their router IP.
Problem: everything works perfectly (I am able to browse from the inside network (192.168.1.xxx) to the pp2.pp2.pp2.pp2 address),
but this configuration works with routers that have 2 Ethernet interfaces, like my Cisco 1941 router, not with my other Cisco 1801 router, which has only one hardware-addressable Ethernet interface.
Does anyone have an idea to make this solution work for a router that has 1 Ethernet interface?
I tried to use vlan1 and vlan2, but the IP packets switch randomly between the VLANs, with a preference for vlan1 (with IP address 192.168.1.250). Why is this!?!? Does anyone have other solutions? Thanks in advance
06-26-2012 01:26 PM
Hi... does anyone have a solution for the 1801 or other routers with only one Ethernet interface?
09-04-2012 01:53 PM
Hi
What you need here is an NVI configuration.
I'm trying to rewrite the relevant parts of your config; please keep in mind to remove:
- any ip nat inside / ip nat outside line, from both the global and the interface configuration
- any VRF-related configuration
- all your NAT lines, even the source NAT
I will assume 192.168.1.17 is your server and 192.168.1.250 is your default gateway:
If it doesn't work, try a clear ip nat tra * and a reboot, if you can afford that.
interface GigabitEthernet0/0
ip address 192.168.1.250 255.255.255.0
ip nat enable
interface ATM0/0/0.1 point-to-point
ip address pp1.pp1.pp1.pp1 255.255.255.240
ip nat enable
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat source list 101 interface ATM0/0/0.1 overload
ip nat source static tcp 192.168.1.17 443 pp1.pp1.pp1.pp1 443 extendable
Just for reference, this is why it works:
http://inetpro.org/wiki/NAT:_access_outside_global_address_from_the_inside
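The two working answers in this thread (the two-VRF configuration for a router with two LAN ports, and the NVI configuration above for a single-LAN-port router) can be combined into one complete single-interface configuration. The following is an added example written for this page, not a configuration posted in the thread. It keeps the thread's placeholders (pp1 is the router's ATM address, pp2 is the second public address used for the mail server, pp3 is the default next hop used in the earlier configuration, 192.168.1.17 is the Exchange server); the LAN interface name Vlan1, the client address 192.168.1.20 used in the comments, and access-list 10 are assumptions made here.

```cisco
! Added example: NVI (NAT Virtual Interface) hairpin for a router with a single
! LAN interface. No "ip nat inside"/"ip nat outside" anywhere: with NVI, every
! interface carrying "ip nat enable" is eligible for translation in both
! directions, which is what lets LAN clients reach the server's public address.
!
! ---- LAN side (interface name assumed; on a switch-port 1801 it is Vlan1) ----
interface Vlan1
 description LAN, contains the Exchange server 192.168.1.17
 ip address 192.168.1.250 255.255.255.0
 ip nat enable
!
! ---- WAN side (name taken from the thread) ----
interface ATM0/0/0.1 point-to-point
 ip address pp1.pp1.pp1.pp1 255.255.255.240
 ip nat enable
!
ip route 0.0.0.0 0.0.0.0 pp3.pp3.pp3.pp3
!
! Dynamic PAT: the whole LAN leaves behind the router's own WAN address.
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat source list 101 interface ATM0/0/0.1 overload
!
! Static forward for the mail server on the second public address. Only 443/tcp
! is exposed; "extendable" allows further ports on pp2 to be added later.
ip nat source static tcp 192.168.1.17 443 pp2.pp2.pp2.pp2 443 extendable
!
! The router's web management plane listens on every interface, including the
! ATM one, unless restricted. Allow it from the LAN only and drop plain HTTP.
access-list 10 permit 192.168.1.0 0.0.0.255
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
!
! Walk-through of a LAN client (constructed address 192.168.1.20) opening
! https://pp2.pp2.pp2.pp2/ :
!  1. 192.168.1.20:50000 -> pp2:443 arrives on Vlan1; the router is the
!     gateway because pp2 is not on the LAN subnet.
!  2. NVI rewrites the destination through the static entry: -> 192.168.1.17:443.
!  3. The flow now exits Vlan1, an "ip nat enable" interface, and matches list
!     101, so the source is rewritten too: pp1:<port> -> 192.168.1.17:443.
!  4. The server answers pp1, i.e. back through the router, which undoes both
!     rewrites. Without step 3 the server would reply to 192.168.1.20 directly
!     with source 192.168.1.17, and the client, expecting pp2, would drop it.
!
! Verification (exec mode):
!  show ip nat nvi translations     - expect a 192.168.1.17:443 <-> pp2:443 entry
!                                     and, during a hairpin, a pp1 source entry
!  show ip nat nvi statistics        - translation counters per NVI interface
!  clear ip nat nvi translation *    - flush stale entries after changing rules
```

One operational consequence of step 3 worth noting: every internal client that uses the public name shows up in the Exchange/IIS logs as pp1, so those logs no longer identify the individual LAN host; for incident review, pair them with the router's `show ip nat nvi translations` output or keep internal clients on the private name via split DNS as suggested earlier in the thread.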