Hi, everyone. My router is an ISR4321. The router does not work normally after configuring NAT hairpin.

fishlonely, Level 1

Hi, everyone.

My router is an ISR4321 running Cisco IOS XE Software, Version 16.09.03.

I set up NAT hairpin, but the LAN users can't access the internet and the NAT hairpin doesn't work properly.

Please help.

Config follows:

Current configuration : 4878 bytes
!
! Last configuration change at 17:08:49 UTC Thu May 14 2020
! NVRAM config last updated at 14:19:15 UTC Wed May 13 2020 by cisco
!
version 15.5
service telnet-zeroidle
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname Metalsa_Router
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable password ise00chenc
!
aaa new-model
!
!
aaa authentication ppp default local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
ip domain name cisco.com
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
!
!
license udi pid ISR4331/K9 sn FDO222303L5
!
spanning-tree extend system-id
!
username cisco privilege 15 password 0 cisco
username cisco1 password 0 cisco1
username test privilege 15 password 0 %1234567a
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode transport
!
!
!
crypto map cisco 10 ipsec-isakmp
! Incomplete
set transform-set cisco
reverse-route
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip nat inside
!
interface GigabitEthernet0/0/0
desc *****wan*****
ip address 130.21.232.54 255.255.255.252
ip nat outside
negotiation auto
crypto map cisco
!
interface GigabitEthernet0/0/1
desc *****Lan****
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip nat outside
ip policy route-map LOCAL
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Virtual-Template1
ip address 20.20.20.254 255.255.255.0
peer default ip address pool cisco
ppp authentication chap ms-chap-v2
ppp ipcp dns 114.114.114.114
!
interface Vlan1
no ip address
shutdown
!
ip local pool cisco 20.20.20.10 20.20.20.100
ip nat translation timeout 1000
ip nat translation tcp-timeout 500
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 10
ip nat translation max-entries 20000
ip nat pool wan-p 130.21.232.54 130.21.232.54 netmask 255.255.255.252
ip nat inside source static tcp 192.168.1.8 3389 interface GigabitEthernet0/0/0 20207
ip nat inside source static tcp 192.168.1.8 8899 interface GigabitEthernet0/0/0 2899
ip nat inside source static tcp 192.168.1.8 8866 interface GigabitEthernet0/0/0 2866
ip nat inside source static tcp 180.166.247.158 8080 interface GigabitEthernet0/0/0 8080
ip nat inside source static tcp 180.166.247.158 8082 interface GigabitEthernet0/0/0 8082
ip nat inside source static tcp 180.166.247.158 8081 interface GigabitEthernet0/0/0 8081
ip nat inside source static tcp 192.168.1.10 20177 interface GigabitEthernet0/0/0 20177
ip nat inside source static tcp 192.168.1.10 80 interface GigabitEthernet0/0/0 8000
ip nat inside source list ACL_INTERNET_NAT interface GigabitEthernet0/0/0 overload
ip nat inside source list LOCAL interface Loopback0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 130.21.232.53
ip route 2.2.2.2 255.255.255.255 Null0
ip route 180.166.247.0 255.255.255.0 10.10.10.2
ip route 183.195.136.0 255.255.255.0 10.10.10.2
ip route 192.168.1.0 255.255.255.0 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
ip route 192.168.20.0 255.255.255.0 10.10.10.2
ip route 192.168.30.0 255.255.255.0 10.10.10.2
ip ssh version 1
!
!
ip access-list extended ACL_INTERNET_NAT
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended LOCAL
permit ip 192.168.0.0 0.0.255.255 host 192.168.1.8
!
access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
!
route-map LOCAL permit 10
set interface Loopback0
!
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password ise00chenc
transport input all
line vty 5 15
password ise00chenc
!
!
end

2 Replies

Hello,

What does your topology look like? Where are the LAN users with IP addresses in the 192.168.0.0/16 address space? You have two NAT outside interfaces, but GigabitEthernet0/0/1 is not specified in any NAT statement.

Try and make the changes marked with "-->":

Current configuration : 4878 bytes
!
! Last configuration change at 17:08:49 UTC Thu May 14 2020
! NVRAM config last updated at 14:19:15 UTC Wed May 13 2020 by cisco
!
version 15.5
service telnet-zeroidle
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname Metalsa_Router
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable password ise00chenc
!
aaa new-model
!
aaa authentication ppp default local
!
aaa session-id common
!
ip domain name cisco.com
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
license udi pid ISR4331/K9 sn FDO222303L5
!
spanning-tree extend system-id
!
username cisco privilege 15 password 0 cisco
username cisco1 password 0 cisco1
username test privilege 15 password 0 %1234567a
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
mode transport
!
crypto map cisco 10 ipsec-isakmp
! Incomplete
set transform-set cisco
reverse-route
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip nat inside
!
interface GigabitEthernet0/0/0
desc *****wan*****
ip address 130.21.232.54 255.255.255.252
ip nat outside
--> ip policy route-map LOCAL
negotiation auto
crypto map cisco
!
interface GigabitEthernet0/0/1
desc *****Lan****
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip nat outside
--> no ip policy route-map LOCAL
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Virtual-Template1
ip address 20.20.20.254 255.255.255.0
peer default ip address pool cisco
ppp authentication chap ms-chap-v2
ppp ipcp dns 114.114.114.114
!
interface Vlan1
no ip address
shutdown
!
ip local pool cisco 20.20.20.10 20.20.20.100
ip nat translation timeout 1000
ip nat translation tcp-timeout 500
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 10
ip nat translation max-entries 20000
ip nat pool wan-p 130.21.232.54 130.21.232.54 netmask 255.255.255.252
ip nat inside source static tcp 192.168.1.8 3389 interface GigabitEthernet0/0/0 20207
ip nat inside source static tcp 192.168.1.8 8899 interface GigabitEthernet0/0/0 2899
ip nat inside source static tcp 192.168.1.8 8866 interface GigabitEthernet0/0/0 2866
ip nat inside source static tcp 180.166.247.158 8080 interface GigabitEthernet0/0/0 8080
ip nat inside source static tcp 180.166.247.158 8082 interface GigabitEthernet0/0/0 8082
ip nat inside source static tcp 180.166.247.158 8081 interface GigabitEthernet0/0/0 8081
ip nat inside source static tcp 192.168.1.10 20177 interface GigabitEthernet0/0/0 20177
ip nat inside source static tcp 192.168.1.10 80 interface GigabitEthernet0/0/0 8000
ip nat inside source list ACL_INTERNET_NAT interface GigabitEthernet0/0/0 overload
ip nat inside source list LOCAL interface Loopback0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 130.21.232.53
ip route 2.2.2.2 255.255.255.255 Null0
ip route 180.166.247.0 255.255.255.0 10.10.10.2
ip route 183.195.136.0 255.255.255.0 10.10.10.2
ip route 192.168.1.0 255.255.255.0 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
ip route 192.168.20.0 255.255.255.0 10.10.10.2
ip route 192.168.30.0 255.255.255.0 10.10.10.2
ip ssh version 1
!
ip access-list extended ACL_INTERNET_NAT
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.30.0 0.0.0.255 any
ip access-list extended LOCAL
permit ip 192.168.0.0 0.0.255.255 host 192.168.1.8
!
access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
!
route-map LOCAL permit 10
set interface Loopback0
!
control-plane
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password ise00chenc
transport input all
line vty 5 15
password ise00chenc
!
end

Hello
Try the following:

no ip route 2.2.2.2 255.255.255.255 Null0

interface Loopback0
no ip address 2.2.2.2 255.255.255.255
ip address 169.254.255.1 255.255.255.255

interface GigabitEthernet0/0/0
ip policy route-map LOCAL


interface GigabitEthernet0/0/1
no ip nat outside
ip nat inside
no ip policy route-map LOCAL


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
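Both replies turn on the same observation: the LAN side (GigabitEthernet0/0/1) is configured "ip nat outside", so the inside-source translation towards the WAN never has an inside interface to match, and the only "ip nat inside" interface is a loopback. As an added example (not part of this thread, not the poster's tooling and not a Cisco utility), the Python script below parses a constructed excerpt of the posted running-config and reports exactly that: for every "ip nat inside source list" rule it resolves each permitted source subnet through the static routes to its ingress interface and flags it when that interface is not "ip nat inside". It also flags "ip ssh version 1" and "transport input all" on the vty lines, since both appear in the posted config. Interface names, ACL name, addresses and routes come from the post; the parser, the function names and the wording of the findings are this example's own.

```python
"""Audit NAT interface roles and remote-access settings in a Cisco IOS running-config.
Added example for this thread (not the poster's or Cisco's tooling); CONFIG below is a
constructed excerpt of the config posted above: same interfaces, NAT rule, routes, ACL."""
import ipaddress
import re

CONFIG = """\
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip nat inside
interface GigabitEthernet0/0/0
 ip address 130.21.232.54 255.255.255.252
 ip nat outside
interface GigabitEthernet0/0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat outside
 ip policy route-map LOCAL
!
ip nat inside source list ACL_INTERNET_NAT interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 130.21.232.53
ip route 192.168.1.0 255.255.255.0 10.10.10.2
ip ssh version 1
ip access-list extended ACL_INTERNET_NAT
 permit ip 192.168.1.0 0.0.0.255 any
line vty 0 4
 transport input all
"""
SECTION_RE = re.compile(r"^(interface|ip access-list extended|route-map|line) (.+)$")

def parse(config):
    """Global commands plus {(kind, name): [lines]}; a section ends at '!' or the next header,
    so a pasted config whose indentation was stripped (as in this thread) still parses."""
    top, sections, current = [], {}, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        m = SECTION_RE.match(line)
        if line == "!":
            current = None
        elif m:
            current = (m.group(1), m.group(2))
            sections[current] = []
        elif current is None:
            top.append(line)
        else:
            sections[current].append(line)
    return top, sections

def interfaces(sections):
    """name -> (NAT role 'inside'/'outside'/None, connected IPv4 network or None)."""
    out = {}
    for (kind, name), body in sections.items():
        if kind == "interface":
            role = net = None
            for line in body:
                if line in ("ip nat inside", "ip nat outside"):
                    role = line.split()[2]
                elif line.startswith("ip address "):
                    net = ipaddress.IPv4Interface("/".join(line.split()[2:4])).network
            out[name] = (role, net)
    return out

def egress_interface(prefix, top, ifaces):
    """Longest-match static route for prefix, resolved to the interface whose connected
    subnet holds the next hop; routes to an interface name (e.g. Null0) are skipped."""
    best = None
    for m in (re.match(r"ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)", l) for l in top):
        if not m:
            continue
        net = ipaddress.IPv4Network("/".join(m.group(1, 2)))
        if prefix.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.IPv4Address(m.group(3)))
    if best is None:
        return None
    return next((n for n, (_, net) in ifaces.items() if net and best[1] in net), None)

def audit(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    top, sections = parse(config)
    ifaces = interfaces(sections)
    role_of = lambda name: ifaces.get(name, (None, None))[0]
    findings = []
    if not any(r == "inside" for n, (r, _) in ifaces.items() if not n.startswith("Loopback")):
        findings.append("no physical interface is 'ip nat inside'; only a loopback carries that role")
    for m in (re.match(r"ip nat inside source list (\S+) interface (\S+)", l) for l in top):
        if not m:
            continue
        acl, wan = m.groups()
        for rule in sections.get(("ip access-list extended", acl), []):
            src = re.match(r"permit ip (\S+) (\S+) ", rule)
            if not src:
                continue
            net = ipaddress.IPv4Network("/".join(src.group(1, 2)))
            via = egress_interface(net, top, ifaces)
            if role_of(via) != "inside":
                findings.append(f"{net} (ACL {acl}) is reached via {via} ({role_of(via)}): inside-source NAT "
                                f"towards {wan} only translates inside->outside, so it never applies")
    if "ip ssh version 1" in top:
        findings.append("ip ssh version 1: SSHv1 is deprecated, configure 'ip ssh version 2'")
    for (kind, name), body in sections.items():
        if kind == "line" and "transport input all" in body:
            findings.append(f"line {name}: 'transport input all' allows telnet; use 'transport input ssh'")
    return findings
```

Running audit(CONFIG) on the excerpt yields four findings: the missing physical "ip nat inside" interface, 192.168.1.0/24 reached via GigabitEthernet0/0/1 (outside), SSHv1, and the open vty transport. Applying Paul's change to GigabitEthernet0/0/1 in the excerpt ("no ip nat outside" / "ip nat inside") clears the first two and leaves only the two remote-access findings, which is a useful regression check to keep alongside any hairpin rework.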