03-06-2025 11:28 AM
I am trying to figure out how to get our cPanel server to access itself from its public IP instead of its internal IP. cPanel keeps complaining when AutoSSL tries to renew the certs because it's returning its private/internal IP instead of the external IP. We are running a Cisco 1941 series router on IOS 15.5(3). Here is a copy of the config. Not sure how I need to change it to make this work. Our cPanel server is on IP address 172.16.250.10. cPanel says we need to configure hairpin NAT or loopback NAT.
```
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HOST_NAME
!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.155-3.M.bin
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 8
logging console critical
enable secret 5 SECRET_PASS
enable password 7 PASSWORD
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
ethernet lmi ce
clock timezone EDT -5 0
!
no ip source-route
no ip gratuitous-arps
!
no ip bootp server
ip cef
login block-for 300 attempts 3 within 60
no ipv6 cef
multilink bundle-name authenticated
!
license udi pid CISCO1941/K9 sn SERIAL_NUMBER
!
archive
 log config
  logging enable
username instructor password 7 PASSWORD
!
redundancy
!
no cdp run
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no mop enabled
!
interface GigabitEthernet0/0
 description Outside Interface to LRC
 ip address PUBLIC_IP1 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description Inside interface to classroom
 ip address 172.16.0.1 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static udp 172.16.104.120 51820 PUBLIC_IP1 51820 extendable
ip nat inside source static 172.16.250.10 PUBLIC_IP2 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
logging trap debugging
logging facility local2
!
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 100 permit udp any any eq bootpc
!
control-plane
!
banner motd ^Cmessage of the day^C
!
line con 0
 logging synchronous
 login authentication local_auth
 transport output telnet
line aux 0
 access-class ls_def_acl in
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line 2
 access-class ls_def_acl in
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class sl_def_acl in
 exec-timeout 5 0
 login authentication local_auth
 transport input telnet
!
scheduler allocate 20000 1000
no ntp allow mode control 3
ntp server 172.16.104.125
!
end
```
03-06-2025 12:16 PM
Hello @dudefoxlive ,
Take a look at this thread: https://community.cisco.com/t5/routing/nat-hairpinning/td-p/2475807
HTH
03-06-2025 01:18 PM
I am new to this, so I am learning as I go. I am confused by this. Could you provide an explanation of what each line is doing? I don't know which is the internal LAN and which is the external WAN in the example, nor do I understand what the `ip address 192.0.2.1 255.255.255.0 secondary` is.
03-06-2025 03:58 PM
I understand, and in this case I would suggest taking a look at the CCNA certification: https://www.cisco.com/site/us/en/learn/training-certifications/certifications/enterprise/ccna/index.html#tabs-35d568e0ff-item-194f491212-tab
It will teach you the basics of networking, starting with IP addressing, switching, routing, Network Address Translation (NAT) and many more technologies used in today's communication infrastructure world.
HTH
03-06-2025 05:44 PM
Modify NAT Rules to Allow Internal Access via Public IP
Add the following rule to enable hairpin NAT:
```
ip nat inside source static 172.16.250.10 PUBLIC_IP2 extendable
ip nat outside source static PUBLIC_IP2 172.16.250.10 extendable
```
Ensure NAT Reflection is Enabled
This allows internal hosts to resolve the public IP properly.
Adjust ACLs if Necessary
If you have restrictive access lists, make sure they permit traffic from the internal subnet to the public IP.
Flush NAT Translations (If Needed)
After applying the changes, clear existing NAT translations:
```
clear ip nat translation *
```
Now, when your cPanel server tries to reach itself using its public IP, the router will properly redirect the request. For a more in-depth guide, check Cisco's official NAT documentation.
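Added illustration (not from the thread and not Cisco code): a small Python model of the classic IOS NAT order of operations behind the config above, showing why a packet from 172.16.250.10 to its own public address is not translated back unless it is processed on the outside side of NAT, which is what a hairpin or loopback arrangement provides. Documentation addresses 198.51.100.10 and 198.51.100.20 are constructed stand-ins for the redacted PUBLIC_IP1 and PUBLIC_IP2; routing, ARP and reply traffic are not modelled.

```python
from dataclasses import dataclass

# Interface roles from the thread's config: Gi0/1 is "ip nat inside",
# Gi0/0 is "ip nat outside". Constructed documentation addresses stand in
# for the redacted PUBLIC_IP1 (router outside address) and PUBLIC_IP2.
OUTSIDE_IF_IP = "198.51.100.10"   # stands in for PUBLIC_IP1 (constructed)
CPANEL_PUBLIC = "198.51.100.20"   # stands in for PUBLIC_IP2 (constructed)
CPANEL_LOCAL = "172.16.250.10"
INSIDE_NET = "172.16."            # access-list 1 permit 172.16.0.0 0.0.255.255

# ip nat inside source static 172.16.250.10 PUBLIC_IP2
# maps inside local -> inside global; the reverse view serves outside->inside.
INSIDE_STATIC = {CPANEL_LOCAL: CPANEL_PUBLIC}
INSIDE_GLOBAL = {g: l for l, g in INSIDE_STATIC.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str   # "inside" or "outside": the NAT side the packet arrives on


def translate(pkt: Packet) -> Packet:
    """One pass of classic IOS NAT.

    inside -> outside: routed first, then only the SOURCE is rewritten
    (static entry, else PAT to the outside interface address). The
    destination is untouched, because inside-source mappings rewrite
    destinations only for packets arriving on the outside side.
    outside -> inside: the DESTINATION is un-translated before routing.
    """
    if pkt.ingress == "inside":
        src = INSIDE_STATIC.get(pkt.src)
        if src is None and pkt.src.startswith(INSIDE_NET):
            src = OUTSIDE_IF_IP          # overload / PAT to Gi0/0's address
        return Packet(src or pkt.src, pkt.dst, "outside")
    return Packet(pkt.src, INSIDE_GLOBAL.get(pkt.dst, pkt.dst), "inside")


def reaches_cpanel(pkt: Packet) -> bool:
    """True when a single NAT pass delivers the packet to the cPanel host."""
    return translate(pkt).dst == CPANEL_LOCAL


def hairpin(pkt: Packet) -> Packet:
    """What a hairpin/loopback setup arranges: after the inside->outside pass,
    the packet is fed back in on the outside side so the destination is
    rewritten too. Only the translation logic is modelled, not IOS commands."""
    return translate(Packet(translate(pkt).src, pkt.dst, "outside"))
```

With plain inside/outside NAT, `reaches_cpanel(Packet(CPANEL_LOCAL, CPANEL_PUBLIC, "inside"))` is False; the same packet through `hairpin()` arrives at 172.16.250.10 with the public address as its source, so the server's reply returns through the router.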