09-12-2015 07:59 PM - edited 03-05-2019 02:17 AM
Hi,
I have a Cisco 1811 Integrated Services Router running Cisco IOS version 15.1(4)M10. There is a modem connected to FastEthernet0 and a few devices connected to the switchports (FastEthernet2-9). I used the following command to forward some services running on my local servers to the Internet:
ip nat inside source static tcp 10.0.0.15 22 interface FastEthernet0 22
ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 80
I am able to access the servers with SSH and HTTP from the external Internet. However, since NAT reflection (NAT hairpin) is not enabled, I am unable to access them using the public IP address (provided by the ISP via DHCP) from within the local network. I've been reading about methods such as NAT on a stick and NVI/Loopback, but none of the configuration examples have worked. I'm also aware of the split DNS method, but that will not work in my case because I have multiple servers on my network forwarding to different ports on the public IP address.
Any idea how I can get NAT reflection to work?
Thanks!
09-13-2015 01:22 AM
Hi Ken,
Personally, I believe that the Split DNS would be the best solution because it would put the router out of the way for internal communication. Especially if you expect the amounts of traffic between your internal hosts and servers to be significant, having the traffic go to router and then be forwarded back could potentially become a bottleneck. The 1811 is not exactly a throughput beast.
I understand that you use a single public address to represent different internal servers and services, and so having a single DNS name resolve to a single internal IP address will not solve your issue. The trick, however, would be to properly use different DNS names for different services, so that each service gets translated to a different IP address. So instead of having all servers and services internally represented by, say, server.example.com, you would have your SSH server represented by ssh.example.com and mapped to 10.0.0.15, HTTP server would be www.example.com and mapped to 10.0.0.20, etc. These names would be purely internal, they would not need to have their public counterparts in the public DNS view, and they would resolve to internal IP addresses. You would only need to properly configure your internal hosts to use proper unique names for individual services.
Would that work for you?
If not, I will gladly suggest a NAT based solution - but I would rather avoid it if possible, as the Split DNS solution appears to me to be superior, even if slightly more tedious to set up.
Best regards,
Peter
09-13-2015 06:45 AM
Hi Peter,
Thanks for your response.
That was my concern with using split DNS. I suppose we could setup different domain names for each service, but that would be kind of an annoyance. Externally, everyone would use example.com or www.example.com to access both HTTP and SSH, but internally, we would have to separately use www.example.com and ssh.example.com. This could create problems with some of our applications that resolve example.com for all of the services.
The amount of traffic going to/from the servers within the local network would be relatively insignificant. If the NAT solution works, I think it will be the ideal option.
09-13-2015 01:36 AM
Hello Ken
Could you put a screenshot or a drawing of your network here? I'm a little confused. I guess I can solve it.
09-13-2015 01:59 AM
Hi,
What particular solution do you have in mind?
Best regards,
Peter
09-13-2015 06:59 AM
Hi,
Thanks for your response.
Here's a basic diagram of the situation:
            Internet
               |
             Modem
               |
              Fa0    WAN: 1.2.3.4 (assigned by DHCP)
          Cisco 1811
              LAN: 10.0.0.1
        Fa2      Fa3       Fa4
         |        |         |
    SSH Server  HTTP Server  Computer
    10.0.0.15   10.0.0.20    10.0.0.50
I'd like to be able to access the HTTP server with the public IP address (1.2.3.4:80) from within the local network (such as the computer on 10.0.0.50). Same goes for the SSH server.
Any help is appreciated.
09-14-2015 05:13 AM
Hi Ken,
Okay, here's the NAT-based solution. I will make a few assumptions:
The configuration would then run as follows:
route-map PBR-Vlan1 permit 10
 set interface Loopback1
!
ip access-list extended ACL_HAIRPIN_NAT
 permit ip 10.0.0.0 0.255.255.255 host 10.0.0.15
 permit ip 10.0.0.0 0.255.255.255 host 10.0.0.20
 ! ... add other internal servers in the format:
 ! permit ip 10.0.0.0 0.255.255.255 host <internal server IP>
!
ip access-list extended ACL_INTERNET_NAT
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any
!
interface Loopback1
 ip address 172.31.255.1 255.255.255.255
 ip nat inside
!
interface Vlan1
 ip nat outside
 no ip redirects
 ip policy route-map PBR-Vlan1
!
ip nat inside source static tcp 10.0.0.15 22 interface FastEthernet0 22
! outside port of the HTTP forward corrected to 80 (the post had 22, which collides with the SSH forward above)
ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 80
ip nat inside source list ACL_INTERNET_NAT interface FastEthernet0 overload
ip nat inside source list ACL_HAIRPIN_NAT interface Loopback1 overload
Okay, how does this work? It is easier to split it into a couple of distinct scenarios.
Scenario 1: Packets going from internal clients to internet
Scenario 2: Outside hosts communicating with internal servers exposed through port forwarding
Scenario 3: Internal clients talking to internal servers using their public IP
It is quite convoluted but nonetheless workable.
Will you be so kind to try to implement this and let me know if it works for you?
Best regards,
Peter
09-14-2015 01:27 PM
Hi Peter,
Thank you for that thorough explanation. I understand the process much better now. I applied the commands you suggested, but now I am unable to access the Internet. Here's my full router configuration:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1811W
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 [Removed]
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
dot11 syslog
ip source-route
!
ip dhcp excluded-address 10.0.0.1 10.0.0.100
!
ip dhcp pool DHCP-Pool
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 8.8.8.8 8.8.4.4
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
username admin password 7 [Removed]
!
ip ssh version 2
!
interface Loopback1
 ip address 172.31.255.1 255.255.255.255
 ip nat inside
 ip virtual-reassembly in
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface FastEthernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 no ip address
 spanning-tree portfast
!
interface FastEthernet5
 no ip address
 spanning-tree portfast
!
interface FastEthernet6
 no ip address
 spanning-tree portfast
!
interface FastEthernet7
 no ip address
 spanning-tree portfast
!
interface FastEthernet8
 no ip address
 spanning-tree portfast
!
interface FastEthernet9
 no ip address
 spanning-tree portfast
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map PBR-Vlan1
!
interface Async1
 no ip address
 encapsulation slip
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 10.0.0.15 22 interface FastEthernet0 22
ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 80
ip nat inside source list ACL_HAIRPIN_NAT interface Loopback1 overload
ip nat inside source list ACL_INTERNET_NAT interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended ACL_HAIRPIN_NAT
 permit ip 10.0.0.0 0.0.0.255 host 10.0.0.15
 permit ip 10.0.0.0 0.0.0.255 host 10.0.0.20
ip access-list extended ACL_INTERNET_NAT
 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
route-map PBR-Vlan1 permit 10
 set interface Loopback1
!
control-plane
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
line vty 5 193
 access-class 1 in
 login local
 transport input ssh
!
ntp update-calendar
ntp server 1.pool.ntp.org
ntp server 2.pool.ntp.org
ntp server 3.pool.ntp.org
ntp server 0.pool.ntp.org
end
Note that I changed the wildcard bits in your commands from 0.255.255.255 to 0.0.0.255 since the network is only 10.0.0.0/24 not 10.0.0.0/8.
Any idea what is causing the Internet access problem?
Thanks.
09-14-2015 01:27 PM
Hi Ken,
Please remove the following command from your configuration, as it is superseded by the other NAT-related commands, and let me know if it helps:
ip nat inside source list 1 interface FastEthernet0 overload
Note that I changed the wildcard bits in your commands from 0.255.255.255 to 0.0.0.255 since the network is only 10.0.0.0/24 not 10.0.0.0/8.
That's perfectly okay.
Best regards,
Peter
09-14-2015 02:15 PM
Hi Ken,
Hmmm - I have tested this configuration on 12.4T IOSes and it worked flawlessly. However, for 15.x IOSes, there seem to have been some changes to the PBR process as far as I can tell from the debugs, and on these IOSes, the configuration truly does not work. Oh, there's nothing like backward compatibility, is there? :)
If possible please revert my changes for now to get your internet access back. I will be looking into creating a replacement configuration but it will take a couple of hours at least.
Best regards,
Peter
09-14-2015 02:56 PM
Hi Peter,
I removed the "FastEthernet0 overload" line from the configuration, but that did not resolve the problem. Reverting the changes did restore my Internet connection.
Thanks for all of your assistance so far. I look forward to trying the replacement configuration once you create it.
09-21-2015 04:40 AM
Hi Ken,
I am sorry this response took so long. The last week has been very busy and I had to focus on tasks at hand.
Okay, so, definitely, starting with very recent 12.4T and 15.x IOSes, the PBR approach for the NAT hairpinning no longer works. The configuration shown above would work only for older 12.4T IOSes and their predecessors (I've tested it on 12.4(15)T13 where the PBR-based approach works but any newer IOS after that should be considered as not suitable for the PBR-based style).
It seems, however, that this task should in fact be solvable using the newer NVI style of NAT configuration, and that the configuration will in fact be very simple. In order for me to provide you with the most direct configuration changes, may I ask you to post your current working configuration (in which the NAT hairpinning is not implemented yet)? I will make sure to respond within an hour or two after getting your current configuration.
Thanks!
Best regards,
Peter
09-21-2015 11:56 AM
Hi Peter,
No problem. Here's my current configuration (with no hairpinning):
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1811W
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 [Removed]
!
no aaa new-model
!
clock timezone EST -5 0
clock summer-time EDT recurring
crypto pki token default removal timeout 0
!
dot11 syslog
ip source-route
!
ip dhcp excluded-address 10.0.0.1 10.0.0.100
!
ip dhcp pool DHCP-Pool
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 8.8.8.8 8.8.4.4
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
username admin secret 5 [Removed]
!
ip ssh version 2
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface FastEthernet0
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 no ip address
 spanning-tree portfast
!
interface FastEthernet5
 no ip address
 spanning-tree portfast
!
interface FastEthernet6
 no ip address
 spanning-tree portfast
!
interface FastEthernet7
 no ip address
 spanning-tree portfast
!
interface FastEthernet8
 no ip address
 spanning-tree portfast
!
interface FastEthernet9
 no ip address
 spanning-tree portfast
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 10.0.0.15 22 interface FastEthernet0 22
ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 80
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 1 permit 10.0.0.0 0.0.0.255
no cdp run
!
control-plane
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
line vty 5 193
 access-class 1 in
 login local
 transport input ssh
!
ntp update-calendar
ntp server 0.pool.ntp.org
ntp server 1.pool.ntp.org
ntp server 2.pool.ntp.org
ntp server 3.pool.ntp.org
end
09-21-2015 02:19 PM
Hi Ken,
Thanks for the configuration and your patience.
Please back up your current configuration in the case you will need to revert to it, and then please enter the following commands:
no ip nat inside source list 1 interface FastEthernet0 overload
!!! Router may prompt you to enter 'yes' at this point
no ip nat inside source static tcp 10.0.0.15 22 interface FastEthernet0 22
!!! Router may prompt you to enter 'yes' at this point
no ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 80
!!! Router may prompt you to enter 'yes' at this point
interface FastEthernet0
 no ip nat outside
 no ip redirects
 ip nat enable
!
interface Vlan1
 no ip nat inside
 no ip redirects
 ip nat enable
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.255 any
!
ip nat source static tcp 10.0.0.15 22 interface FastEthernet0 22
ip nat source static tcp 10.0.0.20 80 interface FastEthernet0 80
ip nat source list NAT interface FastEthernet0 overload
!
end
This configuration is built using the new-style of so-called NVI NAT configuration in which interfaces are no longer designated as inside or outside but they are merely enabled for NAT operations. Any packet that either meets the ACL or for which the NAT translation entry exists in the NAT table will be NATted accordingly.
Please be cautious that none of these commands uses the inside keyword, and this is intentional. Also, to verify this kind of NAT operation, you need to use the show ip nat nvi translation or show ip nat nvi statistics instead of their shorter counterparts that lack the nvi keyword.
Please give this a try and let me know if it worked for you. I am very eager to see if this finally solves your issue.
Best regards,
Peter
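The following is an added example, not code from the thread or from Cisco: an offline Python checker for the NAT-related lines of an IOS running-config. It flags the mistakes that appear in the posts above before they reach a router: the PBR attempt's port typo (two static forwards on tcp/22 of FastEthernet0) and 0.255.255.255 wildcards on a /24 LAN, the leftover "list 1" overload rule that coexisted with ACL_INTERNET_NAT on the same interface, and legacy inside/outside marking mixed with NVI "ip nat enable". It also notes that the SSH forward leaves tcp/22 reachable from the Internet, which the thread does not discuss. The function names, severity labels and the two config fragments are my own; the fragments are constructed from the posted configurations and are not full running-configs.

```python
"""Offline sanity checks for the NAT portion of a Cisco IOS running-config (added example)."""
import ipaddress
import re

STATIC_RE = re.compile(r"^ip nat (?P<legacy>inside )?source static (?P<proto>tcp|udp) "
                       r"(?P<in_ip>\S+) (?P<in_port>\d+) interface (?P<intf>\S+) (?P<out_port>\d+)$")
OVERLOAD_RE = re.compile(r"^ip nat (?P<legacy>inside )?source list (?P<acl>\S+) "
                         r"interface (?P<intf>\S+) overload$")
ACE_RE = re.compile(r"^(?:permit|deny) ip (?P<src>\S+) (?P<wc>\S+)\b")    # extended ACE, source part only
STD_RE = re.compile(r"^access-list \d+ permit (?P<src>\S+) (?P<wc>\S+)$")  # numbered standard ACL
NAT_KEYWORDS = {"ip nat inside": "inside", "ip nat outside": "outside", "ip nat enable": "nvi"}


def ace_network(addr, wildcard):
    """IOS address/wildcard pair -> ip_network; ipaddress accepts hostmask notation directly."""
    if wildcard == "0.0.0.0":                   # would parse as netmask /0, but IOS means one host
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def check_nat_config(config, lan):
    """Return 'SEVERITY: message' findings; `lan` is the real inside prefix, e.g. 10.0.0.0/24."""
    lan_net = ipaddress.ip_network(lan)
    findings, modes, statics, overloads, intf = [], {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            intf = line.split(None, 1)[1]
            modes[intf] = set()
            continue
        if line == "!":
            intf = None
        if intf and line in NAT_KEYWORDS:
            modes[intf].add(NAT_KEYWORDS[line])
        elif m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := OVERLOAD_RE.match(line):
            overloads.append(m.groupdict())
        elif (m := ACE_RE.match(line) or STD_RE.match(line)) and m["src"] not in ("host", "any"):
            net = ace_network(m["src"], m["wc"])
            if not net.subnet_of(lan_net):       # 0.255.255.255 on a /24 LAN, as in the PBR attempt
                findings.append(f"WARN: '{line}' matches {net}, broader than the LAN {lan_net}")
    # legacy inside/outside marking and NVI 'ip nat enable' must not be mixed, and rules must match them
    legacy_if = sorted(i for i, s in modes.items() if s & {"inside", "outside"})
    nvi_if = sorted(i for i, s in modes.items() if "nvi" in s)
    if legacy_if and nvi_if:
        findings.append(f"ERROR: mixed NAT styles, legacy on {legacy_if} and NVI on {nvi_if}")
    if any(r["legacy"] for r in statics + overloads) and not legacy_if:
        findings.append("ERROR: 'ip nat inside source' rules but no interface marked inside/outside")
    if any(not r["legacy"] for r in statics + overloads) and not nvi_if:
        findings.append("ERROR: NVI 'ip nat source' rules but no interface has 'ip nat enable'")
    # two dynamic overload rules on one interface (the leftover 'list 1' rule in the thread)
    seen = {}
    for r in overloads:
        if r["intf"] in seen:
            findings.append(f"ERROR: two overload rules on {r['intf']} (lists {seen[r['intf']]} and {r['acl']})")
        seen.setdefault(r["intf"], r["acl"])
    # static forwards: colliding outside ports, silent port changes, and SSH reachable from the WAN
    seen = {}
    for r in statics:
        key, target = (r["proto"], r["intf"], r["out_port"]), f"{r['in_ip']}:{r['in_port']}"
        if key in seen:
            findings.append(f"ERROR: {key[0]}/{key[2]} on {key[1]} forwarded to both {seen[key]} and {target}")
        seen.setdefault(key, target)
        if r["in_port"] != r["out_port"]:
            findings.append(f"WARN: {target} exposed as {r['intf']}:{r['out_port']}, is the port change intended?")
        if r["proto"] == "tcp" and r["out_port"] == "22":
            findings.append(f"INFO: SSH on {r['in_ip']} is reachable from the Internet; restrict or key-only auth")
    return findings


# Constructed fragments (not full running-configs): the PBR attempt with its port typo and /8
# wildcards plus the leftover 'list 1' rule, and the NVI configuration from the last reply.
BAD_CONFIG = """\
interface Vlan1
 ip nat outside
!
ip access-list extended ACL_HAIRPIN_NAT
 permit ip 10.0.0.0 0.255.255.255 host 10.0.0.15
!
ip nat inside source static tcp 10.0.0.15 22 interface FastEthernet0 22
ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 22
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list ACL_INTERNET_NAT interface FastEthernet0 overload
"""
NVI_CONFIG = """\
interface FastEthernet0
 ip nat enable
!
interface Vlan1
 ip nat enable
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.255 any
!
ip nat source static tcp 10.0.0.15 22 interface FastEthernet0 22
ip nat source static tcp 10.0.0.20 80 interface FastEthernet0 80
ip nat source list NAT interface FastEthernet0 overload
"""
```

Run check_nat_config(BAD_CONFIG, "10.0.0.0/24") and the ERROR lines name the colliding tcp/22 forwards and the duplicate overload rules on FastEthernet0; the NVI fragment produces only the INFO about tcp/22 being reachable from the WAN. On a real router, paste the output of "show running-config | section nat|access-list|interface" into the config argument; the checker is deliberately limited to the NAT lines and does not try to reason about routing, PBR or the vty access-class.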
09-22-2015 08:18 AM
Why are you combining a list and static configurations? What is the purpose of the static entries if the NAT ACL covers those same subnets?