How to do NAT reflection (NAT hairpin) on a Cisco 1800 router?

ken129gem
Level 1

Hi,

I have a Cisco 1811 Integrated Services Router running Cisco IOS version 15.1(4)M10. There is a modem connected to FastEthernet0 and a few devices connected to the switchports (FastEthernet2-9). I used the following command to forward some services running on my local servers to the Internet:

ip nat inside source static tcp 10.0.0.15 22 interface FastEthernet0 22
ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 80

I am able to access the servers with SSH and HTTP from the external Internet. However, since NAT reflection (NAT hairpin) is not enabled, I am unable to access them using the public IP address (provided by the ISP via DHCP) from within the local network. I've been reading about methods such as NAT on a stick and NVI/Loopback, but none of the configuration examples have worked. I'm also aware of the split DNS method, but that will not work in my case because I have multiple servers on my network forwarding to different ports on the public IP address.

Any idea how I can get NAT reflection to work?

Thanks!

23 Replies

Peter Paluch
Cisco Employee

Hi Ken,

Personally, I believe that the Split DNS would be the best solution because it would put the router out of the way for internal communication. Especially if you expect the amounts of traffic between your internal hosts and servers to be significant, having the traffic go to router and then be forwarded back could potentially become a bottleneck. The 1811 is not exactly a throughput beast.

I understand that you use a single public address to represent different internal servers and services, and so having a single DNS name resolve to a single internal IP address will not solve your issue. The trick, however, would be to properly use different DNS names for different services, so that each service gets translated to a different IP address. So instead of having all servers and services internally represented by, say, server.example.com, you would have your SSH server represented by ssh.example.com and mapped to 10.0.0.15, HTTP server would be www.example.com and mapped to 10.0.0.20, etc. These names would be purely internal, they would not need to have their public counterparts in the public DNS view, and they would resolve to internal IP addresses. You would only need to properly configure your internal hosts to use proper unique names for individual services.

Would that work for you?

If not, I will gladly suggest a NAT based solution - but I would rather avoid it if possible, as the Split DNS solution appears to me to be superior, even if slightly more tedious to set up.

Best regards,
Peter

Hi Peter,

Thanks for your response.

That was my concern with using split DNS. I suppose we could set up different domain names for each service, but that would be kind of an annoyance. Externally, everyone would use example.com or www.example.com to access both HTTP and SSH, but internally, we would have to separately use www.example.com and ssh.example.com. This could create problems with some of our applications that resolve example.com for all of the services.

The amount of traffic going to/from the servers within the local network would be relatively insignificant. If the NAT solution works, I think it will be the ideal option.

ehs.rajabi1
Level 1

Hello Ken 

Could you put a screenshot or a drawing of your network here? I'm a little confused. I guess I can solve it.

Hi,

What particular solution do you have in mind?

Best regards,
Peter
 

Hi,

Thanks for your response.

Here's a basic diagram of the situation:

             Internet
                 |
               Modem
                 |
                Fa0
  WAN: 1.2.3.4 (assigned by DHCP)
            Cisco 1811
           LAN: 10.0.0.1
   Fa2          Fa3         Fa4
    |            |           |
SSH Server  HTTP Server  Computer
10.0.0.15   10.0.0.20    10.0.0.50

I'd like to be able to access the HTTP server with the public IP address (1.2.3.4:80) from within the local network (such as the computer on 10.0.0.50). Same goes for the SSH server.

Any help is appreciated.

Peter Paluch
Cisco Employee

Hi Ken,

Okay, here's the NAT-based solution. I will make a few assumptions:

  • Fa0 is your WAN interface with a public IP address.
  • Vlan1 is your LAN SVI interface with a private IP address somewhere in the 10.0.0.0/8 range.
  • Additional loopback will be required; I will be using Loopback1 configured with 172.31.255.1/32, assuming that this address is not used in your network.
  • Any configuration shown below is assumed to be a complete reimplementation of your existing NAT, so you will have to integrate it with your existing NAT implementation, simply skipping the lines you have already used. Some of the existing NAT implementation will need to be overridden; notably, your Vlan1 interface is currently configured as ip nat inside, but for this NAT hairpinning it will need to be modified to ip nat outside.

The configuration would then run as follows:

route-map PBR-Vlan1 permit 10
 set interface Loopback1
!
ip access-list extended ACL_HAIRPIN_NAT
 permit ip  10.0.0.0 0.255.255.255  host 10.0.0.15
 permit ip  10.0.0.0 0.255.255.255  host 10.0.0.20
 ! ... add other internal servers in the format:
 ! permit ip  10.0.0.0 0.255.255.255  host <internal server IP>
!
ip access-list extended ACL_INTERNET_NAT
 deny   ip 10.0.0.0 0.255.255.255  10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255  any
!
interface Loopback1
 ip address 172.31.255.1 255.255.255.255
 ip nat inside
!
interface Vlan1
 ip nat outside
 no ip redirects
 ip policy route-map PBR-Vlan1
!
ip nat inside source static tcp 10.0.0.15 22 interface FastEthernet0 22
ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 80
ip nat inside source list ACL_INTERNET_NAT interface FastEthernet0 overload
ip nat inside source list ACL_HAIRPIN_NAT interface Loopback1 overload

Okay, how does this work? It is easier to split it into a couple of distinct scenarios.

Scenario 1: Packets going from internal clients to internet

  1. Packets will arrive through the Vlan1 interface. As this interface is ip nat outside, the outside-to-inside translation on the destination address (inside global->inside local mapping) will be applied to these packets before routing. However, because the destination address is an address somewhere out in the internet which we have not touched anywhere in the static NAT configuration, nor has it been seen earlier as a source address passing any sequence of inside-outside interfaces so that a dynamic mapping defined with an ip nat inside source list command would apply, nothing will happen at this point.
  2. Packets are PBRed out the Loopback1 interface.
  3. Packets are looped back and received by the Loopback1 interface which is an ip nat inside interface. From this moment, normal NAT operation can be assumed: Because the packets are outbound, they will be routed out Fa0 interface which is ip nat outside, and because they are explicitly permitted by the ACL_INTERNET_NAT ACL, they will be NATted to the address of the Fa0 interface (inside-to-outside translation of the source address) and sent to the internet. Subsequent packets will not be subject to the ACL as the translation entry in the NAT table for these packets (inside local->inside global) has already been created.
  4. Returning packets will be received by Fa0 which is an ip nat outside interface. Thus, outside-to-inside translation on the destination address will be performed first (inside global->inside local), returning the proper inside address of the internal host back to the packet header. Then the packet will be routed to the internal host.

Scenario 2: Outside hosts communicating with internal servers exposed through port forwarding

  1. A packet arrives from outside to the Fa0 interface. First, outside-to-inside translation on the destination address will be performed (inside global->inside local), inserting the proper destination IP address of the internal server into the packet. Then the packet is routed further, out the interface Vlan1.
  2. After the server responds, its packet enters Vlan1. An outside-to-inside translation on the destination address is attempted (inside global->inside local) but this is again a public destination somewhere out in the internet for which there is no such mapping created, and so nothing will happen at this point.
  3. Packet is PBRed out Loopback1.
  4. Packet is received on Loopback1 which is an inside interface, gets routed, and because the destination is reachable via Fa0 which is an outside interface, inside local->inside global mapping on the source address applies which is configured statically, and so the packet's source will be translated to the server's public IP address and sent to the outside client.

Scenario 3: Internal clients talking to internal servers using their public IP

  1. Packets from clients enter the Vlan1 interface. Being an outside interface, the inside global->inside local mapping on the destination address applies, causing the packets' public destination to be rewritten based on the static NAT entries to the internal addresses of the servers.
  2. Packets are PBRed out Loopback1.
  3. Packets are received on Loopback1. Being an inside interface and based on the packet's new destination, it is going to be routed out Vlan1 interface which is an outside interface. Therefore, based on the ACL_HAIRPIN_NAT ACL, the inside local->inside global mapping on the source address applies, and the packets' sources will be rewritten to the address of the Loopback1 interface thanks to the corresponding ip nat inside source list command. This is important to make sure that the responses from the internal servers are delivered back to the NAT router and not to the internal clients directly!
  4. After the server responds, the reply is received on Vlan1. Because this is an outside interface, inside global->inside local translation on the destination address is attempted. The destination address in this case is the Loopback1 interface address, and the inside global->inside local translation will put the original internal client's IP address into the destination address field.
  5. Packet is PBRed out Loopback1.
  6. Packet is received on Loopback1. This is an inside interface and according to the destination address it shall be forwarded out Vlan1 interface that is an outside interface. Therefore, an inside local->inside global mapping on the source address is attempted which will rewrite the private address of the server into its public IP address.

It is quite convoluted but nonetheless workable.

Would you be so kind as to try to implement this and let me know if it works for you?

Best regards,
Peter
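Peter's three scenarios traced through a small Python model of the legacy inside/outside NAT order of operations (an added example, not from the thread or from Cisco): destination translation when a packet enters an outside interface, source translation on the inside-to-outside path after routing, and the PBR hop from Vlan1 to Loopback1. Addresses come from Ken's diagram; the client port 40000 and the PAT port 1024 are constructed. Calling hairpin_exchange(hairpin=False) shows why the source rewrite to the Loopback1 address matters: the server's reply then never reaches the router and arrives at the client from 10.0.0.20 instead of 1.2.3.4.

```python
from dataclasses import dataclass, replace
import ipaddress

@dataclass(frozen=True)
class Pkt:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

LAN = ipaddress.ip_network("10.0.0.0/24")
IFACE_ROLE = {"Fa0": "outside", "Vlan1": "outside", "Loopback1": "inside"}
# the two 'ip nat inside source static tcp ... interface FastEthernet0' rules: inside local -> inside global
STATIC = {("10.0.0.15", 22): ("1.2.3.4", 22), ("10.0.0.20", 80): ("1.2.3.4", 80)}
in_lan = lambda ip: ipaddress.ip_address(ip) in LAN
route = lambda dst_ip: "Vlan1" if in_lan(dst_ip) else "Fa0"  # 10.0.0.0/24 via Vlan1, default via Fa0
acl_hairpin = lambda p: in_lan(p.src[0]) and p.dst[0] in ("10.0.0.15", "10.0.0.20")  # ACL_HAIRPIN_NAT
acl_internet = lambda p: in_lan(p.src[0]) and not in_lan(p.dst[0])  # ACL_INTERNET_NAT (deny LAN->LAN)

class LegacyNat:
    def __init__(self, hairpin=True):
        self.dyn = {}           # inside global -> inside local, built by the overload rules
        self.hairpin = hairpin  # False models leaving out the ACL_HAIRPIN_NAT overload rule
        self.next_port = 1024   # constructed PAT port allocator

    def ingress(self, p, iface):
        # Arriving on an outside interface: destination (inside global -> inside local) before routing
        if IFACE_ROLE[iface] != "outside":
            return p
        for local, glob in STATIC.items():
            if p.dst == glob:
                return replace(p, dst=local)
        return replace(p, dst=self.dyn[p.dst]) if p.dst in self.dyn else p

    def egress(self, p, ingress_iface):
        # After routing, inside -> outside: source (inside local -> inside global)
        out = route(p.dst[0])
        if IFACE_ROLE[ingress_iface] != "inside" or IFACE_ROLE[out] != "outside":
            return p, out
        if p.src in STATIC:
            return replace(p, src=STATIC[p.src]), out
        pool = "172.31.255.1" if self.hairpin and acl_hairpin(p) else "1.2.3.4" if acl_internet(p) else None
        if pool is None:
            return p, out
        glob = (pool, self.next_port)
        self.next_port += 1
        self.dyn[glob] = p.src
        return replace(p, src=glob), out

def through_router(nat, p, iface):
    # ingress translation, then PBR-Vlan1 'set interface Loopback1' (re-enters as inside), then egress
    p = nat.ingress(p, iface)
    return nat.egress(p, "Loopback1" if iface == "Vlan1" else iface)

def hairpin_exchange(hairpin=True):
    # Scenario 3: client 10.0.0.50 opens 1.2.3.4:80; returns (request as seen by server, reply as seen by client, ok)
    nat = LegacyNat(hairpin)
    req = Pkt(("10.0.0.50", 40000), ("1.2.3.4", 80))
    req_at_server, _ = through_router(nat, req, "Vlan1")
    reply = Pkt(req_at_server.dst, req_at_server.src)  # the server answers whoever it saw
    if in_lan(reply.dst[0]):  # same subnet: switched directly, the router never sees the reply
        reply_at_client = reply
    else:
        reply_at_client, _ = through_router(nat, reply, "Vlan1")
    ok = reply_at_client.src == req.dst and reply_at_client.dst == req.src  # matches the socket the client opened
    return req_at_server, reply_at_client, ok
```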

Hi Peter,

Thank you for that thorough explanation. I understand the process much better now. I applied the commands you suggested, but now I am unable to access the Internet. Here's my full router configuration:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1811W
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 [Removed]
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.100
!
ip dhcp pool DHCP-Pool
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 8.8.8.8 8.8.4.4
!
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin password 7 [Removed]
!
!
ip ssh version 2
!
!
!
!
!
!
!
interface Loopback1
 ip address 172.31.255.1 255.255.255.255
 ip nat inside
 ip virtual-reassembly in
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface FastEthernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 no ip address
 spanning-tree portfast
!
interface FastEthernet5
 no ip address
 spanning-tree portfast
!
interface FastEthernet6
 no ip address
 spanning-tree portfast
!
interface FastEthernet7
 no ip address
 spanning-tree portfast
!
interface FastEthernet8
 no ip address
 spanning-tree portfast
!
interface FastEthernet9
 no ip address
 spanning-tree portfast
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map PBR-Vlan1
!
interface Async1
 no ip address
 encapsulation slip
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 10.0.0.15 22 interface FastEthernet0 22
ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 80
ip nat inside source list ACL_HAIRPIN_NAT interface Loopback1 overload
ip nat inside source list ACL_INTERNET_NAT interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended ACL_HAIRPIN_NAT
 permit ip 10.0.0.0 0.0.0.255 host 10.0.0.15
 permit ip 10.0.0.0 0.0.0.255 host 10.0.0.20
ip access-list extended ACL_INTERNET_NAT
 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
!
!
!
route-map PBR-Vlan1 permit 10
 set interface Loopback1
!
!
!
control-plane
!
!
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
line vty 5 193
 access-class 1 in
 login local
 transport input ssh
!
ntp update-calendar
ntp server 1.pool.ntp.org
ntp server 2.pool.ntp.org
ntp server 3.pool.ntp.org
ntp server 0.pool.ntp.org
end

Note that I changed the wildcard bits in your commands from 0.255.255.255 to 0.0.0.255 since the network is only 10.0.0.0/24 not 10.0.0.0/8.

Any idea what is causing the Internet access problem?

Thanks.

Hi Ken,

Please remove the following command from your configuration, as it is superseded by other NAT-related commands, and let me know if it helps:

ip nat inside source list 1 interface FastEthernet0 overload

Note that I changed the wildcard bits in your commands from 0.255.255.255 to 0.0.0.255 since the network is only 10.0.0.0/24 not 10.0.0.0/8.

That's perfectly okay.

Best regards,
Peter

Hi Ken,

Hmmm - I have tested this configuration on 12.4T IOSes and it worked flawlessly. However, for 15.x IOSes, there seem to have been some changes to the PBR process as far as I can tell from the debugs, and on these IOSes, the configuration truly does not work. Oh, there's nothing like backward compatibility, is there? :)

If possible please revert my changes for now to get your internet access back. I will be looking into creating a replacement configuration but it will take a couple of hours at least.

Best regards,
Peter

Hi Peter,

I removed the "FastEthernet0 overload" line from the configuration, but that did not resolve the problem. Reverting the changes did restore my Internet connection.

Thanks for all of your assistance so far. I look forward to trying the replacement configuration once you create it.

Hi Ken,

I am sorry this response took so long. The last week has been very busy and I had to focus on tasks at hand.

Okay, so, definitely, starting with very recent 12.4T and 15.x IOSes, the PBR approach for the NAT hairpinning no longer works. The configuration shown above would work only for older 12.4T IOSes and their predecessors (I've tested it on 12.4(15)T13 where the PBR-based approach works but any newer IOS after that should be considered as not suitable for the PBR-based style).

It seems, however, that this task should in fact be solvable using the newer NVI style of NAT configuration, and that the configuration will in fact be very simple. In order for me to provide you with the most direct configuration changes, may I ask you to post your current working configuration (in which the NAT hairpinning is not implemented yet)? I will make sure to respond within an hour or two after getting your current configuration.

Thanks!

Best regards,
Peter

Hi Peter,

No problem. Here's my current configuration (with no hairpinning):

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1811W
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 [Removed]
!
no aaa new-model
!
clock timezone EST -5 0
clock summer-time EDT recurring
crypto pki token default removal timeout 0
!         
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.100
!
ip dhcp pool DHCP-Pool
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1 
 dns-server 8.8.8.8 8.8.4.4 
!
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin secret 5 [Removed]
!
!
ip ssh version 2
! 
!
!
!
!
!
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface FastEthernet0
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 no ip address
 spanning-tree portfast
!
interface FastEthernet5
 no ip address
 spanning-tree portfast
!
interface FastEthernet6
 no ip address
 spanning-tree portfast
!
interface FastEthernet7
 no ip address
 spanning-tree portfast
!
interface FastEthernet8
 no ip address
 spanning-tree portfast
!
interface FastEthernet9
 no ip address
 spanning-tree portfast
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 10.0.0.15 22 interface FastEthernet0 22
ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 80
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 1 permit 10.0.0.0 0.0.0.255
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
line vty 5 193
 access-class 1 in
 login local
 transport input ssh
!
ntp update-calendar
ntp server 0.pool.ntp.org
ntp server 1.pool.ntp.org
ntp server 2.pool.ntp.org
ntp server 3.pool.ntp.org
end

Hi Ken,

Thanks for the configuration and your patience.

Please back up your current configuration in the case you will need to revert to it, and then please enter the following commands:

no ip nat inside source list 1 interface FastEthernet0 overload
!!! Router may prompt you to enter 'yes' at this point

no ip nat inside source static tcp 10.0.0.15 22 interface FastEthernet0 22
!!! Router may prompt you to enter 'yes' at this point

no ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 80
!!! Router may prompt you to enter 'yes' at this point

interface FastEthernet0
 no ip nat outside
 no ip redirects
 ip nat enable
!
interface Vlan1
 no ip nat inside
 no ip redirects
 ip nat enable
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.255 any
!
ip nat source static tcp 10.0.0.15 22 interface FastEthernet0 22
ip nat source static tcp 10.0.0.20 80 interface FastEthernet0 80
ip nat source list NAT interface FastEthernet0 overload
!
end


This configuration is built using the new-style of so-called NVI NAT configuration in which interfaces are no longer designated as inside or outside but they are merely enabled for NAT operations. Any packet that either meets the ACL or for which the NAT translation entry exists in the NAT table will be NATted accordingly.

Please be cautious that none of these commands uses the inside keyword, and this is intentional. Also, to verify this kind of NAT operation, you need to use the show ip nat nvi translation or show ip nat nvi statistics instead of their shorter counterparts that lack the nvi keyword.

Please give this a try and let me know if it worked for you. I am very eager to see if this finally solves your issue.

Best regards,
Peter
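A configuration check written for this thread (an added example, not Cisco tooling) that flags the pitfalls seen above: legacy inside/outside designations mixed with NVI 'ip nat enable', a stale overload rule left beside its replacement on the same interface, a rule style with no matching interface type, and a static forward whose inside and global ports differ. The SAMPLE excerpt is constructed from the thread's own lines.

```python
import re

RE_IF = re.compile(r"^interface (\S+)")
RE_STATIC = re.compile(r"^ip nat (inside )?source static (?:tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
RE_DYN = re.compile(r"^ip nat (inside )?source list (\S+) interface (\S+) overload")
NAT_ROLES = ("ip nat inside", "ip nat outside", "ip nat enable")

def parse_nat(text):
    # per-interface NAT role words plus the global static and overload rules
    roles, statics, dyns, cur = {}, [], [], None
    for line in text.splitlines():
        if m := RE_IF.match(line):
            cur = m.group(1)
            roles[cur] = set()
        elif line.startswith(" "):
            if cur and line.strip() in NAT_ROLES:
                roles[cur].add(line.split()[-1])
        else:
            cur = None  # any non-indented line ends the interface block
            if m := RE_STATIC.match(line):
                statics.append(dict(legacy=bool(m[1]), local=m[2], lport=int(m[3]), iface=m[4], gport=int(m[5])))
            elif m := RE_DYN.match(line):
                dyns.append(dict(legacy=bool(m[1]), acl=m[2], iface=m[3]))
    return roles, statics, dyns

def audit_nat(text):
    # returns (code, detail) pairs; an empty list means none of the known pitfalls were found
    roles, statics, dyns = parse_nat(text)
    legacy_ifs = sorted(i for i, r in roles.items() if r & {"inside", "outside"})
    nvi_ifs = sorted(i for i, r in roles.items() if "enable" in r)
    findings = []
    if legacy_ifs and nvi_ifs:
        findings.append(("MIXED_STYLE", f"inside/outside on {legacy_ifs} but 'ip nat enable' on {nvi_ifs}"))
    for rule in statics + dyns:
        if rule["legacy"] and not legacy_ifs:   # 'ip nat inside source' needs inside/outside interfaces
            findings.append(("LEGACY_RULE_NO_LEGACY_IF", f"rule via {rule['iface']} has no inside/outside interface"))
        elif not rule["legacy"] and not nvi_ifs:  # 'ip nat source' (NVI) needs 'ip nat enable' interfaces
            findings.append(("NVI_RULE_NO_NVI_IF", f"rule via {rule['iface']} has no 'ip nat enable' interface"))
    by_iface = {}
    for d in dyns:
        by_iface.setdefault(d["iface"], []).append(d["acl"])
    for iface, acls in by_iface.items():
        if len(acls) > 1:  # the leftover 'list 1' rule beside the new ACL rule, as in the thread
            findings.append(("DUPLICATE_OVERLOAD", f"{iface}: {acls}"))
    for s in statics:
        if s["lport"] != s["gport"]:  # legitimate remap or a copy-paste slip: worth a second look
            findings.append(("PORT_REMAP", f"{s['local']}:{s['lport']} exposed as {s['iface']}:{s['gport']}"))
    return findings

# Constructed excerpt: a half-migrated router with Fa0 still 'outside' while Vlan1 is NVI-enabled,
# the stale 'list 1' overload next to ACL_INTERNET_NAT, and the 80 -> 22 typo from the thread.
SAMPLE = """\
interface FastEthernet0
 ip address dhcp
 ip nat outside
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat enable
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 10.0.0.15 22 interface FastEthernet0 22
ip nat inside source static tcp 10.0.0.20 80 interface FastEthernet0 22
ip nat inside source list ACL_INTERNET_NAT interface FastEthernet0 overload
"""
```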

 

Why are you combining a list and static configurations?  What is the purpose of the static entries if the NAT ACL covers those same subnets?
