Re: how to hairpin an external ip-port

ino · ‎08-16-2021

hi

can some one give me a brief example on how to achieve the following:

i have an lte connection to the outside on which i have forwarded a bunch of ports i have an application running on one of my internal host 10.0.0.10 on port 443 i cant change the port in the application and i dont want port 443 open on the outside

the port is forwarded and reachable from the outside on port 4555

ip nat inside source static tcp 10.0.0.10 443 interface Cellular0/2/0 4555

what i need is to be abele to reach the host from the inside on the same port as from the outside

so the current situation is

www 221.33.23.12 --> isp 123.123.123.123:4555 --> router magic --> 10.0.0.1:443

inside other client 10.0.0.32 -> 10.0.0.10:4555 --> dead end

calling port 443 works but i need to reach the host on the same port as from the outside

it is an IOS XE (16.09) router

thx in advance

cheers rick

Georg Pauwen · ‎08-16-2021

Hello,

interesting problem. Usually, NAT hairpinning should be configured, but I am not sure if it works with differenr ports.

Can you post the full running config (sh run) ?

ino · ‎08-16-2021

there is so much in it what i dont want to make public (external ports, dhcp host names ...)

it would take me quiet a bit to redact all that.

i also have no direct access to it in the moment just over a idrac virtual console from where i cant copy paste

but i dont think there is anything relevant / needed in it anyway

Georg Pauwen · ‎08-16-2021

Hello,

I understand, no problem. I'll try and come up with something generic that you can then apply to your router config...

ino · ‎08-16-2021

i would greatly appreciate that

thx in advance

Georg Pauwen · ‎08-16-2021

Hello,

sorry for the delay. The below is what I have come up with. I have made a couple of assumptions (which you can obviously change if necessary):

1. Your internal network is 10.0.0.0/24

2. Your LAN interface is GigabitEthernet1/0

interface Loopback1
description NAT-HAIRPIN
ip address 169.254.1.1 255.255.255.255
ip nat inside
!
route-map PBR-HAIRPIN permit 10
set interface Loopback1
!
ip access-list extended ACL-HAIRPIN
permit ip 10.0.0.0 0.0.0.255 host 10.0.0.10
!
ip access-list extended ACL-NAT
deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
!
interface Cellular0/2/0
ip nat outside
!
interface GigabitEthernet1/0
description LAN
ip address 10.0.0.1 255.255.255.0
ip nat outside
ip policy route-map PBR-HAIRPIN
!
ip nat inside source list ACL-NAT interface GigabitEthernet1/0 overload
ip nat inside source list ACL-HAIRPIN interface Loopback1 overload
ip nat inside source static tcp 10.0.0.10 443 interface Cellular0/2/0 4555

ino · ‎08-16-2021

sorry my mistake that i haven gave enough info really sorry

i have no ip's on the physical interfaces but vlans the host is on a c2960x which is connected to the router on a trunk whit multiple vlans

and i need to reach the internet from the vlan the host is in

so i cant set that to "ip nat outside"

the router has 4 switch ports from which i could spar 1 at most if i really need to and 2 wan ports which i dont use

so in the end i could implement the above solution

hmm or not.

can i still reach 10.0.0.10 from inside hosts? or do i need to use the external ip

10.0.0.11 needs to be able to reach 10.0.0.10:9876 there is no way around this my external ip is dynamic

and the host needs to be reachable on a static ip

thank you so fare and sorry for not enough info

tomorrow i will try to post "sh run" from the router and switch

one more thing to make things more complicated

if i understand it right if all goes well i will be able to reach it from the inside on the outside ip on port 4555

is there any way to reach it from an inside ip?

10.0.0.10:4555 - router - 10.0.0.10:443

172.16.0.1:4555 - router - 10.0.0.10:443

cheers rick

Georg Pauwen · ‎08-16-2021

Hello,

as you already stated, the switch does not support NAT, so the hairpinning I suggested won't work anyway. Not sure if what you want is possible at all using a layer 3 switch (the 2960X)...I'll need to research this...will get back with you.

ino · ‎08-17-2021

here are the configs

the router has 4 switch ports and 2 wan ports

the router is connected to the switch with a trunk

the host in question is plugged in to the switch

i need to reach it on 10.0.0.10 from every where on the lan (from the router switch ports and from the 2960 switch)

or at least on a internal static ip (my external internet facing is dynamic)

i have other apps running which connect to ip addresses and cant use dns names

if really needed i could plug the host in question in to a wan port on the router

the reason for all the effort is

i am using chrome on my workstation at home and on my laptop on the road

the bookmarks are synchronized

as mentioned i cant alter the port of the app and i dont want port 443 facing the internet

so my bookmark which work fine on my workstation domain.com:443 wont work on my laptop (i am using an internal dns server)

or vice versa domain.com:4555 will not work on my workstation

so its not a question of life or dead but still getting it to work would be great

if you see some gross mistake in my current config dont hesitate to mention it

thank you for your help and time

router cisco C1111-4PLTEEA c1100-universalk9_ias.16.09.06.SPA.bin
!
vtp mode transparent
!
multilink bundle-name authenticated
!
diagnostic bootup level minimal
!
spanning-tree extend system-id

et-analytics
!
controller Cellular 0/2/0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
vlan internal allocation policy ascending
!
vlan 7,172-175,200
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
ntp broadcast
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/1/1
switchport trunk allowed vlan 1,7,172-175
switchport mode trunk
!
interface GigabitEthernet0/1/2
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/1/3
switchport access vlan 7
switchport mode access
!
interface Cellular0/2/0
ip address negotiated
ip nat outside
dialer in-band
dialer watch-group 1
pulse-time 1
!
interface Cellular0/2/1
no ip address
shutdown
!
interface Vlan1
no ip address
ip nat inside
!
interface Vlan7
ip address 192.168.0.1 255.255.255.0 secondary
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
interface Vlan172
ip address 172.16.0.1 255.255.255.0
ip nat inside
!
interface Vlan173
ip address 172.16.1.1 255.255.255.0
ip nat inside
!
interface Vlan174
ip address 172.16.2.1 255.255.255.0
ip nat inside
!
interface Vlan175
ip address 172.16.3.1 255.255.255.0
ip nat inside
!
router rip
network 10.0.0.0
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat inside source static tcp 10.0.0.10 443 interface Cellular0/2/0 4555
****************much more but redacted******************************
ip nat inside source list NAT interface Cellular0/2/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
ip ssh version 2
ip ssh client algorithm encryption aes192-cbc
!
!
ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
permit ip 172.16.0.0 0.0.0.255 any
permit ip 172.16.1.0 0.0.0.255 any
permit ip 172.16.2.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 172.16.3.0 0.0.0.255 any
!
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 192.160.0.0 0.15.255.255
dialer watch-list 1 ip 8.8.8.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
!
snmp-server group GrpMonitoring v3 priv read ViewDefault
snmp-server view ViewDefault iso included
!
!
control-plane
!
!
line con 0
exec-timeout 30 0
password 7 ********
logging synchronous
login
length 50
transport input none
stopbits 1
line vty 0 4
access-class LogIn in
exec-timeout 30 0
login local
length 50
transport input ssh
!
ntp access-group serve-only 1
ntp master
ntp server 0.europe.pool.ntp.org
!
!
!
!
!

---------------------------------------------------------

switch cisco WS-C2960X-24TS-L c2960x-universalk9-mz.152-4.E9.bin

!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2960x
!
boot-start-marker
boot-end-marker
!
enable secret 5 ******
!
username ino secret 5 *******
no aaa new-model
clock timezone gmt 2 0
switch 1 provision ws-c2960x-24ts-l
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet1/0/1
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/3
description Trunk
switchport trunk allowed vlan 1,7,172-175
switchport mode trunk
!
interface GigabitEthernet1/0/4
switchport mode access
!
interface GigabitEthernet1/0/5
switchport mode access
!
interface GigabitEthernet1/0/6
switchport mode access
!
interface GigabitEthernet1/0/7
switchport mode access
!
interface GigabitEthernet1/0/8
switchport mode access
!
interface GigabitEthernet1/0/9
switchport mode access
!
interface GigabitEthernet1/0/10
description H36
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/11
switchport mode access
!
interface GigabitEthernet1/0/12
description HSwitch
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/13
description Ra b1
switchport access vlan 172
switchport mode access
!
interface GigabitEthernet1/0/14
switchport mode access
!
interface GigabitEthernet1/0/15
description Ra b2
switchport access vlan 173
switchport mode access
!
interface GigabitEthernet1/0/16
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 174
switchport mode access
!
interface GigabitEthernet1/0/18
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 175
switchport mode access
!
interface GigabitEthernet1/0/20
switchport mode access
!
interface GigabitEthernet1/0/21
switchport mode access
!
interface GigabitEthernet1/0/22
switchport mode access
ip verify source
!
interface GigabitEthernet1/0/23
switchport mode access
!
interface GigabitEthernet1/0/24
switchport mode access
!
interface GigabitEthernet1/0/25
switchport mode access
!
interface GigabitEthernet1/0/26
switchport mode access
!
interface GigabitEthernet1/0/27
switchport mode access
!
interface GigabitEthernet1/0/28
switchport mode access
!
interface Vlan1
no ip address
!
interface Vlan7
ip address 10.0.0.2 255.255.255.0
!
interface Vlan172
ip address 172.16.0.2 255.255.255.0
!
interface Vlan173
ip address 172.16.1.2 255.255.255.0
!
interface Vlan174
ip address 172.16.2.2 255.255.255.0
!
interface Vlan175
ip address 172.16.3.2 255.255.255.0
!
ip default-gateway 10.0.0.1
!
ip http server
ip http secure-server
!
!
snmp-server group GrpMonitoring v3 priv read ViewDefault
snmp-server view ViewDefault iso included
!
line con 0
exec-timeout 30 0
logging synchronous
login local
line vty 0 4
exec-timeout 30 0
logging synchronous
login local
transport input ssh
line vty 5 15
login
!
ntp server 10.1.1.1
!
end

P.S i know the vlans arent necessary in their current form just preparing for the future

cheers rick