08-16-2021 07:35 AM
Hi,
Can someone give me a brief example of how to achieve the following?
I have an LTE connection to the outside on which I have forwarded a bunch of ports. I have an application running on one of my internal hosts, 10.0.0.10, on port 443. I can't change the port in the application and I don't want port 443 open on the outside.
The port is forwarded and reachable from the outside on port 4555:
ip nat inside source static tcp 10.0.0.10 443 interface Cellular0/2/0 4555
What I need is to be able to reach the host from the inside on the same port as from the outside.
So the current situation is:
www 221.33.23.12 --> isp 123.123.123.123:4555 --> router magic --> 10.0.0.1:443
inside other client 10.0.0.32 -> 10.0.0.10:4555 --> dead end
Calling port 443 works, but I need to reach the host on the same port as from the outside.
It is an IOS XE (16.09) router.
Thanks in advance,
cheers rick
08-16-2021 08:04 AM
Hello,
Interesting problem. Usually, NAT hairpinning should be configured, but I am not sure if it works with different ports.
Can you post the full running config (sh run)?
08-16-2021 08:29 AM
There is so much in it that I don't want to make public (external ports, DHCP host names ...).
It would take me quite a bit to redact all that.
I also have no direct access to it at the moment, just over an iDRAC virtual console from where I can't copy and paste.
But I don't think there is anything relevant / needed in it anyway.
08-16-2021 09:51 AM
Hello,
I understand, no problem. I'll try and come up with something generic that you can then apply to your router config...
08-16-2021 10:37 AM
I would greatly appreciate that.
Thanks in advance
08-16-2021 02:57 PM
Hello,
Sorry for the delay. The below is what I have come up with. I have made a couple of assumptions (which you can obviously change if necessary):
1. Your internal network is 10.0.0.0/24
2. Your LAN interface is GigabitEthernet1/0
interface Loopback1
description NAT-HAIRPIN
ip address 169.254.1.1 255.255.255.255
ip nat inside
!
route-map PBR-HAIRPIN permit 10
set interface Loopback1
!
ip access-list extended ACL-HAIRPIN
permit ip 10.0.0.0 0.0.0.255 host 10.0.0.10
!
ip access-list extended ACL-NAT
deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
!
interface Cellular0/2/0
ip nat outside
!
interface GigabitEthernet1/0
description LAN
ip address 10.0.0.1 255.255.255.0
ip nat outside
ip policy route-map PBR-HAIRPIN
!
ip nat inside source list ACL-NAT interface GigabitEthernet1/0 overload
ip nat inside source list ACL-HAIRPIN interface Loopback1 overload
ip nat inside source static tcp 10.0.0.10 443 interface Cellular0/2/0 4555
08-16-2021 06:11 PM
Sorry, my mistake that I haven't given enough info, really sorry.
I have no IPs on the physical interfaces but VLANs; the host is on a C2960X which is connected to the router on a trunk with multiple VLANs,
and I need to reach the internet from the VLAN the host is in,
so I can't set that to "ip nat outside".
The router has 4 switch ports, of which I could spare 1 at most if I really need to, and 2 WAN ports which I don't use,
so in the end I could implement the above solution.
Hmm, or not.
Can I still reach 10.0.0.10 from inside hosts? Or do I need to use the external IP?
10.0.0.11 needs to be able to reach 10.0.0.10:9876; there is no way around this. My external IP is dynamic
and the host needs to be reachable on a static IP.
Thank you so far and sorry for not enough info.
Tomorrow I will try to post "sh run" from the router and switch.
One more thing to make things more complicated:
If I understand it right, if all goes well I will be able to reach it from the inside on the outside IP on port 4555.
Is there any way to reach it from an inside IP?
10.0.0.10:4555 - router - 10.0.0.10:443
172.16.0.1:4555 - router - 10.0.0.10:443
cheers rick
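The post above lists several paths by which an inside client might reach the service (the real port directly, the external port on the host's own address, the router's VLAN address, and the public address after hairpinning). The script below is an added example, not code from the thread or from Cisco: run from an inside host after changing the NAT config, it performs a TCP handshake against each candidate path and reports which ones actually answer, so a hairpin change can be verified instead of guessed at. The public address 203.0.113.10 is an assumed placeholder from the documentation range; the other addresses and ports are the ones named in the thread.

```python
"""Check which candidate paths to the internal service complete a TCP handshake.

Added example, not part of the original forum post. Only the handshake is
tested and nothing is sent to the service afterwards, so it is safe to run
against a production listener. Addresses: 10.0.0.10 / 172.16.0.1 / ports
443 and 4555 are from the thread; 203.0.113.10 is an assumed placeholder
for the dynamic public address.
"""
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Path:
    label: str
    host: str
    port: int


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port is accepted within timeout.

    A refused connection (RST) or a timeout (filtered, or a NAT 'dead end'
    where the router silently drops the packet) both count as unreachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_paths(paths: Iterable[Path], timeout: float = 3.0) -> Dict[str, bool]:
    """Map each path label to its reachability result."""
    return {p.label: tcp_reachable(p.host, p.port, timeout) for p in paths}


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on an ephemeral loopback port.

    Useful for a dry run of this tool on a machine without access to the
    lab network: the returned port must report reachable while the socket
    is open and unreachable once it is closed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


# The candidate paths discussed in the thread.
THREAD_PATHS = [
    Path("direct, real port        10.0.0.10:443", "10.0.0.10", 443),
    Path("host addr, external port 10.0.0.10:4555", "10.0.0.10", 4555),
    Path("router VLAN172 addr      172.16.0.1:4555", "172.16.0.1", 4555),
    # Assumed placeholder for the public address; replace with the real one.
    Path("public addr (hairpin)    203.0.113.10:4555", "203.0.113.10", 4555),
]

if __name__ == "__main__":
    for label, ok in check_paths(THREAD_PATHS).items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}")
```

A path that reports FAIL with a long wait rather than an immediate refusal is the signature of the "dead end" in the thread: the router has no translation for that destination and port, so the SYN is forwarded to the host's real socket on a port nobody listens on, or dropped.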
08-16-2021 11:06 PM
Hello,
As you already stated, the switch does not support NAT, so the hairpinning I suggested won't work anyway. Not sure if what you want is possible at all using a layer 3 switch (the 2960X)... I'll need to research this... will get back to you.
08-17-2021 12:36 AM
Here are the configs.
The router has 4 switch ports and 2 WAN ports.
The router is connected to the switch with a trunk.
The host in question is plugged into the switch.
I need to reach it on 10.0.0.10 from everywhere on the LAN (from the router switch ports and from the 2960 switch),
or at least on an internal static IP (my external internet-facing IP is dynamic).
I have other apps running which connect to IP addresses and can't use DNS names.
If really needed I could plug the host in question into a WAN port on the router.
The reason for all the effort is:
I am using Chrome on my workstation at home and on my laptop on the road.
The bookmarks are synchronized.
As mentioned, I can't alter the port of the app and I don't want port 443 facing the internet.
So my bookmark, which works fine on my workstation, domain.com:443, won't work on my laptop (I am using an internal DNS server),
or vice versa: domain.com:4555 will not work on my workstation.
So it's not a question of life or death, but still, getting it to work would be great.
If you see some gross mistake in my current config, don't hesitate to mention it.
Thank you for your help and time.
router cisco C1111-4PLTEEA c1100-universalk9_ias.16.09.06.SPA.bin
!
vtp mode transparent
!
multilink bundle-name authenticated
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
et-analytics
!
controller Cellular 0/2/0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
vlan internal allocation policy ascending
!
vlan 7,172-175,200
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
ntp broadcast
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/1/1
switchport trunk allowed vlan 1,7,172-175
switchport mode trunk
!
interface GigabitEthernet0/1/2
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/1/3
switchport access vlan 7
switchport mode access
!
interface Cellular0/2/0
ip address negotiated
ip nat outside
dialer in-band
dialer watch-group 1
pulse-time 1
!
interface Cellular0/2/1
no ip address
shutdown
!
interface Vlan1
no ip address
ip nat inside
!
interface Vlan7
ip address 192.168.0.1 255.255.255.0 secondary
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
interface Vlan172
ip address 172.16.0.1 255.255.255.0
ip nat inside
!
interface Vlan173
ip address 172.16.1.1 255.255.255.0
ip nat inside
!
interface Vlan174
ip address 172.16.2.1 255.255.255.0
ip nat inside
!
interface Vlan175
ip address 172.16.3.1 255.255.255.0
ip nat inside
!
router rip
network 10.0.0.0
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat inside source static tcp 10.0.0.10 443 interface Cellular0/2/0 4555
****************much more but redacted******************************
ip nat inside source list NAT interface Cellular0/2/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
ip ssh version 2
ip ssh client algorithm encryption aes192-cbc
!
!
ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
permit ip 172.16.0.0 0.0.0.255 any
permit ip 172.16.1.0 0.0.0.255 any
permit ip 172.16.2.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 172.16.3.0 0.0.0.255 any
!
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 192.160.0.0 0.15.255.255
dialer watch-list 1 ip 8.8.8.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
!
snmp-server group GrpMonitoring v3 priv read ViewDefault
snmp-server view ViewDefault iso included
!
!
control-plane
!
!
line con 0
exec-timeout 30 0
password 7 ********
logging synchronous
login
length 50
transport input none
stopbits 1
line vty 0 4
access-class LogIn in
exec-timeout 30 0
login local
length 50
transport input ssh
!
ntp access-group serve-only 1
ntp master
ntp server 0.europe.pool.ntp.org
!
!
!
!
!
---------------------------------------------------------
switch cisco WS-C2960X-24TS-L c2960x-universalk9-mz.152-4.E9.bin
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2960x
!
boot-start-marker
boot-end-marker
!
enable secret 5 ******
!
username ino secret 5 *******
no aaa new-model
clock timezone gmt 2 0
switch 1 provision ws-c2960x-24ts-l
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet1/0/1
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/3
description Trunk
switchport trunk allowed vlan 1,7,172-175
switchport mode trunk
!
interface GigabitEthernet1/0/4
switchport mode access
!
interface GigabitEthernet1/0/5
switchport mode access
!
interface GigabitEthernet1/0/6
switchport mode access
!
interface GigabitEthernet1/0/7
switchport mode access
!
interface GigabitEthernet1/0/8
switchport mode access
!
interface GigabitEthernet1/0/9
switchport mode access
!
interface GigabitEthernet1/0/10
description H36
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/11
switchport mode access
!
interface GigabitEthernet1/0/12
description HSwitch
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet1/0/13
description Ra b1
switchport access vlan 172
switchport mode access
!
interface GigabitEthernet1/0/14
switchport mode access
!
interface GigabitEthernet1/0/15
description Ra b2
switchport access vlan 173
switchport mode access
!
interface GigabitEthernet1/0/16
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 174
switchport mode access
!
interface GigabitEthernet1/0/18
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 175
switchport mode access
!
interface GigabitEthernet1/0/20
switchport mode access
!
interface GigabitEthernet1/0/21
switchport mode access
!
interface GigabitEthernet1/0/22
switchport mode access
ip verify source
!
interface GigabitEthernet1/0/23
switchport mode access
!
interface GigabitEthernet1/0/24
switchport mode access
!
interface GigabitEthernet1/0/25
switchport mode access
!
interface GigabitEthernet1/0/26
switchport mode access
!
interface GigabitEthernet1/0/27
switchport mode access
!
interface GigabitEthernet1/0/28
switchport mode access
!
interface Vlan1
no ip address
!
interface Vlan7
ip address 10.0.0.2 255.255.255.0
!
interface Vlan172
ip address 172.16.0.2 255.255.255.0
!
interface Vlan173
ip address 172.16.1.2 255.255.255.0
!
interface Vlan174
ip address 172.16.2.2 255.255.255.0
!
interface Vlan175
ip address 172.16.3.2 255.255.255.0
!
ip default-gateway 10.0.0.1
!
ip http server
ip http secure-server
!
!
snmp-server group GrpMonitoring v3 priv read ViewDefault
snmp-server view ViewDefault iso included
!
line con 0
exec-timeout 30 0
logging synchronous
login local
line vty 0 4
exec-timeout 30 0
logging synchronous
login local
transport input ssh
line vty 5 15
login
!
ntp server 10.1.1.1
!
end
P.S. I know the VLANs aren't necessary in their current form, just preparing for the future.
cheers rick