2185 Views | 15 Helpful | 17 Replies

Inside - Inside NATting

tresdodi
Level 1

Hello everyone.

The image below is a simplified layout of my home network where I have a web server with port forwarding. From the WAN the server is accessible, and from the LAN it is through its LAN IP, as expected. The question is, how to make the server accessible from all 3 networks on the LAN through the public IP? Note that I'm using ZBF with each network on a separate zone and the required policies to allow specific interzone traffic.

This has proven surprisingly convoluted to pull off. I tried domainless NAT, changing all 3 subinterfaces and the WAN interface to ip nat enable with different combinations of no ip redirects, changing static NAT entries to ip nat source and clearing the NAT translation table, but all result in losing access to the internet, despite the router (ISR 1941 on IOS 15.8) showing NVI translations being made.

Running config attached.

[Image: Network.JPG]

17 Replies

Hello Georg.

The self zone is implicit, that's why you don't see zone security self.

I need policies between the self zone and others to allow specific traffic destined to the router (DHCP from ISP for the WAN int, ping the default gateway from inside networks, etc). When I tested the loopback technique I only removed a couple of test interfaces from the ZBF. Most likely I'd have to move all interfaces out of the ZBF and/or delete firewall zones. I've read that this can work with the ZBF but some ACL magic is needed.

For now I'll content myself with split DNS and if later I'm forced to do hairpinning I'll get an ASA or hopefully Cisco will have fixed the bug.

Hello @tresdodi 

I seem to be having editing issues with my CSC mobile app.

Keeping with the hairpin @Georg Pauwen suggested, and with ZBFW enabled, you would need to add the loopback interface to a security zone and create the necessary zone pairing.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
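As an added illustration of the advice above (constructed for this page, not configuration from the thread, from Cisco, or from any poster), this is the shape the loopback hairpin takes on IOS with ZBF in place: Loopback0 is a second NAT outside interface, policy routing steers only LAN traffic bound for the public IP into it, and the loopback sits in its own zone with pairs in both directions. All addresses, interface names and zone names are placeholder assumptions (RFC 5737 / RFC 1918), and the thread itself reports mixed results with this technique, so it should be staged in a lab before touching a production router.

```cisco
! Constructed placeholders: public IP 203.0.113.10 on the WAN,
! web server 192.168.10.80 on VLAN 10, LANs 192.168.10/20/30.0/24
!
! Existing static port forward (the original post already has one)
ip nat inside source static tcp 192.168.10.80 443 203.0.113.10 443
!
! 1. Loopback that acts as an additional NAT "outside" interface
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip nat outside
!
! 2. Match only LAN traffic aimed at the public IP on the forwarded port,
!    so ordinary Internet-bound traffic is never rerouted
ip access-list extended HAIRPIN-TO-PUBLIC
 permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 443
 permit tcp 192.168.20.0 0.0.0.255 host 203.0.113.10 eq 443
 permit tcp 192.168.30.0 0.0.0.255 host 203.0.113.10 eq 443
!
! 3. PBR pushes that traffic through Loopback0, so NAT sees inside->outside
route-map HAIRPIN permit 10
 match ip address HAIRPIN-TO-PUBLIC
 set interface Loopback0
!
interface GigabitEthernet0/1.10
 ip policy route-map HAIRPIN
! (apply the same route-map on the .20 and .30 subinterfaces)
!
! 4. ZBF: the loopback needs its own zone and a pair in each direction,
!    otherwise the hairpinned flow is dropped at the zone boundary
zone security HAIRPIN-ZONE
!
interface Loopback0
 zone-member security HAIRPIN-ZONE
!
class-map type inspect match-any HAIRPIN-WEB
 match protocol https
!
policy-map type inspect HAIRPIN-POLICY
 class type inspect HAIRPIN-WEB
  inspect
 class class-default
  drop log
!
! LAN10 is the assumed name of the existing zone holding Gi0/1.10
zone-pair security LAN10-TO-HAIRPIN source LAN10 destination HAIRPIN-ZONE
 service-policy type inspect HAIRPIN-POLICY
zone-pair security HAIRPIN-TO-LAN10 source HAIRPIN-ZONE destination LAN10
 service-policy type inspect HAIRPIN-POLICY
```

Check the result with `show ip nat translations` and `show policy-map type inspect zone-pair sessions`; note that because the LAN client's source address is also translated on its way through Loopback0, the web server's logs will show the router's public address rather than the client's LAN address, which is worth knowing before relying on those logs for auditing.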


@tresdodi wrote:

Switching to NVI and taking the interfaces out of the Zone-Based Firewall (leaving URPF on) does the trick. I have Internet and NAT hairpinning works. I prefer this solution over the Loopback interface because it's much simpler. But I need ZBF and there's a bug in the interoperability of NVI and ZBF. When a policy is applied to the outside -> self zone pair, ZBF drops traffic returning to the self zone (the public IP). I confirmed that the bug occurs for me as described by many others. There are conflicting reports of this working fine on some IOS releases. The workarounds are stop using ZBF or pass traffic between outside and self zones, which are a no-go.

The loopback technique for some reason didn't work for me even without the ZBF. It must be something that I'm missing but I didn't dig deeper.

Regardless, I decided to use split DNS and put an ASA between the ISP modem and the router later if needed.

Thank you both for your help!

Excellent, good to know, glad you got it sorted. Thanks for the feedback.



Kind Regards
Paul