1996 Views · 0 Helpful · 9 Replies

IOS-XE Hairpin NAT/NAT Reflection

Ewsclass66 (Level 1)

Hi all,

I am trying to set up NAT hairpinning in order to access port-forwarded hosts by referencing the outside interface's IP address.

The purpose of this is to forgo setting up split DNS at edge sites that have locally hosted web apps that need to be accessed both internally and externally.

Here is my existing NAT config:

interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside
ip access-group WAN-ACL-IN in
negotiation auto
no cdp enable
!

ip access-list standard NAT
10 permit 192.168.4.0 0.0.0.255

interface Vlan40
ip address 192.168.4.254 255.255.255.0
ip nat inside
!
ip nat inside source static tcp 192.168.4.1 443 interface GigabitEthernet0/0/0 443
ip nat inside source static tcp 192.168.4.1 80 interface GigabitEthernet0/0/0 80
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload

 

Any suggestions to get this up and running would be greatly appreciated!

 

Thanks in advance

9 Replies

Hello
Try the following:

no ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
no ip access-list standard NAT


int loopback 0
ip address 169.254.255.254 255.255.255.255
ip nat inside

route-map PBR
set interface loopback 0

int vlan 60
no ip nat inside
ip nat outside
ip policy route-map PBR


ip access-list extended Public-NAT
deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any

ip access-list extended Hairpin-NAT
permit ip 192.168.2.0 0.0.0.255 host 192.168.2.1
permit ip 192.168.4.0 0.0.0.255 host 192.168.2.1

ip route 0.0.0.0 0.0.0.0 gig0/0/0 dhcp
ip nat inside source list Public-NAT interface gig0/0/0
ip nat inside source list Hairpin-NAT interface gig0/0/0


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi, thanks for the reply. I did try this and it didn't work, as I think there is now no NAT overload configured, so no hosts have internet access. I have edited some IP addresses to make it slightly clearer.

 

Thanks

Hello

Thanks for the feedback. Can you post the present running configuration of the rtr in a file, please?



Kind Regards
Paul

Hi There,

Thanks for your help, here is my running config:

 

Current configuration : 8338 bytes
!
! Last configuration change at 13:43:23 UTC Fri Mar 11 2022 by admin
! NVRAM config last updated at 10:33:30 UTC Thu Mar 10 2022 by admin
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
ip name-server 1.1.1.1 1.0.0.1
ip domain name xxxx.xxxx
ip dhcp excluded-address 192.168.1.1 192.168.1.200
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
no device-tracking logging theft
!
!
!

spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside
ip access-group WAN-ACL-IN in
negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
switchport trunk native vlan 10
switchport trunk allowed vlan 10,40,50
switchport mode trunk
!
interface GigabitEthernet0/1/1
switchport access vlan 30
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
switchport trunk allowed vlan 10,20,30,40,50
switchport mode trunk
!
interface GigabitEthernet0/1/7
switchport trunk allowed vlan 10,20,30,40,50
switchport mode trunk
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.1.254 255.255.255.0
ip nat inside
!
interface Vlan20
ip address 192.168.2.254 255.255.255.0
ip nat inside
!
interface Vlan30
ip address 192.168.3.254 255.255.255.0
!
interface Vlan40
ip address 192.168.4.254 255.255.255.0
ip nat inside
!
interface Vlan50
ip address 192.168.5.254 255.255.255.0
ip nat inside
!
no ip http server
ip http authentication local
no ip http secure-server
ip forward-protocol nd
ip dns server
ip nat inside source static tcp 192.168.2.1 443 interface GigabitEthernet0/0/0 443
ip nat inside source static tcp 192.168.2.1 80 interface GigabitEthernet0/0/0 80
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip ssh version 2
!
!
ip access-list standard NAT
10 permit 192.168.1.0 0.0.0.255
20 permit 192.168.4.0 0.0.0.255
30 permit 192.168.2.0 0.0.0.255
ip access-list standard SSH
10 permit 192.168.1.0 0.0.0.255
20 permit 192.168.4.0 0.0.0.255
ip access-list standard Subnets
10 permit 192.168.1.0 0.0.0.255
20 permit 192.168.2.0 0.0.0.255
30 permit 192.168.3.0 0.0.0.255
40 permit 192.168.4.0 0.0.0.255
50 permit 192.168.5.0 0.0.0.255
!
ip access-list extended WAN-ACL-IN
10 remark Allow Cloudflare DNS
10 permit udp host 1.1.1.1 any eq domain
20 permit tcp host 1.1.1.1 any eq domain
30 permit udp host 1.0.0.1 any eq domain
40 permit tcp host 1.0.0.1 any eq domain
50 deny udp any any eq domain log
60 deny tcp any any eq domain log
70 permit ip any any
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
login local
transport input none
stopbits 1
line vty 0 4
access-class SSH in
login local
transport input ssh
line vty 5 15
access-class SSH in
login local
transport input ssh
!
ntp access-group peer Subnets
ntp access-group serve-only Subnets
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
!
!
!
!
!
!
end

Hello

So it looks like you've applied none of the hairpin config I supplied.

Your inside VLANs need to be on the outside domain, and a loopback also needs creating with policy-based routing.

 

Also, I'm curious what rtr make/model this is.


show version:

 



Kind Regards
Paul
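The mechanics behind the two layouts discussed in this thread, as an added illustration that is not part of any post and is not an IOS emulation: a small Python model of the IOS NAT order of operations (destination translation when a packet enters an outside interface, source translation when it leaves one, and PBR "set interface Loopback0" modelled as the packet re-entering through the inside domain). The public address 203.0.113.5, the LAN client 192.168.4.10 and the Internet host 198.51.100.7 are constructed placeholders; the server 192.168.2.1 and the two port forwards come from the thread, and PBR is assumed on both LAN SVIs even though the reply above shows it on one.

```python
"""Toy model of the IOS NAT order of operations for hairpin (NAT reflection).
Added illustration for this thread: not IOS, not anyone's posted config.
Simplifications: global->local (destination) translation happens on outside
ingress, local->global (source) translation on outside egress, and the PBR
'set interface Loopback0' step is modelled as re-entry from the inside domain."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"   # constructed stand-in for the DHCP address on Gi0/0/0
SERVER = "192.168.2.1"      # the port-forwarded web server from the thread
CLIENT = "192.168.4.10"     # constructed LAN client on Vlan40
EXTERNAL = "198.51.100.7"   # constructed Internet client


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def subnet(ip):
    return ip.rsplit(".", 1)[0] + ".0"


class Router:
    def __init__(self, domains, pbr_ifaces, nat_acl):
        self.domains = domains      # interface -> "inside" | "outside"
        self.pbr = pbr_ifaces       # interfaces carrying 'ip policy route-map PBR'
        self.nat_acl = nat_acl      # {(src subnet, dst host or "any")} permitted for source PAT
        # the two static port forwards from the thread (local -> global)
        self.static = {(SERVER, 443): (PUBLIC_IP, 443), (SERVER, 80): (PUBLIC_IP, 80)}
        self.dynamic = {}           # (global ip, port) -> (local ip, port)
        self.next_port = 1024

    def iface_for(self, ip):
        return {"192.168.4.0": "Vlan40", "192.168.2.0": "Vlan20"}.get(subnet(ip), "Gi0/0/0")

    def route(self, ip):
        # the public address is the router's own: local delivery, nothing is forwarded
        return "local" if ip == PUBLIC_IP else self.iface_for(ip)

    def global_to_local(self, pkt):
        """Outside-to-inside: rewrite the destination from a static or dynamic entry."""
        key = (pkt.dst, pkt.dport)
        local = {g: l for l, g in self.static.items()}.get(key) or self.dynamic.get(key)
        return replace(pkt, dst=local[0], dport=local[1]) if local else pkt

    def local_to_global(self, pkt):
        """Inside-to-outside: static source rewrite, else PAT if the NAT ACL permits."""
        if (pkt.src, pkt.sport) in self.static:
            gip, gport = self.static[(pkt.src, pkt.sport)]
            return replace(pkt, src=gip, sport=gport)
        if (subnet(pkt.src), pkt.dst) in self.nat_acl or (subnet(pkt.src), "any") in self.nat_acl:
            gport, self.next_port = self.next_port, self.next_port + 1
            self.dynamic[(PUBLIC_IP, gport)] = (pkt.src, pkt.sport)
            return replace(pkt, src=PUBLIC_IP, sport=gport)
        return pkt

    def forward(self, pkt):
        """Return (egress interface, packet as the next hop sees it)."""
        ingress = self.iface_for(pkt.src)
        if self.domains[ingress] == "outside":
            pkt = self.global_to_local(pkt)      # NAT runs before routing on this path
            if ingress not in self.pbr:
                return self.route(pkt.dst), pkt
            # PBR pushes it via Loopback0 (inside): continue as inside-to-outside
        egress = self.route(pkt.dst)
        if egress == "local":
            return egress, pkt                   # the router is the destination: dead end
        if self.domains[egress] == "outside":
            pkt = self.local_to_global(pkt)
        return egress, pkt


def original_design():
    """The poster's layout: LAN SVIs inside, Gi0/0/0 outside, overload for the LANs, no PBR."""
    return Router({"Gi0/0/0": "outside", "Vlan40": "inside", "Vlan20": "inside"},
                  set(), {("192.168.4.0", "any"), ("192.168.2.0", "any")})


def loopback_design():
    """Paul's layout: LAN SVIs on the outside domain, Loopback0 inside, PBR on both
    LAN SVIs (assumption), Public-NAT permits plus the Hairpin-NAT host entries."""
    return Router({"Gi0/0/0": "outside", "Vlan40": "outside", "Vlan20": "outside",
                   "Loopback0": "inside"}, {"Vlan40", "Vlan20"},
                  {("192.168.2.0", "any"), ("192.168.4.0", "any"),
                   ("192.168.2.0", SERVER), ("192.168.4.0", SERVER)})


if __name__ == "__main__":
    req = Pkt(CLIENT, 40000, PUBLIC_IP, 443)
    print("original, LAN client -> public IP:", original_design().forward(req))
    r = loopback_design()
    print("loopback, request :", r.forward(req))
    print("loopback, reply   :", r.forward(Pkt(SERVER, 443, PUBLIC_IP, 1024)))
    print("loopback, external:", r.forward(Pkt(EXTERNAL, 5000, PUBLIC_IP, 443)))
```

In the original layout the LAN client's packet to the public address enters an inside interface and routes to the router itself, so it never crosses a NAT domain boundary and the static entry is never consulted. In the loopback layout the same packet enters an outside interface (destination rewritten to 192.168.2.1), is policy-routed through the inside loopback, and leaves an outside interface (source rewritten to the public address), so the server replies to the router rather than directly to the client, and the reply is mapped back through both translations. Because this double translation hides the real client address from the server's logs, anyone relying on those logs for auditing should keep that in mind when adopting this design.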

Ewsclass66 (Level 1)

Hi,

Yes, I reverted back to the old configuration as it did not work. I'm not sure if the ACLs you supplied are quite correct; it wouldn't accept them as they are.

 

It's a C1111-8P running 17.03.04a.

 

Thanks again

Hello
The reason for that was that you have more local networks than what you initially showed in your OP.

Now you can amend the config I provided to accommodate the additional inside networks so NAT would work, or you can keep your existing config but utilize domainless NAT (no inside/outside domains).


See attach file…

 



Kind Regards
Paul

Hi,

The problem I have run into is that IOS-XE doesn't support domainless NAT, so I can't use the command

ip nat source static tcp 192.168.2.1 443 interface GigabitEthernet0/0/0 443

These are the options presented when trying to create a NAT entry:

 

[attached screenshot: Untitled.png]

The first solution also does not function, as you haven't specified the static NAT forwarding, but I'm unsure of how the PBR affects that.

Thanks

Hello

You should already have the static NAT entries applied from your own configuration, which are:
ip nat inside source static tcp 192.168.4.1 443 interface GigabitEthernet0/0/0 443
ip nat inside source static tcp 192.168.4.1 80 interface GigabitEthernet0/0/0 80



Kind Regards
Paul