cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
182
Views
0
Helpful
2
Replies
hirani89
Beginner

Issues with Hairpin NAT

Hi,

Here is my config. I am not able to access 192.168.30.3 when in the network. It works fine when connecting from outside.

Also, I can ssh using public IP when in the network and from outside. having issues with 192.168.30.3

Building configuration...


Current configuration : 5979 bytes
!
! Last configuration change at 08:40:03 UTC Sun Apr 18 2021 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RRouter
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip multicast-routing
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.20.1 192.168.20.50
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.10.101 192.168.10.254
ip dhcp excluded-address 192.168.101.1 192.168.101.10
ip dhcp excluded-address 192.168.30.1 192.168.30.50
ip dhcp excluded-address 192.168.40.1 192.168.40.10
!
ip dhcp pool ONE
 network 192.168.1.0 255.255.255.0
 dns-server 192.168.10.1
 default-router 192.168.1.1
!
ip dhcp pool TEN
 network 192.168.10.0 255.255.255.0
 dns-server 1.1.1.1 1.0.0.1
 default-router 192.168.10.1
!
ip dhcp pool TWENTY
 network 192.168.20.0 255.255.255.0
 dns-server 1.1.1.1 1.0.0.1
 default-router 192.168.20.1
!
ip dhcp pool ONEOONE
 network 192.168.101.0 255.255.255.0
 dns-server 1.1.1.1 1.0.0.1
 default-router 192.168.101.1
!
ip dhcp pool THIRTY
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool Wifi_Camera
!
ip dhcp pool fourty
 network 192.168.40.0 255.255.255.0
 dns-server 1.1.1.1 1.0.0.1
 default-router 192.168.40.1
!
ip dhcp pool FIFTY
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool WIN1
 host 192.168.10.76 255.255.255.0
 client-identifier 01fc.aa14.28be.c0
!
ip dhcp pool HA Server
 host 192.168.10.2 255.255.255.0
 client-identifier 01b8.27eb.8ee9.95
!
!
ip domain name ssmt.local
ip name-server 1.1.1.1
ip name-server 1.0.0.1
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn FGL171712X4
hw-module pvdm 0/0
!
!
!
username root privilege 15 password 0 password
username user secret 4 GK32328zogUw41aNsnIiZ9irs2rALsySwMouCKQYxus
!
redundancy
!
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 20
 lifetime 3600
!
crypto isakmp client configuration group GroupVPN
 key groupkey
 pool VPNPool
!
!
crypto ipsec transform-set SetVPN esp-aes esp-sha-hmac
!
crypto dynamic-map DynamicVPN 100
 set transform-set SetVPN
 reverse-route
!
!
crypto map StaticMap client authentication list UserVPN
crypto map StaticMap isakmp authorization list GroupVPN
crypto map StaticMap client configuration address respond
crypto map StaticMap 20 ipsec-isakmp dynamic DynamicVPN
!
!
!
!
!
interface Loopback100
 description hairpin
 ip address 169.254.255.254 255.255.255.255
 ip nat inside
 ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.100
 description -Internet-
 encapsulation dot1Q 100
 ip address 123.123.123.123 255.255.255.252
 no ip redirects
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 crypto map StaticMap
!
interface GigabitEthernet0/1
 no ip address
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101
 ip address 192.168.101.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 no ip address
 shutdown
 negotiation auto
!
!
ip local pool VPNPool 192.168.10.20 192.168.10.50
ip default-gateway 123.123.123.122
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat source static tcp 192.168.10.1 22 interface GigabitEthernet0/0.100 10122
ip nat inside source list NAT interface GigabitEthernet0/0.100 overload
ip nat inside source static tcp 192.168.30.3 8000 interface GigabitEthernet0/0.100 18000
ip nat inside source static udp 192.168.30.3 8000 interface GigabitEthernet0/0.100 18000
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.100 27.32.231.217
!
ip access-list standard NAT
 permit 192.168.0.0 0.0.255.255
!
ip access-list extended NatPin
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 192.168.30.0 0.0.0.255 any
!
!
!
!
!
route-map NAT_PBR permit 10
 set interface Loopback100
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
 shutdown
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 login local
 transport input all
!
scheduler allocate 20000 1000
end

 

2 REPLIES 2
paul driver
VIP Mentor

Hello

Try the attached changes:



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Georg Pauwen
VIP Expert

Hello,

 

with the changes marked in bold, all internal networks should be able to access 192.168.30.3 by its public IP address:

 

Current configuration : 5979 bytes
!
! Last configuration change at 08:40:03 UTC Sun Apr 18 2021 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RRouter
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip multicast-routing
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.20.1 192.168.20.50
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.10.101 192.168.10.254
ip dhcp excluded-address 192.168.101.1 192.168.101.10
ip dhcp excluded-address 192.168.30.1 192.168.30.50
ip dhcp excluded-address 192.168.40.1 192.168.40.10
!
ip dhcp pool ONE
network 192.168.1.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.1.1
!
ip dhcp pool TEN
network 192.168.10.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.10.1
!
ip dhcp pool TWENTY
network 192.168.20.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.20.1
!
ip dhcp pool ONEOONE
network 192.168.101.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.101.1
!
ip dhcp pool THIRTY
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool Wifi_Camera
!
ip dhcp pool fourty
network 192.168.40.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.40.1
!
ip dhcp pool FIFTY
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool WIN1
host 192.168.10.76 255.255.255.0
client-identifier 01fc.aa14.28be.c0
!
ip dhcp pool HA Server
host 192.168.10.2 255.255.255.0
client-identifier 01b8.27eb.8ee9.95
!
ip domain name ssmt.local
ip name-server 1.1.1.1
ip name-server 1.0.0.1
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
voice-card 0
!
license udi pid CISCO2921/K9 sn FGL171712X4
hw-module pvdm 0/0
!
username root privilege 15 password 0 password
username user secret 4 GK32328zogUw41aNsnIiZ9irs2rALsySwMouCKQYxus
!
redundancy
!
ip ssh version 2
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 20
lifetime 3600
!
crypto isakmp client configuration group GroupVPN
key groupkey
pool VPNPool
!
crypto ipsec transform-set SetVPN esp-aes esp-sha-hmac
!
crypto dynamic-map DynamicVPN 100
set transform-set SetVPN
reverse-route
!
crypto map StaticMap client authentication list UserVPN
crypto map StaticMap isakmp authorization list GroupVPN
crypto map StaticMap client configuration address respond
crypto map StaticMap 20 ipsec-isakmp dynamic DynamicVPN
!
interface Loopback100
description hairpin
ip address 169.254.255.254 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.100
description -Internet-
encapsulation dot1Q 100
ip address 123.123.123.123 255.255.255.252
no ip redirects
ip nat outside
--> no ip nat enable
ip virtual-reassembly in
crypto map StaticMap
!
interface GigabitEthernet0/1
no ip address
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.101
encapsulation dot1Q 101
ip address 192.168.101.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
no ip address
shutdown
negotiation auto
!
ip local pool VPNPool 192.168.10.20 192.168.10.50
--> no ip default-gateway 123.123.123.122
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat source static tcp 192.168.10.1 22 interface GigabitEthernet0/0.100 10122
--> ip nat inside source list NAT_ACL interface GigabitEthernet0/0.100 overload
--> ip nat inside source list NAT_HAIRPIN_ACL interface Loopback 100 overload
ip nat inside source static tcp 192.168.30.3 8000 interface GigabitEthernet0/0.100 18000
ip nat inside source static udp 192.168.30.3 8000 interface GigabitEthernet0/0.100 18000
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.100 27.32.231.217
!
--> ip access-list extended NAT_ACL
--> deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
--> deny ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
--> deny ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
--> deny ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
--> deny ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255
--> deny ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
--> deny ip 192.168.101.0 0.0.0.255 192.168.101.0 0.0.0.255
--> permit 192.168.1.0 0.0.0.255 any
--> permit 192.168.10.0 0.0.0.255 any
--> permit 192.168.20.0 0.0.0.255 any
--> permit 192.168.30.0 0.0.0.255 any
--> permit 192.168.40.0 0.0.0.255 any
--> permit 192.168.50.0 0.0.0.255 any
--> permit 192.168.101.0 0.0.0.255 any
!
--> ip access-list extended NAT_HAIRPIN_ACL
--> permit ip 192.168.1.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.10.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.20.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.30.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.40.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.50.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.101.0 0.0.0.255 host 192.168.30.3

!
--> route-map PBR_NAT_RM permit 10
set interface Loopback100
!
control-plane
!
mgcp profile default
!
gatekeeper
shutdown
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input ssh
line vty 5 15
login local
transport input all
!
scheduler allocate 20000 1000
end