
Issues with Hairpin NAT

hirani89

Hi,

Here is my config. I am not able to access 192.168.30.3 from inside the network, but it works fine when connecting from outside.

Also, I can SSH using the public IP both from inside the network and from outside; the problem is only with 192.168.30.3.

Building configuration...


Current configuration : 5979 bytes
!
! Last configuration change at 08:40:03 UTC Sun Apr 18 2021 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-0 passwords further down ("username root ... password 0 ...") are stored and shown
! in clear text while this is off. "service password-encryption" only obfuscates them
! (type 7); prefer "secret" for local accounts instead.
no service password-encryption
!
hostname RRouter
!
boot-start-marker
boot-end-marker
!
!
!
! No AAA: VTY access relies on "login local", and the crypto map's "client authentication
! list UserVPN" / "isakmp authorization list GroupVPN" below name AAA method lists that are
! not defined anywhere in this config.
no aaa new-model
!
!
no ipv6 cef
! Source-routed IPv4 packets are honoured; "no ip source-route" is the usual hardening default.
ip source-route
ip cef
!
!
!
ip multicast-routing
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.20.1 192.168.20.50
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.10.101 192.168.10.254
ip dhcp excluded-address 192.168.101.1 192.168.101.10
ip dhcp excluded-address 192.168.30.1 192.168.30.50
ip dhcp excluded-address 192.168.40.1 192.168.40.10
!
ip dhcp pool ONE
 network 192.168.1.0 255.255.255.0
 dns-server 192.168.10.1
 default-router 192.168.1.1
!
ip dhcp pool TEN
 network 192.168.10.0 255.255.255.0
 dns-server 1.1.1.1 1.0.0.1
 default-router 192.168.10.1
!
ip dhcp pool TWENTY
 network 192.168.20.0 255.255.255.0
 dns-server 1.1.1.1 1.0.0.1
 default-router 192.168.20.1
!
ip dhcp pool ONEOONE
 network 192.168.101.0 255.255.255.0
 dns-server 1.1.1.1 1.0.0.1
 default-router 192.168.101.1
!
ip dhcp pool THIRTY
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool Wifi_Camera
!
ip dhcp pool fourty
 network 192.168.40.0 255.255.255.0
 dns-server 1.1.1.1 1.0.0.1
 default-router 192.168.40.1
!
ip dhcp pool FIFTY
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool WIN1
 host 192.168.10.76 255.255.255.0
 client-identifier 01fc.aa14.28be.c0
!
ip dhcp pool HA Server
 host 192.168.10.2 255.255.255.0
 client-identifier 01b8.27eb.8ee9.95
!
!
ip domain name ssmt.local
ip name-server 1.1.1.1
ip name-server 1.0.0.1
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn FGL171712X4
hw-module pvdm 0/0
!
!
!
! Privilege-15 account with a clear-text (type 0) password whose literal value is visible
! here and has now been posted publicly: rotate it and re-enter it as "secret".
username root privilege 15 password 0 password
! Type-4 secret. Cisco withdrew type 4 as weaker than the type 5 it was meant to replace;
! re-enter with "secret" on an image that produces type 8/9 (or at least type 5), and treat
! this hash as exposed since it is public.
username user secret 4 GK32328zogUw41aNsnIiZ9irs2rALsySwMouCKQYxus
!
redundancy
!
!
!
!
ip ssh version 2
!
!
! IKEv1 phase-1 policy: AES-256, DH group 20, pre-shared-key authentication, one-hour
! lifetime. No "hash" is set, so the platform default (typically SHA-1) applies.
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 20
 lifetime 3600
!
! Remote-access client group. Its pre-shared key sits in clear text because
! "no service password-encryption" is set, and it is public with this post - rotate it.
crypto isakmp client configuration group GroupVPN
 key groupkey
 pool VPNPool
!
!
! Phase-2: ESP with AES-128 and SHA-1 HMAC.
crypto ipsec transform-set SetVPN esp-aes esp-sha-hmac
!
crypto dynamic-map DynamicVPN 100
 set transform-set SetVPN
 reverse-route
!
!
! "UserVPN" (Xauth) and "GroupVPN" (authorization) are AAA method-list names, but
! "no aaa new-model" is set and neither list is defined in this config - confirm on the
! router whether client authentication actually succeeds.
crypto map StaticMap client authentication list UserVPN
crypto map StaticMap isakmp authorization list GroupVPN
crypto map StaticMap client configuration address respond
crypto map StaticMap 20 ipsec-isakmp dynamic DynamicVPN
!
!
!
!
!
! Hairpin loopback: a NAT-inside interface with a link-local /32 that route-map NAT_PBR
! (below) points at. NAT_PBR is not applied with "ip policy route-map" on any interface
! in this config, so the loopback currently plays no part in forwarding.
interface Loopback100
 description hairpin
 ip address 169.254.255.254 255.255.255.255
 ip nat inside
 ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
!
! WAN subinterface. It is both "ip nat outside" (classic NAT domain) and "ip nat enable"
! (NAT Virtual Interface mode); the static entry "ip nat source static tcp 192.168.10.1 22 ..."
! below uses the NVI form while the other translations use "ip nat inside source". Running
! both models on one interface may give inconsistent translation - settle on one.
! 123.123.123.123 looks like a placeholder; the default-route next hop further down does not.
interface GigabitEthernet0/0.100
 description -Internet-
 encapsulation dot1Q 100
 ip address 123.123.123.123 255.255.255.252
 no ip redirects
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 crypto map StaticMap
!
interface GigabitEthernet0/1
 no ip address
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101
 ip address 192.168.101.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 no ip address
 shutdown
 negotiation auto
!
!
! Addresses for remote-access VPN clients, carved from the TEN LAN (its DHCP pool excludes .1-.50).
ip local pool VPNPool 192.168.10.20 192.168.10.50
! "ip default-gateway" is only consulted when IP routing is disabled; with routing on, the
! static default route below is what matters.
ip default-gateway 123.123.123.122
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
! The router answers/forwards DNS (name-servers 1.1.1.1 and 1.0.0.1). Nothing in this config
! limits which interfaces may query it; confirm it is not reachable from the outside interface.
ip dns server
! Publishes this router's own SSH (192.168.10.1:22) on the Internet at port 10122. Together
! with the clear-text privilege-15 account above this is the most exposed item here; restrict
! the VTYs with "access-class" or drop the forward if remote CLI access is not required.
! NVI-form entry (no "inside" keyword) - relies on "ip nat enable" on the WAN subinterface.
ip nat source static tcp 192.168.10.1 22 interface GigabitEthernet0/0.100 10122
! PAT for 192.168.0.0/16 (standard ACL "NAT") to the WAN address.
ip nat inside source list NAT interface GigabitEthernet0/0.100 overload
! Port forwards for 192.168.30.3:8000 (TCP and UDP) on public port 18000. From the LAN,
! packets to the public address arrive on a NAT-inside interface addressed to the router
! itself, so the outside->inside translation of these entries never runs - the usual
! hairpin limitation and the issue this thread is about.
ip nat inside source static tcp 192.168.30.3 8000 interface GigabitEthernet0/0.100 18000
ip nat inside source static udp 192.168.30.3 8000 interface GigabitEthernet0/0.100 18000
! Next hop 27.32.231.217 is not in the /30 configured on GigabitEthernet0/0.100, which
! suggests the interface address was sanitised but this was not - redact consistently.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.100 27.32.231.217
!
! Source match for the Internet PAT rule: anything in 192.168.0.0/16.
ip access-list standard NAT
 permit 192.168.0.0 0.0.255.255
!
! Not referenced by any NAT statement or route-map in this config. The second entry is
! redundant: 192.168.30.0/24 is already inside 192.168.0.0/16.
ip access-list extended NatPin
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 192.168.30.0 0.0.0.255 any
!
!
!
!
!
! Hairpin PBR: there is no "match" clause, so once applied it would redirect every packet to
! Loopback100 - but it is not bound to any interface with "ip policy route-map", so it has
! no effect today.
route-map NAT_PBR permit 10
 set interface Loopback100
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
 shutdown
!
!
!
line con 0
line aux 0
! Async line 2: no exec, but every transport is allowed in and out.
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
! First five VTYs: SSH only, and any local login lands directly at privilege 15
! (the "root" account above already has privilege 15 via its username line).
line vty 0 4
 privilege level 15
 login local
 transport input ssh
! VTYs 5-15 still accept every transport, Telnet included, with the same local accounts -
! and VTYs are reachable from the Internet via the port-10122 forward. "transport input ssh"
! here as well, plus an "access-class" ACL on all VTYs, closes that gap.
line vty 5 15
 login local
 transport input all
!
scheduler allocate 20000 1000
end

 


Hello

Try the attached changes:


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

 

With the changes marked below (the bold formatting was lost in this copy; changed lines are prefixed with "-->"), all internal networks should be able to access 192.168.30.3 by its public IP address:

 

Current configuration : 5979 bytes
!
! Last configuration change at 08:40:03 UTC Sun Apr 18 2021 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RRouter
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip multicast-routing
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.20.1 192.168.20.50
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.10.101 192.168.10.254
ip dhcp excluded-address 192.168.101.1 192.168.101.10
ip dhcp excluded-address 192.168.30.1 192.168.30.50
ip dhcp excluded-address 192.168.40.1 192.168.40.10
!
ip dhcp pool ONE
network 192.168.1.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.1.1
!
ip dhcp pool TEN
network 192.168.10.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.10.1
!
ip dhcp pool TWENTY
network 192.168.20.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.20.1
!
ip dhcp pool ONEOONE
network 192.168.101.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.101.1
!
ip dhcp pool THIRTY
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool Wifi_Camera
!
ip dhcp pool fourty
network 192.168.40.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.40.1
!
ip dhcp pool FIFTY
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool WIN1
host 192.168.10.76 255.255.255.0
client-identifier 01fc.aa14.28be.c0
!
ip dhcp pool HA Server
host 192.168.10.2 255.255.255.0
client-identifier 01b8.27eb.8ee9.95
!
ip domain name ssmt.local
ip name-server 1.1.1.1
ip name-server 1.0.0.1
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
voice-card 0
!
license udi pid CISCO2921/K9 sn FGL171712X4
hw-module pvdm 0/0
!
username root privilege 15 password 0 password
username user secret 4 GK32328zogUw41aNsnIiZ9irs2rALsySwMouCKQYxus
!
redundancy
!
ip ssh version 2
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 20
lifetime 3600
!
crypto isakmp client configuration group GroupVPN
key groupkey
pool VPNPool
!
crypto ipsec transform-set SetVPN esp-aes esp-sha-hmac
!
crypto dynamic-map DynamicVPN 100
set transform-set SetVPN
reverse-route
!
crypto map StaticMap client authentication list UserVPN
crypto map StaticMap isakmp authorization list GroupVPN
crypto map StaticMap client configuration address respond
crypto map StaticMap 20 ipsec-isakmp dynamic DynamicVPN
!
interface Loopback100
description hairpin
ip address 169.254.255.254 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip virtual-reassembly in
duplex auto
speed auto
!
! Drops NVI mode so only classic inside/outside NAT remains on the WAN subinterface.
! The NVI-style static entry "ip nat source static tcp 192.168.10.1 22 ..." further down
! is left in place and depended on "ip nat enable" - re-test that forward after the
! change, or remove it if the router's SSH does not need to be Internet-reachable.
interface GigabitEthernet0/0.100
description -Internet-
encapsulation dot1Q 100
ip address 123.123.123.123 255.255.255.252
no ip redirects
ip nat outside
--> no ip nat enable
ip virtual-reassembly in
crypto map StaticMap
!
interface GigabitEthernet0/1
no ip address
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
! Each LAN subinterface becomes a NAT "outside" interface and policy-routes everything it
! receives towards Loopback100 (the NAT "inside" side). "ip nat inside" no longer appears on
! this or the other Gi0/1.x subinterfaces but that removal is not marked with "-->", and the
! parent GigabitEthernet0/1 above still carries "ip nat inside" - enter "no ip nat inside"
! explicitly if the CLI does not replace it when "ip nat outside" is added.
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.101
encapsulation dot1Q 101
ip address 192.168.101.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
no ip address
shutdown
negotiation auto
!
ip local pool VPNPool 192.168.10.20 192.168.10.50
! Harmless removal: "ip default-gateway" is only used when IP routing is disabled.
--> no ip default-gateway 123.123.123.122
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
! Unchanged NVI-form entry (no "inside" keyword) that relied on "ip nat enable", which this
! proposal removes from GigabitEthernet0/0.100 - confirm the port-10122 SSH forward still
! behaves as intended, or drop it if router SSH need not be reachable from the Internet.
ip nat source static tcp 192.168.10.1 22 interface GigabitEthernet0/0.100 10122
! Internet PAT now keyed on the new extended ACL NAT_ACL (replaces standard ACL "NAT").
--> ip nat inside source list NAT_ACL interface GigabitEthernet0/0.100 overload
! Hairpin PAT: the intent appears to be that LAN->192.168.30.3 flows re-entering via
! Loopback100 are given the loopback address as source, so the server's replies return
! through the router. "Loopback 100" with a space is normally accepted by the CLI; the
! interface itself is named Loopback100.
--> ip nat inside source list NAT_HAIRPIN_ACL interface Loopback 100 overload
ip nat inside source static tcp 192.168.30.3 8000 interface GigabitEthernet0/0.100 18000
ip nat inside source static udp 192.168.30.3 8000 interface GigabitEthernet0/0.100 18000
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.100 27.32.231.217
!
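! Extended ACL entries need a protocol keyword: a named extended ACL does not accept
! "permit 192.168.1.0 0.0.0.255 any", so the permits below are written as "permit ip ...".
! The deny entries only exclude same-subnet flows; inter-VLAN traffic (e.g. 192.168.1.0/24 ->
! 192.168.10.0/24) still matches "permit ... any" and, with the LAN subinterfaces now
! "ip nat outside", may be translated as well - verify inter-VLAN reachability after applying.
--> ip access-list extended NAT_ACL
--> deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
--> deny ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
--> deny ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
--> deny ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
--> deny ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255
--> deny ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
--> deny ip 192.168.101.0 0.0.0.255 192.168.101.0 0.0.0.255
--> permit ip 192.168.1.0 0.0.0.255 any
--> permit ip 192.168.10.0 0.0.0.255 any
--> permit ip 192.168.20.0 0.0.0.255 any
--> permit ip 192.168.30.0 0.0.0.255 any
--> permit ip 192.168.40.0 0.0.0.255 any
--> permit ip 192.168.50.0 0.0.0.255 any
--> permit ip 192.168.101.0 0.0.0.255 any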
!
! Sources for the hairpin PAT on Loopback100: every LAN subnet when talking to 192.168.30.3.
! The 192.168.30.0/24 entry covers the server's own VLAN, so same-subnet clients are also
! translated to the loopback address - needed so the server replies through the router
! rather than directly to the client.
--> ip access-list extended NAT_HAIRPIN_ACL
--> permit ip 192.168.1.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.10.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.20.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.30.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.40.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.50.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.101.0 0.0.0.255 host 192.168.30.3

!
! Bound to every LAN subinterface with no "match" clause, so all traffic entering them -
! inter-VLAN and Internet-bound included - is policy-routed through Loopback100. Adding a
! "match ip address" on an ACL for traffic to the public address would confine the PBR to
! the hairpin case it exists for.
--> route-map PBR_NAT_RM permit 10
set interface Loopback100
!
control-plane
!
mgcp profile default
!
gatekeeper
shutdown
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input ssh
line vty 5 15
login local
transport input all
!
scheduler allocate 20000 1000
end
