04-18-2021 02:14 AM
Hi,
Here is my config. I am not able to access 192.168.30.3 when in the network. It works fine when connecting from outside.
Also, I can SSH using the public IP when in the network and from outside. Having issues with 192.168.30.3.
Building configuration...
Current configuration : 5979 bytes
!
! Last configuration change at 08:40:03 UTC Sun Apr 18 2021 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RRouter
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip multicast-routing
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.20.1 192.168.20.50
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.10.101 192.168.10.254
ip dhcp excluded-address 192.168.101.1 192.168.101.10
ip dhcp excluded-address 192.168.30.1 192.168.30.50
ip dhcp excluded-address 192.168.40.1 192.168.40.10
!
ip dhcp pool ONE
network 192.168.1.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.1.1
!
ip dhcp pool TEN
network 192.168.10.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.10.1
!
ip dhcp pool TWENTY
network 192.168.20.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.20.1
!
ip dhcp pool ONEOONE
network 192.168.101.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.101.1
!
ip dhcp pool THIRTY
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool Wifi_Camera
!
ip dhcp pool fourty
network 192.168.40.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.40.1
!
ip dhcp pool FIFTY
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool WIN1
host 192.168.10.76 255.255.255.0
client-identifier 01fc.aa14.28be.c0
!
ip dhcp pool HA Server
host 192.168.10.2 255.255.255.0
client-identifier 01b8.27eb.8ee9.95
!
ip domain name ssmt.local
ip name-server 1.1.1.1
ip name-server 1.0.0.1
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
voice-card 0
!
license udi pid CISCO2921/K9 sn FGL171712X4
hw-module pvdm 0/0
!
username root privilege 15 password 0 password
username user secret 4 GK32328zogUw41aNsnIiZ9irs2rALsySwMouCKQYxus
!
redundancy
!
ip ssh version 2
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 20
lifetime 3600
!
crypto isakmp client configuration group GroupVPN
key groupkey
pool VPNPool
!
crypto ipsec transform-set SetVPN esp-aes esp-sha-hmac
!
crypto dynamic-map DynamicVPN 100
set transform-set SetVPN
reverse-route
!
crypto map StaticMap client authentication list UserVPN
crypto map StaticMap isakmp authorization list GroupVPN
crypto map StaticMap client configuration address respond
crypto map StaticMap 20 ipsec-isakmp dynamic DynamicVPN
!
interface Loopback100
description hairpin
ip address 169.254.255.254 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.100
description -Internet-
encapsulation dot1Q 100
ip address 123.123.123.123 255.255.255.252
no ip redirects
ip nat outside
ip nat enable
ip virtual-reassembly in
crypto map StaticMap
!
interface GigabitEthernet0/1
no ip address
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.101
encapsulation dot1Q 101
ip address 192.168.101.1 255.255.255.0
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
no ip address
shutdown
negotiation auto
!
ip local pool VPNPool 192.168.10.20 192.168.10.50
ip default-gateway 123.123.123.122
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat source static tcp 192.168.10.1 22 interface GigabitEthernet0/0.100 10122
ip nat inside source list NAT interface GigabitEthernet0/0.100 overload
ip nat inside source static tcp 192.168.30.3 8000 interface GigabitEthernet0/0.100 18000
ip nat inside source static udp 192.168.30.3 8000 interface GigabitEthernet0/0.100 18000
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.100 27.32.231.217
!
ip access-list standard NAT
permit 192.168.0.0 0.0.255.255
!
ip access-list extended NatPin
permit ip 192.168.0.0 0.0.255.255 any
permit ip 192.168.30.0 0.0.0.255 any
!
route-map NAT_PBR permit 10
set interface Loopback100
!
control-plane
!
mgcp profile default
!
gatekeeper
shutdown
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input ssh
line vty 5 15
login local
transport input all
!
scheduler allocate 20000 1000
end
04-18-2021 03:15 AM - edited 04-18-2021 03:18 AM
04-18-2021 07:53 AM
Hello,
with the changes marked in bold, all internal networks should be able to access 192.168.30.3 by its public IP address:
Current configuration : 5979 bytes
!
! Last configuration change at 08:40:03 UTC Sun Apr 18 2021 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RRouter
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip multicast-routing
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.20.1 192.168.20.50
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.10.101 192.168.10.254
ip dhcp excluded-address 192.168.101.1 192.168.101.10
ip dhcp excluded-address 192.168.30.1 192.168.30.50
ip dhcp excluded-address 192.168.40.1 192.168.40.10
!
ip dhcp pool ONE
network 192.168.1.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.1.1
!
ip dhcp pool TEN
network 192.168.10.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.10.1
!
ip dhcp pool TWENTY
network 192.168.20.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.20.1
!
ip dhcp pool ONEOONE
network 192.168.101.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.101.1
!
ip dhcp pool THIRTY
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool Wifi_Camera
!
ip dhcp pool fourty
network 192.168.40.0 255.255.255.0
dns-server 1.1.1.1 1.0.0.1
default-router 192.168.40.1
!
ip dhcp pool FIFTY
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 1.1.1.1 1.0.0.1
!
ip dhcp pool WIN1
host 192.168.10.76 255.255.255.0
client-identifier 01fc.aa14.28be.c0
!
ip dhcp pool HA Server
host 192.168.10.2 255.255.255.0
client-identifier 01b8.27eb.8ee9.95
!
ip domain name ssmt.local
ip name-server 1.1.1.1
ip name-server 1.0.0.1
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
voice-card 0
!
license udi pid CISCO2921/K9 sn FGL171712X4
hw-module pvdm 0/0
!
username root privilege 15 password 0 password
username user secret 4 GK32328zogUw41aNsnIiZ9irs2rALsySwMouCKQYxus
!
redundancy
!
ip ssh version 2
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 20
lifetime 3600
!
crypto isakmp client configuration group GroupVPN
key groupkey
pool VPNPool
!
crypto ipsec transform-set SetVPN esp-aes esp-sha-hmac
!
crypto dynamic-map DynamicVPN 100
set transform-set SetVPN
reverse-route
!
crypto map StaticMap client authentication list UserVPN
crypto map StaticMap isakmp authorization list GroupVPN
crypto map StaticMap client configuration address respond
crypto map StaticMap 20 ipsec-isakmp dynamic DynamicVPN
!
interface Loopback100
description hairpin
ip address 169.254.255.254 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.100
description -Internet-
encapsulation dot1Q 100
ip address 123.123.123.123 255.255.255.252
no ip redirects
ip nat outside
--> no ip nat enable
ip virtual-reassembly in
crypto map StaticMap
!
interface GigabitEthernet0/1
no ip address
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/1.101
encapsulation dot1Q 101
ip address 192.168.101.1 255.255.255.0
ip pim dense-mode
--> ip nat outside
--> ip policy route-map PBR_NAT_RM
ip virtual-reassembly in
ip cgmp
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
no ip address
shutdown
negotiation auto
!
ip local pool VPNPool 192.168.10.20 192.168.10.50
--> no ip default-gateway 123.123.123.122
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat source static tcp 192.168.10.1 22 interface GigabitEthernet0/0.100 10122
--> ip nat inside source list NAT_ACL interface GigabitEthernet0/0.100 overload
--> ip nat inside source list NAT_HAIRPIN_ACL interface Loopback 100 overload
ip nat inside source static tcp 192.168.30.3 8000 interface GigabitEthernet0/0.100 18000
ip nat inside source static udp 192.168.30.3 8000 interface GigabitEthernet0/0.100 18000
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.100 27.32.231.217
!
--> ip access-list extended NAT_ACL
--> deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
--> deny ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
--> deny ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
--> deny ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
--> deny ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255
--> deny ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
--> deny ip 192.168.101.0 0.0.0.255 192.168.101.0 0.0.0.255
--> permit ip 192.168.1.0 0.0.0.255 any
--> permit ip 192.168.10.0 0.0.0.255 any
--> permit ip 192.168.20.0 0.0.0.255 any
--> permit ip 192.168.30.0 0.0.0.255 any
--> permit ip 192.168.40.0 0.0.0.255 any
--> permit ip 192.168.50.0 0.0.0.255 any
--> permit ip 192.168.101.0 0.0.0.255 any
!
--> ip access-list extended NAT_HAIRPIN_ACL
--> permit ip 192.168.1.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.10.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.20.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.30.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.40.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.50.0 0.0.0.255 host 192.168.30.3
--> permit ip 192.168.101.0 0.0.0.255 host 192.168.30.3
!
--> route-map PBR_NAT_RM permit 10
set interface Loopback100
!
control-plane
!
mgcp profile default
!
gatekeeper
shutdown
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input ssh
line vty 5 15
login local
transport input all
!
scheduler allocate 20000 1000
end
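Added example (not part of the reply above and not Cisco code): a first-match evaluator for the reply's NAT_ACL and NAT_HAIRPIN_ACL, showing which list permits a given flow. The client addresses are constructed, the NAT_ACL permit entries are assumed to carry the `ip` keyword, and only IP source/destination matching with wildcard masks is modelled.

```python
import ipaddress

# Entries follow the reply's NAT_ACL and NAT_HAIRPIN_ACL; the NAT_ACL permit
# entries are written with the "ip" keyword (assumption for this example).
VLANS = ["192.168.1.0", "192.168.10.0", "192.168.20.0", "192.168.30.0",
         "192.168.40.0", "192.168.50.0", "192.168.101.0"]
W = "0.0.0.255"
NAT_ACL = ([f"deny ip {v} {W} {v} {W}" for v in VLANS] +
           [f"permit ip {v} {W} any" for v in VLANS])
NAT_HAIRPIN_ACL = [f"permit ip {v} {W} host 192.168.30.3" for v in VLANS]

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    return (_to_int(tokens[0]), _to_int(tokens[1])), tokens[2:]

def _matches(spec, addr):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    care = ~wildcard & 0xFFFFFFFF
    return (_to_int(addr) & care) == (base & care)

def acl_action(acl, src, dst):
    """Return 'permit' or 'deny' for an IP flow: first match wins, implicit deny."""
    for entry in acl:
        action, _proto, *rest = entry.split()
        src_spec, rest = _parse_addr(rest)
        dst_spec, _ = _parse_addr(rest)
        if _matches(src_spec, src) and _matches(dst_spec, dst):
            return action
    return "deny"

def classify(src, dst):
    """Names of the NAT source lists that permit the flow src -> dst."""
    lists = {"NAT_ACL": NAT_ACL, "NAT_HAIRPIN_ACL": NAT_HAIRPIN_ACL}
    return [name for name, acl in lists.items()
            if acl_action(acl, src, dst) == "permit"]

if __name__ == "__main__":
    # Constructed sample flows (client addresses are made up for illustration).
    for src, dst in [("192.168.10.60", "8.8.8.8"), ("192.168.10.60", "192.168.30.3"),
                     ("192.168.30.60", "192.168.30.3"), ("10.0.0.5", "192.168.30.3")]:
        print(f"{src} -> {dst}: {classify(src, dst) or 'no NAT list matches'}")
```

An inter-VLAN flow to 192.168.30.3 is permitted by both lists, while a same-VLAN flow is permitted only by NAT_HAIRPIN_ACL, so the ACLs alone do not separate the two translations for inter-VLAN traffic.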