ValeriyBaybekov
Beginner

Loopback NAT

Hello everyone, I need to configure loopback (hairpin) NAT. If I understand correctly, I should be able to connect to or ping my server in my private network from the global network (WAN). In my screenshot below I configured a simple test network in PT. There is my local server behind a router with a global IP and an imitation of a WAN; I also configured RIP routing between those networks.

Please explain how it works and how I might configure this.

 

Georg Pauwen
VIP Expert

Hello,

 

Just to be sure that you are not confusing things: NAT hairpinning means that an internal server is available via the public IP address, even when traffic originates on the private LAN. Is this what you want?

Thank you for your answer.

>> an internal server is available via the public IP address, even when traffic originates on the private LAN
Yes, that's correct. Actually I was confused, but now you have made it clear for me.
I need to connect to my server in the LAN from a PC in the same LAN via the global IP.

For a better explanation, here is an image. I need to have access to 192.168.1.2:80 via global IP 1.1.1.1 from 192.168.1.10.

paul driver
VIP Mentor

Hello
Yes, you can do hairpin NAT for this, or you should be able to use domain-less PAT, which would achieve the same result. However, it can be resource intensive on the rtr, but you could try it and check, as it is the easiest way to achieve what you want.

 

Example:
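interface x/x
 ! LAN facing
 no ip nat inside
 ip nat enable

interface x/x
 ! WAN facing
 no ip nat outside
 ip nat enable

! Static port forward for the web server, then PAT for hosts matched by list x
ip nat source static tcp <internal server> 80 <nat address> 80
ip nat source list x interface <wan interface> overload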



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
MHM Cisco World
Collaborator

Friend, config DNS and make the host in the LAN get the IP address from the DNS with the public IP, not the private IP address.

Hello @MHM Cisco World  "make host in LAN get ip address from the DNS with public ip not private ip address."
This is what the OP wants to do: access the web server via its public NATted address. However, just changing an A host record in DNS won't be enough. I would say you would still need to use hairpin NAT or NVI NAT (domain-less NAT) so the rtr can perform dual RIB lookups, once before translation towards the NVI interface and then again after, to route towards the translated address.



kind regards
Paul


Paul, thank you for your answer.

I need to configure that like @Georg Pauwen described.
I should be able to connect from my local PC to my local web server via the global IP.
Like in the screenshot below.

Hello
Okay, so first of all try NVI NAT.
Follow the example I previously provided.



kind regards
Paul


Look what I've got. Does that mean that something blocks the connection? Should I dig into the ACL?

qwer.png

qwert.png

Hello,

 

Are you trying to do this in Packet Tracer? Not sure if PT supports that. Post the zipped Packet Tracer project (.pkt) file.

Sure

Hello,

 

Unfortunately PT is missing the commands to configure this. You need route maps and/or domainless NAT, as Paul suggested, but neither is available in Packet Tracer.

 

Either way, the config would look like below:

 

! Loopback used to turn LAN traffic around (NAT inside)
interface Loopback1
 description NAT-HAIRPIN
 ip address 169.254.1.1 255.255.255.255
 ip nat inside
!
! No match clause: everything arriving on the LAN interface goes via Loopback1
route-map PBR-HAIRPIN permit 10
 set interface Loopback1
!
! LAN clients talking to the server's private address
ip access-list extended ACL-HAIRPIN
 permit ip 172.16.50.0 0.0.0.255 host 172.16.50.228
!
! LAN clients talking to anything outside the LAN
ip access-list extended ACL-NAT
 deny ip 172.16.50.0 0.0.0.255 172.16.50.0 0.0.0.255
 permit ip 172.16.50.0 0.0.0.255 any
!
interface GigabitEthernet4/0
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet5/0
 description LAN
 ip address 172.16.50.1 255.255.255.0
 ip nat outside
 ip policy route-map PBR-HAIRPIN
!
ip nat inside source list ACL-NAT interface GigabitEthernet4/0 overload
ip nat inside source list ACL-HAIRPIN interface Loopback1 overload
ip nat inside source static tcp 172.16.50.228 80 interface GigabitEthernet4/0 80
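
A simplified model of the packet walk the configuration above is meant to produce, added here as an example; it is not part of the original thread and not router output. It shows why the source rewrite to the Loopback1 address is needed in addition to the static entry. The client 172.16.50.10 and the Internet host 203.0.113.10 are constructed, and the step ordering is an assumption based on the classic IOS NAT order of operations.

```python
import ipaddress

# Addresses and rule names come from the configuration in the reply above.
LAN = ipaddress.ip_network("172.16.50.0/24")
SERVER, PUBLIC, LOOPBACK = "172.16.50.228", "1.1.1.1", "169.254.1.1"
STATIC = {(PUBLIC, 80): (SERVER, 80)}  # static tcp entry for port 80


def in_lan(ip):
    return ipaddress.ip_address(ip) in LAN


def forward(src, dst, dport, hairpin_snat=True):
    """Return (src, dst, dport) as a LAN packet leaves the router."""
    # Step 1: arriving on the LAN interface (NAT outside), the static
    # entry rewrites the destination before any routing decision.
    dst, dport = STATIC.get((dst, dport), (dst, dport))
    # Step 2: PBR turns the packet around on Loopback1 (NAT inside), so
    # on the way out the first matching dynamic rule rewrites the source.
    if in_lan(src) and dst == SERVER:        # ACL-HAIRPIN
        if hairpin_snat:
            src = LOOPBACK
    elif in_lan(src) and not in_lan(dst):    # ACL-NAT (LAN-to-LAN denied)
        src = PUBLIC
    return src, dst, dport


def reply_source_seen_by_client(src_seen_by_server):
    """Source address on the reply when it reaches the LAN client."""
    if in_lan(src_seen_by_server):
        # Same subnet: the server answers the client directly, bypassing
        # the router, so nothing restores the public address.
        return SERVER
    # Otherwise the reply returns to the router, which reverses both
    # translations and the client sees the address it connected to.
    return PUBLIC


if __name__ == "__main__":
    client = "172.16.50.10"  # constructed LAN client
    for snat in (True, False):
        seen = forward(client, PUBLIC, 80, hairpin_snat=snat)
        print(snat, seen, reply_source_seen_by_client(seen[0]))
    print(forward(client, "203.0.113.10", 443))  # constructed Internet host
```

Without the source rewrite the reply arrives from 172.16.50.228 instead of 1.1.1.1 and the client has no matching connection for it. With the rewrite, the web server logs 169.254.1.1 for every hairpinned LAN client, so per-client attribution has to come from the router's NAT translation table rather than the server's access log.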

 

 

Ok, will try something, many thanks to you @Georg Pauwen @paul driver