Hello everyone, I need to configure loopback (hairpin) NAT. If I understand correctly, I should be able to connect to or ping my server in my private network from the global network (WAN). In my screenshot below I configured a simple test network in PT. There is my local server behind a router with a global IP and an imitation of a WAN; I also configured RIP routing between those networks.
Please explain how it works and how I might configure this.
Just to be sure that you are not confusing things: NAT hairpinning means that an internal server is available via the public IP address, even when traffic originates on the private LAN. Is this what you want?
Thank you for your answer.
>> an internal server is available via the public IP address, even when traffic originates on the private LAN
Yes, that's correct, actually I was confused, but now you made it clear for me.
I need to connect to my server in the LAN from a PC in the same LAN via the global IP.
For a better explanation, here is an image. I need to have access to 192.168.1.2:80 via global IP 184.108.40.206 from 192.168.1.10.
Yes, you can do hairpin NAT for this, or you should be able to use domain-less PAT, which would achieve the same result; however, it can be resource intensive on the rtr, but you could try it and check, as it is the easiest way to achieve what you want.
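! LAN-facing interface (placeholder name)
interface <lan interface>
 no ip nat inside
 ip nat enable
! WAN-facing interface
interface <wan interface>
 no ip nat outside
 ip nat enable
! Static port forward for the web server, then source translation for ACL x
ip nat source static tcp <internal server> 80 <nat address> 80
ip nat source list x interface <wan interface>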
Hello @MHM Cisco World "make host in LAN get ip address from the DNS with public ip not private ip address."
This is what the OP wants to do: access the webserver via its public NATted address. However, just changing an A host record in DNS won't be enough. I would say you would still need to use hairpin NAT or NVI NAT (domain-less NAT) so the rtr can perform dual RIB lookups, once before translation towards the NVI interface and then again after to route towards the translated address.
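The translate-then-route behaviour described above, as an added example that is not part of the original thread: a small Python model (not IOS code) of one request from 192.168.1.10 to the global IP, with and without source translation. The `Router` class, the port numbers and the assumption that the NAT address is the global IP from the question are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")      # LAN from the question
CLIENT = ("192.168.1.10", 40000)        # PC from the question; source port is constructed
SERVER = ("192.168.1.2", 80)            # internal web server from the question
PUBLIC = ("184.108.40.206", 80)         # global IP exactly as written in the question


class Router:
    """Hypothetical model of the router's translation table (not IOS code)."""

    def __init__(self, hairpin):
        self.hairpin = hairpin
        self.sessions = {}              # translated (src, dst) -> original (src, dst)

    def to_server(self, src, dst):
        """Static port forward, then optional source PAT for LAN clients."""
        if dst != PUBLIC:
            return src, dst
        new_src, new_dst = src, SERVER  # destination translation; route now points into the LAN
        if self.hairpin and ip_address(src[0]) in LAN:
            new_src = (PUBLIC[0], 50000 + len(self.sessions))  # hide the client behind the router
        self.sessions[(new_src, new_dst)] = (src, dst)
        return new_src, new_dst

    def to_client(self, src, dst):
        """Undo both translations for a reply that came back to the router."""
        orig_src, orig_dst = self.sessions[(dst, src)]
        return orig_dst, orig_src


def simulate(hairpin):
    """Return (client_accepts_reply, trace) for one request and its reply."""
    router = Router(hairpin)
    trace = [("client->router", CLIENT, PUBLIC)]
    src, dst = router.to_server(CLIENT, PUBLIC)
    trace.append(("router->server", src, dst))
    reply_src, reply_dst = dst, src     # the server answers the source it saw
    if ip_address(reply_dst[0]) in LAN: # same subnet: delivered directly, router never sees it
        trace.append(("server->client", reply_src, reply_dst))
    else:                               # off-subnet: goes to the default gateway (the router)
        reply_src, reply_dst = router.to_client(reply_src, reply_dst)
        trace.append(("router->client", reply_src, reply_dst))
    # The client's TCP socket only accepts a reply from the address it connected to.
    return (reply_src, reply_dst) == (PUBLIC, CLIENT), trace


if __name__ == "__main__":
    for mode in (False, True):
        ok, trace = simulate(mode)
        print("hairpin" if mode else "port forward only", "->", "OK" if ok else "reply rejected")
        for hop in trace:
            print("   ", *hop)
```

With the port forward alone the server's reply reaches the client directly from 192.168.1.2, which does not match the connection the client opened, so the session never completes.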
Paul, thank you for your answer.
I need to configure that like @Georg Pauwen described.
I should be able to connect from my local PC to my local web server via the global IP.
Like in screenshot below.
Okay, so first of all try NVI NAT.
Follow the example I previously provided.
Are you trying to do this in Packet Tracer? Not sure if PT supports that. Post the zipped Packet Tracer project (.pkt) file.
Unfortunately PT misses the commands to configure this. You need route maps and/or domainless NAT, as Paul suggested, but neither is available in Packet Tracer.
Either way, the config would look like below:
interface Loopback1
 ip address 169.254.1.1 255.255.255.255
 ip nat inside
!
route-map PBR-HAIRPIN permit 10
 ! Assumed match clause: policy-route only the traffic selected by ACL-HAIRPIN
 match ip address ACL-HAIRPIN
 set interface Loopback1
!
ip access-list extended ACL-HAIRPIN
 permit ip 220.127.116.11 0.0.0.255 host 172.16.50.228
ip access-list extended ACL-NAT
 deny ip 172.16.50.0 0.0.0.255 172.16.50.0 0.0.0.255
 permit ip 172.16.50.0 0.0.0.255 any
!
! WAN interface (name taken from the NAT statements below)
interface GigabitEthernet4/0
 ip address 18.104.22.168 255.255.255.0
 ip nat outside
!
! LAN interface (placeholder name)
interface <LAN interface>
 ip address 172.16.50.1 255.255.255.0
 ip nat outside
 ip policy route-map PBR-HAIRPIN
!
ip nat inside source list ACL-NAT interface GigabitEthernet4/0 overload
ip nat inside source list ACL-HAIRPIN interface Loopback1 overload
ip nat inside source static tcp 22.214.171.124 80 interface GigabitEthernet4/0 80