Loopback NAT

ValeriyBaybekov
Level 1

Hello everyone, I need to configure loopback (hairpin) NAT. If I understand correctly, I should be able to connect to or ping my server in my private network from the global network (WAN). In my screenshot below I configured a simple test network in PT. There is my local server behind a router with a global IP and an imitation of the WAN; I also configured RIP routing between those networks.

Please explain how it works and how I might configure this.

 


Hello,

Just to be sure that you are not confusing things: NAT hairpinning means that an internal server is available via the public IP address, even when traffic originates on the private LAN. Is this what you want?

Thank you for your answer.

>> an internal server is available via the public IP address, even when traffic originates on the private LAN
Yes, that's correct. Actually I was confused, but now you made it clear for me.
I need to connect to my server in the LAN from a PC in the same LAN via the global IP.

For a better explanation, here is an image. I need to have access to 192.168.1.2:80 via global IP 1.1.1.1 from 192.168.1.10.

Hello
Yes, you can do hairpin NAT for this, or you should be able to use domain-less PAT, which would achieve the same result. However, it can be resource intensive on the rtr, but you could try it and check, as it is the easiest way to achieve what you want.

 

Example:
interface x/x
 ! LAN facing
 no ip nat inside
 ip nat enable
!
interface x/x
 ! WAN facing
 no ip nat outside
 ip nat enable
!
ip nat source static tcp <internal server> 80 <nat address> 80
ip nat source list x interface <wan interface>


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Friend, config DNS and make host in LAN get IP address from the DNS with public IP, not private IP address.

Hello @MHM Cisco World "make host in LAN get ip address from the DNS with public ip not private ip address."
This is what the OP wants to do: access the web server via its public NATted address. However, just changing an A host record in DNS won't be enough. I would say you would still need to use hairpin NAT or NVI NAT (domain-less NAT) so the rtr can perform dual RIB lookups, once before translation towards the NVI interface and then again after, to route towards the translated address.



Kind Regards
Paul
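
A packet walk for the addresses used in this thread, as an added example that is not from any poster or from Cisco: a simplified Python model (not a reproduction of IOS internals) of why the router has to translate the source as well as the destination when client and server share a LAN. The client source port 40000 and the translated port 50000 are constructed values.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Pkt = namedtuple("Pkt", "src sport dst dport")

LAN = ip_network("192.168.1.0/24")    # LAN from the thread
PUBLIC = "1.1.1.1"                    # router's global IP (thread)
SERVER = ("192.168.1.2", 80)          # internal web server (thread)
STATIC = {(PUBLIC, 80): SERVER}       # static port forward
NAT_PORT = 50000                      # constructed translated source port


def router_forward(pkt, translate_source):
    """Client -> server: destination NAT, optionally source NAT as well."""
    dst, dport = STATIC[(pkt.dst, pkt.dport)]
    state = {}
    if translate_source:
        state[(PUBLIC, NAT_PORT)] = (pkt.src, pkt.sport)
        pkt = pkt._replace(src=PUBLIC, sport=NAT_PORT)
    return pkt._replace(dst=dst, dport=dport), state


def reply_seen_by_client(request, translate_source):
    """Return the server's reply as it arrives at the client."""
    fwd, state = router_forward(request, translate_source)
    reply = Pkt(fwd.dst, fwd.dport, fwd.src, fwd.sport)  # server answers
    if ip_address(reply.dst) in LAN:
        # Same subnet: the server delivers directly, so the router never
        # sees the reply and cannot restore the public source address.
        return reply
    # Reply is addressed to the router: undo both translations.
    client, cport = state[(reply.dst, reply.dport)]
    return reply._replace(src=request.dst, sport=request.dport,
                          dst=client, dport=cport)


def client_accepts(request, reply):
    """A TCP client only accepts a reply from the endpoint it contacted."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)


REQUEST = Pkt("192.168.1.10", 40000, PUBLIC, 80)  # source port is constructed

if __name__ == "__main__":
    for snat in (False, True):
        reply = reply_seen_by_client(REQUEST, snat)
        print(f"source NAT={snat}: {reply} accepted={client_accepts(REQUEST, reply)}")
```
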

Paul, thank you for your answer.

I need to configure that like @Georg Pauwen described.
I should be able to connect from my local PC to my local web server via the global IP,
like in the screenshot below.

Hello
Okay, so first of all try NVI NAT.
Follow the example I previously provided.



Kind Regards
Paul

Look what I've got. Does that mean that something blocks the connection? Should I dig into the ACL?


Hello,

Are you trying to do this in Packet Tracer? Not sure if PT supports that. Post the zipped Packet Tracer project (.pkt) file.

Sure

Hello,

 

unfortunately PT misses the commands to configure this. You need route maps and/or domainless NAT, as Paul suggested, but neither are available in Packet Tracer.

 

Either way, the config would look like below:

 

interface Loopback1
 description NAT-HAIRPIN
 ip address 169.254.1.1 255.255.255.255
 ip nat inside
!
route-map PBR-HAIRPIN permit 10
 set interface Loopback1
!
ip access-list extended ACL-HAIRPIN
 permit ip 172.16.50.0 0.0.0.255 host 172.16.50.228
!
ip access-list extended ACL-NAT
 deny ip 172.16.50.0 0.0.0.255 172.16.50.0 0.0.0.255
 permit ip 172.16.50.0 0.0.0.255 any
!
interface GigabitEthernet4/0
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet5/0
 description LAN
 ip address 172.16.50.1 255.255.255.0
 ip nat outside
 ip policy route-map PBR-HAIRPIN
!
ip nat inside source list ACL-NAT interface GigabitEthernet4/0 overload
ip nat inside source list ACL-HAIRPIN interface Loopback1 overload
ip nat inside source static tcp 172.16.50.228 80 interface GigabitEthernet4/0 80

 

 

OK, will try something, many thanks to you @Georg Pauwen @paul driver
