NAT / Hairpinning / NVI

martinnigsch
Level 1

Hi all,

Despite multiple discussions on NAT / Hairpinning / NVI I don't seem to really get it. What I want to do is the following:

 * I've got a server at 192.168.1.240:80 and :443 running which I'd like to NAT to a static outside IP (XXX.XXX.XXX.XXX)
 * I'd like to be capable from the internal subnet 192.168.1.* to get to the above internal server by doing curl -L https://XXX.XXX.XXX.XXX:443 and be re-routed (NATed) to 192.168.1.240

Somehow I've got something wrong -- also I'm not sure I've set up NVI NAT correctly. Any assistance would be greatly appreciated.

Please find below my configuration.

Current configuration : 3597 bytes
!
! Last configuration change at 22:02:56 CEST Sun Sep 18 2022 by admin
! NVRAM config last updated at 22:05:15 CEST Sun Sep 18 2022 by admin
!
version 15.8
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec
no service password-encryption
!
hostname k7b
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 **********************
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.240 192.168.1.250
!
ip dhcp pool base
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server yyy.yyy.yyy.yyy yyy.yyy.yyy.yyy
!
ip dhcp pool alien
 host 192.168.1.100 255.255.255.0
 client-identifier ****.****.****.**
 client-name alien
!
ip dhcp pool nfs
 host 192.168.1.101 255.255.255.0
 client-identifier ****.****.****.**
 client-name nfs
!
ip dhcp pool merkur
 host 192.168.1.102 255.255.255.0
 client-identifier ****.****.****.**
 client-name merkur
!
!
!
!
ip domain name example.com
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid C931-4P sn *******
!
!
username admin password 0 ********
!
redundancy
!
!
!
!
!
!
interface GigabitEthernet0
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 switchport mode access
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 ip dhcp client client-id ascii k7b
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet5
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan10
 ip address 192.168.0.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat pool base 192.168.1.0 192.168.200.255 netmask 255.255.0.0
ip nat inside source list 1 interface GigabitEthernet4 overload
ip nat inside source static tcp 192.168.1.240 80 XXX.XXX.XXX.XXX 80 extendable
ip nat inside source static tcp 192.168.1.240 443 XXX.XXX.XXX.XXX 443 extendable
ip nat inside source static tcp 192.168.1.100 22 XXX.XXX.XXX.XXX 2222 extendable
ip nat inside source static tcp 192.168.1.102 6443 XXX.XXX.XXX.XXX 6443 extendable
ip nat inside source static tcp 192.168.1.99 80 XXX.XXX.XXX.XXX 7777 extendable
ip nat inside source static tcp 192.168.1.101 21 XXX.XXX.XXX.XXX 8989 extendable
ip nat inside source static tcp 192.168.1.101 20 XXX.XXX.XXX.XXX 50020 extendable
ip nat inside source static tcp 192.168.1.101 21 XXX.XXX.XXX.XXX 50021 extendable
ip nat inside source static tcp 192.168.1.101 80 XXX.XXX.XXX.XXX 50080 extendable
ip nat inside source static tcp 192.168.1.101 8543 XXX.XXX.XXX.XXX 58543 extendable
ip route 192.168.5.100 255.255.255.255 192.168.1.100
ip ssh version 2
!
!
!
access-list 1 permit XXX.XXX.XXX.XXX
access-list 1 permit 192.168.100.100
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 0.at.pool.ntp.org minpoll 10
!
end

6 Replies

but the core of NVI is using

ip nat enable

no more ip nat inside and ip nat outside

Hello, thanks for the reply -- I got confused with different blog posts.

I've updated my configuration to use ip nat enable and turned off ip nat inside and ip nat outside; however, I notice two things.

1) Basic NAT works, but internet access from behind the NAT (192.168.1.xxx) is very slow to build up -- I seem to have introduced some kind of confusion in there.

2) Hairpinning doesn't work: no access is possible from 192.168.1.xxx to XXX.XXX.XXX.XXX as from outside. Any idea how to fix that?

Below is my updated (much simpler) configuration.

version 15.8
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec
no service password-encryption
!
hostname k7b
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$2iKo$llXBSoO8.MJ653mk/gWuG.
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.240 192.168.1.250
!
ip dhcp pool base
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 185.67.172.25 185.67.172.26
!
ip dhcp pool alien
 host 192.168.1.100 255.255.255.0
 client-identifier 0130.d042.e15a.1e
 client-name alien
!
!
!
no ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid C931-4P sn PSZ23471M4K
!
!
username admin password 0 ********
!
redundancy
!
!
!
!
!
!
interface GigabitEthernet0
 switchport mode access
 no ip address
!
interface GigabitEthernet1
 switchport mode access
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 ip dhcp client client-id ascii k7b
 ip address dhcp
 no ip redirects
 ip nat enable
 duplex auto
 speed auto
!
interface GigabitEthernet5
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nat enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat source list 1 interface GigabitEthernet4 overload
ip nat source static tcp 192.168.1.240 80 XXX.XXX.XXX.XXX 80 extendable
ip nat source static tcp 192.168.1.240 443 XXX.XXX.XXX.XXX 443 extendable
ip nat source static tcp 192.168.1.100 22 XXX.XXX.XXX.XXX 2222 extendable
ip nat source static tcp 192.168.1.99 80 XXX.XXX.XXX.XXX 7777 extendable
ip nat source static tcp 192.168.1.101 21 XXX.XXX.XXX.XXX 8989 extendable
ip nat source static tcp 192.168.1.101 20 XXX.XXX.XXX.XXX 50020 extendable
ip nat source static tcp 192.168.1.101 21 XXX.XXX.XXX.XXX 50021 extendable
ip nat source static tcp 192.168.1.101 80 XXX.XXX.XXX.XXX 50080 extendable
ip nat source static tcp 192.168.1.101 8543 XXX.XXX.XXX.XXX 58543 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet4
ip ssh version 2
!
!
!
access-list 1 permit XXX.XXX.XXX.XXX
access-list 1 permit 192.168.100.100
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 0.at.pool.ntp.org minpoll 10
!
end

Hello
Try the following:

no access-list 1
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet4
access-list 1 deny host 192.168.1.99
access-list 1 deny host 192.168.1.100
access-list 1 deny host 192.168.1.101
access-list 1 deny host 192.168.1.240
access-list 1 permit 192.168.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 GigabitEthernet4 dhcp

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Great stuff, thanks a lot! It works -- but I've got no clue really what the mistake was that I was making. Could you explain maybe in a few words what the (obvious?) mistakes were that I've made?

Thanks a lot!
Martin

Here, for the community's reference, is the working NAT / NVI / hairpinning solution for running a server behind a Cisco router with NAT.

Current configuration : 3277 bytes
!
! Last configuration change at 19:14:24 CEST Mon Sep 26 2022 by admin
! NVRAM config last updated at 22:05:15 CEST Sun Sep 18 2022 by admin
!
version 15.8
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec
no service password-encryption
!
hostname k7b
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ****
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.240 192.168.1.250
!
ip dhcp pool base
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 185.67.172.xx 185.67.172.xx
!
ip dhcp pool alien
 host 192.168.1.100 255.255.255.0
 client-identifier 0130.d042.e15a.1e
 client-name alien
!
ip dhcp pool nfs
 host 192.168.1.101 255.255.255.0
 client-identifier 0100.00c0.3993.ee
 client-name nfs
!
ip dhcp pool merkur
 host 192.168.1.102 255.255.255.0
 client-identifier ffb6.220f.eb00.0200.00ab.1144.6ab2.36bf.6410.0e
 client-name merkur
!
!
!
no ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid C931-4P sn PSZ23471M4K
!
!
username admin password 0 ********
!
redundancy
!
!
!
!
!
!
interface GigabitEthernet0
 switchport mode access
 no ip address
!
interface GigabitEthernet1
 switchport mode access
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 ip dhcp client client-id ascii k7b
 ip address dhcp
 no ip redirects
 ip nat enable
 duplex auto
 speed auto
!
interface GigabitEthernet5
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nat enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat source list 1 interface GigabitEthernet4 overload
ip nat source static tcp 192.168.1.240 80 XXX.XXX.XXX.XXX 80 extendable
ip nat source static tcp 192.168.1.240 443 XXX.XXX.XXX.XXX 443 extendable
ip nat source static tcp 192.168.1.100 22 XXX.XXX.XXX.XXX 2222 extendable
ip nat source static tcp 192.168.1.99 80 XXX.XXX.XXX.XXX 7777 extendable
ip nat source static tcp 192.168.1.101 21 XXX.XXX.XXX.XXX 8989 extendable
ip nat source static tcp 192.168.1.101 20 XXX.XXX.XXX.XXX 50020 extendable
ip nat source static tcp 192.168.1.101 21 XXX.XXX.XXX.XXX 50021 extendable
ip nat source static tcp 192.168.1.101 80 XXX.XXX.XXX.XXX 50080 extendable
ip nat source static tcp 192.168.1.101 8543 XXX.XXX.XXX.XXX 58543 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet4 dhcp
ip ssh version 2
!
!
!
!
access-list 1 deny 192.168.1.99
access-list 1 deny 192.168.1.100
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 0.at.pool.ntp.org minpoll 10
!
end
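The three things this thread corrected (keeping the statically translated hosts out of the dynamic overload list, appending the dhcp keyword to the default route on a DHCP-addressed WAN interface, and not mixing ip nat inside/outside with ip nat enable / ip nat source) can be turned into a small config check. The Python below is an added example, not part of this thread and not a Cisco tool. It parses a constructed excerpt of the NVI configuration posted earlier in the thread, with 203.0.113.10 standing in for XXX.XXX.XXX.XXX, and compares the result with the same excerpt after the accepted answer's changes; the check names and the decision to parse only the statement forms that appear in this thread are my own.

```python
import ipaddress
import re

# Constructed sample: NAT-relevant lines of the NVI config posted earlier in this thread.
# 203.0.113.10 is a documentation address standing in for the thread's XXX.XXX.XXX.XXX.
COMMON = """\
interface GigabitEthernet4
 ip address dhcp
 ip nat enable
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat enable
!
ip nat source list 1 interface GigabitEthernet4 overload
ip nat source static tcp 192.168.1.240 443 203.0.113.10 443 extendable
ip nat source static tcp 192.168.1.100 22 203.0.113.10 2222 extendable
"""
BEFORE_CONFIG = COMMON + """\
ip route 0.0.0.0 0.0.0.0 GigabitEthernet4
access-list 1 permit 203.0.113.10
access-list 1 permit 192.168.100.100
access-list 1 permit 192.168.1.0 0.0.0.255
"""
# The same excerpt after the accepted answer: static hosts denied, dhcp keyword on the route.
AFTER_CONFIG = COMMON + """\
ip route 0.0.0.0 0.0.0.0 GigabitEthernet4 dhcp
access-list 1 deny host 192.168.1.100
access-list 1 deny host 192.168.1.240
access-list 1 permit 192.168.1.0 0.0.0.255
"""

STATIC_RE = re.compile(r"^ip nat (inside )?source static (?:tcp|udp) (\S+) \d+ (\S+) \d+")
DYNAMIC_RE = re.compile(r"^ip nat (inside )?source list (\S+) interface (\S+) overload")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)( dhcp)?$")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (?:host )?(\S+)(?: (\S+))?$")


def parse_config(text):
    """Collect the interfaces, NAT statements, routes and standard ACLs the checks need."""
    cfg = {"interfaces": {}, "static": [], "dynamic": [], "routes": [], "acls": {}}
    iface = None
    for line in text.splitlines():
        if line.startswith("interface "):
            iface = {"name": line.split()[1], "dhcp": False, "subnet": None, "mode": None}
            cfg["interfaces"][iface["name"]] = iface
        elif line.startswith(" ") and iface is not None:          # interface sub-command
            sub = line.strip()
            if sub == "ip address dhcp":
                iface["dhcp"] = True
            elif sub.startswith("ip address "):
                _, _, addr, mask = sub.split()
                iface["subnet"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            elif sub in ("ip nat inside", "ip nat outside"):
                iface["mode"] = "domain"
            elif sub == "ip nat enable":
                iface["mode"] = "nvi"
        else:                                                       # global command or "!"
            iface = None
            if m := STATIC_RE.match(line):
                cfg["static"].append({"mode": "domain" if m[1] else "nvi", "inside": m[2]})
            elif m := DYNAMIC_RE.match(line):
                cfg["dynamic"].append({"mode": "domain" if m[1] else "nvi", "acl": m[2]})
            elif m := ROUTE_RE.match(line):
                cfg["routes"].append({"dest": m[1], "via": m[3], "dhcp": bool(m[4])})
            elif m := ACL_RE.match(line):
                # A bare address is a host; a trailing wildcard is an IOS host mask.
                net = ipaddress.ip_network(f"{m[3]}/{m[4]}" if m[4] else m[3], strict=False)
                cfg["acls"].setdefault(m[1], []).append((m[2], net))
    return cfg


def acl_action(entries, addr):
    """First matching entry wins; an IOS standard ACL ends with an implicit deny."""
    ip = ipaddress.ip_address(addr)
    for action, net in entries:
        if ip in net:
            return action
    return "deny"


def lint_nat(text):
    """Return (check, detail) findings for the NAT problems this thread ran into."""
    cfg = parse_config(text)
    found = []
    modes = {i["mode"] for i in cfg["interfaces"].values() if i["mode"]}
    modes |= {r["mode"] for r in cfg["static"] + cfg["dynamic"]}
    if len(modes) > 1:
        found.append(("mixed-nat-modes", "ip nat inside/outside mixed with ip nat enable / ip nat source"))
    local = [i["subnet"] for i in cfg["interfaces"].values() if i["subnet"]]
    for dyn in cfg["dynamic"]:
        entries = cfg["acls"].get(dyn["acl"], [])
        for host in sorted({s["inside"] for s in cfg["static"]}):
            if acl_action(entries, host) == "permit":
                found.append(("static-host-in-dynamic-acl", f"{host} is permitted by list {dyn['acl']}"))
        for action, net in entries:
            if action == "permit" and not any(net.subnet_of(n) for n in local):
                found.append(("acl-permits-non-local", f"list {dyn['acl']} permits {net}, not a connected subnet"))
    for rt in cfg["routes"]:
        via = cfg["interfaces"].get(rt["via"])
        if rt["dest"] == "0.0.0.0" and via and via["dhcp"] and not rt["dhcp"]:
            found.append(("default-route-missing-dhcp", f"default route via DHCP interface {rt['via']} lacks 'dhcp'"))
    return found


if __name__ == "__main__":
    for label, text in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, lint_nat(text))
```

On the "before" excerpt the check reports the two static hosts still permitted by list 1, the two permit entries for addresses that are not on any connected subnet, and the default route without the dhcp keyword; on the "after" excerpt it reports nothing. The non-local permits are flagged because a source list for overload only ever matches traffic from the inside; entries for the public address or for 192.168.100.100 can never match and only obscure what the list is for.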

A further problem -- now I can't seem to reach internet via Giga 4 any more from e.g. 192.168.1.100. 

Can I just delete the "access-list 1 deny host 192.168.1.100"? Or do I cause trouble to the NVI nat like so?

Hello

NVI NAT (domainless NAT - no inside/outside domains): using this changes the way NAT works, as now two routing decisions are made, before and after translation. This is different from the "old" legacy NAT order of operation in domain NAT, and thus made hairpinning much easier to work with upon implementation.

The default route was set to ARP for every host that's not local to the site, plus it required the DHCP keyword appended so the router would obtain the next-hop WAN IP address.

Lastly, the access-list required changing so the router would refrain from using those specific hosts for dynamic NAT; I would say, if you required further dynamic allocation based on a specific host within that access-list


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
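The "two routing decisions, before and after translation" point is easier to see in a toy model. The Python below is an added example (mine, not the poster's, and not how IOS implements NAT internally): it models the order of operations described above, with 203.0.113.10 standing in for XXX.XXX.XXX.XXX and 198.51.100.7 as an arbitrary Internet client, and shows why a LAN client's request to the public address stops at the router under single-decision domain NAT (Vlan1 inside, GigabitEthernet4 outside) but reaches the server, and gets its reply from the expected address, with the route / translate / route sequence. The session table, the overload port range and the one-entry ACL are assumptions of the model.

```python
import ipaddress

# Constructed addresses: 203.0.113.10 stands in for the thread's XXX.XXX.XXX.XXX.
WAN_IP = "203.0.113.10"
LAN = ipaddress.ip_network("192.168.1.0/24")
SERVER = "192.168.1.240"
STATIC = {(WAN_IP, 443): (SERVER, 443)}         # the thread's HTTPS port forward
STATIC_REV = {v: k for k, v in STATIC.items()}  # server:443 -> WAN:443 for the server's replies
ACL_DENY = {SERVER}                              # accepted answer: static hosts stay out of list 1


def route(dst):
    """Toy FIB: the router's own WAN address is 'local', the LAN is connected, the rest is default."""
    if dst == WAN_IP:
        return "local"
    if ipaddress.ip_address(dst) in LAN:
        return "Vlan1"
    return "GigabitEthernet4"


def acl_permits(src):
    """Simplified list 1: permit the LAN except the hosts that have static entries."""
    return src not in ACL_DENY and ipaddress.ip_address(src) in LAN


class Router:
    """nvi=False: legacy domain NAT (Vlan1 inside, Gi4 outside). nvi=True: ip nat enable on both."""

    def __init__(self, nvi):
        self.nvi = nvi
        self.sessions = {}      # (WAN_IP, port) -> (inside address, inside port) for overload
        self.next_port = 1024   # assumed start of the overload port range

    def forward(self, pkt, ingress):
        """Return (egress, packet as it leaves) for one packet arriving on `ingress`."""
        egress = None
        if self.nvi or ingress == "Vlan1":               # route first: NVI always, domain inside->outside
            egress = route(pkt["dst"])
        if self.nvi or ingress == "GigabitEthernet4":    # destination rewrite
            key = (pkt["dst"], pkt["dport"])
            if key in STATIC:
                pkt = dict(pkt, dst=STATIC[key][0], dport=STATIC[key][1])
            elif key in self.sessions:
                pkt = dict(pkt, dst=self.sessions[key][0], dport=self.sessions[key][1])
        if self.nvi or (ingress == "Vlan1" and egress == "GigabitEthernet4"):   # source rewrite
            src = (pkt["src"], pkt["sport"])
            if src in STATIC_REV:
                pkt = dict(pkt, src=STATIC_REV[src][0], sport=STATIC_REV[src][1])
            elif acl_permits(pkt["src"]):
                self.sessions[(WAN_IP, self.next_port)] = src
                pkt = dict(pkt, src=WAN_IP, sport=self.next_port)
                self.next_port += 1
        if self.nvi or ingress == "GigabitEthernet4":    # route again: NVI always, domain outside->inside
            egress = route(pkt["dst"])
        return egress, pkt


def hairpin(router, client="192.168.1.50"):
    """LAN client opens WAN_IP:443. Returns (egress of the request, (egress, packet) of the reply)."""
    req = {"src": client, "sport": 40000, "dst": WAN_IP, "dport": 443}
    egress, out = router.forward(req, "Vlan1")
    if egress != "Vlan1" or out["dst"] != SERVER:
        return egress, None                  # the server never saw the request
    reply = {"src": SERVER, "sport": 443, "dst": out["src"], "dport": out["sport"]}
    return egress, router.forward(reply, "Vlan1")


def inbound(router, outside="198.51.100.7"):
    """Internet client opens WAN_IP:443; this path works in both modes."""
    req = {"src": outside, "sport": 5555, "dst": WAN_IP, "dport": 443}
    return router.forward(req, "GigabitEthernet4")


if __name__ == "__main__":
    print("domain NAT hairpin:", hairpin(Router(nvi=False)))
    print("NVI hairpin:", hairpin(Router(nvi=True)))
```

With domain NAT the request from the LAN client is routed once, to the router's own address, before any translation is considered, so it is consumed locally. With NVI the first decision also says "local", the static entry then rewrites the destination to the server, the overload entry rewrites the client's source to the WAN address so the server's reply comes back through the router, and the second decision sends the rewritten packet out Vlan1; the reply is reversed through the same table and arrives at the client from 203.0.113.10:443, the address it connected to.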