06-15-2024 11:58 PM - edited 06-16-2024 11:54 PM
I'm trying to configure NAT hairpinning (accessing an internal address via the external address from another internal address).
Can anyone find errors on my configuration? I'm beginning to suspect it might be a DNS server issue.
Thank you all in advance.
ip name-server 192.168.2.4 8.8.8.8
ip domain name test.com
!
interface GigabitEthernet0/0/0
description internet
ip address 202.202.202.2 255.255.255.248
ip nat outside
ip nbar protocol-discovery
ip policy route-map Hairpin
negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip nbar protocol-discovery
ip access-group Local in
negotiation auto
!
interface GigabitEthernet0/0/1.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip nat inside source static tcp 192.168.2.50 80 202.202.202.2 80 extendable
ip nat inside source static tcp 192.168.2.154 502 interface GigabitEthernet0/0/0 502
ip nat inside source list HAIRPIN interface GigabitEthernet0/0/0 overload
ip nat inside source list Local interface GigabitEthernet0/0/0 overload
no ip forward-protocol nd
ip http server
ip http port 8080
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 202.202.202.1
!
ip ssh version 2
!
!
ip access-list standard Local
permit 192.168.2.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
!
ip access-list extended HAIRPIN
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
!
route-map Hairpin permit 10
match ip address HAIRPIN
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login local
length 0
transport input ssh
line vty 5 15
login local
transport input ssh
!
!
!
!
!
!
end
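Two things a reviewer would check in the configuration above are whether the route-map referenced by `ip policy` actually has a `set` clause (without one, PBR forwards the packet normally) and whether the policy is attached to an interface that hairpin traffic actually enters on. The following is an added lint script, not code from the thread; it parses a small constructed config modelled on the posted one (indented the way `show running-config` prints it) and reports those two findings.

```python
import re
# Constructed sample modelled on the thread's running-config (indented as
# 'show running-config' prints it, which the parser relies on).
SAMPLE = """\
interface GigabitEthernet0/0/0
 ip address 202.202.202.2 255.255.255.248
 ip nat outside
 ip policy route-map Hairpin
!
interface GigabitEthernet0/0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.2.50 80 202.202.202.2 80 extendable
!
route-map Hairpin permit 10
 match ip address HAIRPIN
"""

def parse_sections(cfg):
    """Map each top-level IOS command to its list of indented sub-commands."""
    sections, current = {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif line.strip() and line.strip() != "!":
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def lint_hairpin(cfg):
    """Return findings that explain why hairpin PBR in this config cannot work."""
    sec, findings, nat_side, policy = parse_sections(cfg), [], {}, {}
    for hdr, body in sec.items():
        if hdr.startswith("interface "):
            name = hdr.split(None, 1)[1]
            for sub in body:
                if sub in ("ip nat inside", "ip nat outside"):
                    nat_side[name] = sub.split()[-1]
                if (m := re.fullmatch(r"ip policy route-map (\S+)", sub)):
                    policy[name] = m.group(1)
    for intf, rm in policy.items():
        # Every sequence of the route-map, e.g. 'route-map Hairpin permit 10'
        entries = [b for h, b in sec.items() if h.startswith(f"route-map {rm} ")]
        if not any(s.startswith("set ") for b in entries for s in b):
            findings.append(f"route-map {rm} has no set clause, so PBR on {intf} changes nothing")
        if nat_side.get(intf) == "outside":
            findings.append(f"{intf}: policy sits on the NAT outside interface; hairpin traffic enters on NAT inside")
    return findings
```

Running `lint_hairpin(SAMPLE)` returns both findings; a config with the policy moved to the inside interface and a `set` line in the route-map returns an empty list.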
06-16-2024 04:28 AM
Hairpin must be configured in the steps below:
1- An interface, let's call it OUT, configured as ip nat outside
2- An interface, let's call it IN, configured as ip nat inside and with a route-map directing traffic to interface Hairpin
3- An interface, let's call it Hairpin, configured as ip nat enable (it is not inside, not outside)
4- NAT traffic from IN to Hairpin
That's all.
MHM
06-16-2024 08:33 PM - edited 06-16-2024 10:57 PM
I moved the Hairpin NAT to inside, but the problem persists. Also, "ip nat enable" does not exist on the ISR4331. More suggestions, please?
06-17-2024 01:18 AM
Sorry for that. I will check; I know one other way, but I need to test it first.
Thanks for waiting.
MHM
06-16-2024 06:25 AM - edited 06-16-2024 06:25 AM
Hello @erdene
Test the hairpinning functionality by attempting to access internal resources using their external IP addresses from internal hosts. Monitor for any error messages, logs, or packet drops that may indicate issues with NAT translations, ACLs, or routing.
Use debugging commands like debug ip nat / debug ip packet to troubleshoot NAT translations and packet flows in real-time. Exercise caution when enabling debugging in production environments to avoid excessive logging and performance impact.
06-17-2024 01:44 AM
Hello
@erdene wrote:
I moved the Hairpin NAT to inside, but the problem persists. Also, "ip nat enable" does not exist on the ISR4331. More suggestions, please?
Try this attached file for domain NAT regarding hairpin.
06-17-2024 09:01 PM
Hello Paul,
This configuration is really interesting. But the ISR4331 does not recognize the "ip nat enable" line. In my understanding it is configured using inside and outside interfaces. Do you have a workaround?
Thank you
06-18-2024 02:25 AM
Hello
@erdene wrote:
This configuration is really interesting. But the ISR4331 does not recognize the "ip nat enable" line. In my understanding it is configured using inside and outside interfaces. Do you have a workaround?
Humm... FYI, I had already removed the first post pertaining to domainless NAT and added a new post with domain NAT; the attachment clearly shows this. Follow that attachment and hairpin should work accordingly.
06-19-2024 04:44 AM
You need ip nat enable to re-NAT, i.e. double NAT.
In your case I don't think you need that.
So what @paul driver suggests is correct.
Check his attached file.
MHM