NAT Hairpinning on ISR4331 with my current configuration doesn't work

erdene
Level 1

I'm trying to configure NAT Hairpinning (accessing internal address via external address from another internal address)
Can anyone find errors on my configuration? I'm beginning to suspect it might be a DNS server issue.

Thank you all in advance.


ip name-server 192.168.2.4 8.8.8.8
ip domain name test.com
!
interface GigabitEthernet0/0/0
description internet
ip address 202.202.202.2 255.255.255.248
ip nat outside
ip nbar protocol-discovery
ip policy route-map Hairpin
negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip nbar protocol-discovery
ip access-group Local in
negotiation auto
!
interface GigabitEthernet0/0/1.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip nat inside source static tcp 192.168.2.50 80 202.202.202.2 80 extendable
ip nat inside source static tcp 192.168.2.154 502 interface GigabitEthernet0/0/0 502
ip nat inside source list HAIRPIN interface GigabitEthernet0/0/0 overload
ip nat inside source list Local interface GigabitEthernet0/0/0 overload
no ip forward-protocol nd
ip http server
ip http port 8080
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 202.202.202.1
!
ip ssh version 2
!
!
ip access-list standard Local
permit 192.168.2.0 0.0.0.255
permit 192.168.1.0 0.0.0.255

!
ip access-list extended HAIRPIN
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
!
route-map Hairpin permit 10
match ip address HAIRPIN
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login local
length 0
transport input ssh
line vty 5 15
login local
transport input ssh
!
!
!
!
!
!
end

8 Replies

Hairpin must be configured in the steps below:
1- An interface, let's call it OUT, configured as ip nat outside.
2- An interface, let's call it IN, configured as ip nat inside and with a route-map directing traffic to the Hairpin interface.
3- An interface, let's call it Hairpin, configured with ip nat enable (it is neither inside nor outside).
4- NAT traffic from IN to Hairpin.

That's all.

MHM

I moved Hairpin nat to inside, problem persists. Also "ip nat enable" does not exist on ISR4331. More suggestions please?

Sorry for that. I will check; I know one other way but I need to test it first.

Thanks for waiting.

MHM

M02@rt37
VIP

Hello @erdene 

Test the hairpinning functionality by attempting to access internal resources using their external IP addresses from internal hosts. Monitor for any error messages, logs, or packet drops that may indicate issues with NAT translations, ACLs, or routing.

Use debugging commands like debug ip nat / debug ip packet to troubleshoot NAT translations and packet flows in real-time. Exercise caution when enabling debugging in production environments to avoid excessive logging and performance impact.


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
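A verification sequence for the checks suggested in the reply above, added here as an example; it is not from any post in this thread. It assumes an inside test client at 192.168.2.100 on GigabitEthernet0/0/1 (a constructed address), the static mapping 192.168.2.50:80 to 202.202.202.2:80 from the posted configuration, an SSH session to the router, and a constructed debug filter ACL numbered 150. Two points about the posted configuration that these commands make visible: policy routing is evaluated only on packets entering the interface it is applied to, and `ip policy route-map Hairpin` is applied to GigabitEthernet0/0/0 (the outside interface), so traffic originated by an inside host never reaches that route-map; and both the route-map and the `HAIRPIN` NAT list match on pre-translation addresses, where the destination of a hairpinned packet is 202.202.202.2 rather than an address in 192.168.0.0/16, so `permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255` does not match it either.

```ios
! Added verification example, not part of the original thread.
! Assumed: test client 192.168.2.100 (constructed), server 192.168.2.50:80 behind the
! static mapping to 202.202.202.2:80 taken from the posted configuration.

! 1. Confirm the static entry is present and whether any dynamic entry is built
!    for the test client when it connects to the public address.
show ip nat translations | include 202.202.202.2
show ip nat translations verbose | include 192.168.2.100
show ip nat statistics

! 2. Confirm where the policy route-map is applied and whether it ever matches.
!    "Policy routing matches: 0 packets" after a test from 192.168.2.100 means the
!    inside-originated traffic never reaches the map (it is applied to Gi0/0/0 ingress).
show ip policy
show route-map Hairpin

! 3. Hit counts on the ACLs used by NAT and by the route-map. A HAIRPIN count that
!    stays at zero during the test confirms the pre-translation destination
!    202.202.202.2 is outside 192.168.0.0/16 and is not matched.
show ip access-lists HAIRPIN
show ip access-lists Local

! 4. Watch translations only for the test flows so the router is not flooded.
!    ACL 150 is constructed for this test; remove it afterwards.
configure terminal
access-list 150 permit tcp host 192.168.2.100 host 202.202.202.2 eq 80
access-list 150 permit tcp host 192.168.2.50 eq 80 any
end
terminal monitor
debug ip nat 150
! From the test client (constructed usage):  curl -v http://202.202.202.2/
! Expected if hairpinning works: one outside->inside translation of the destination
! to 192.168.2.50:80 and one inside->outside translation of the client source.
! No debug output at all means the packet is being forwarded without NAT processing
! in the hairpin direction.
undebug all
configure terminal
no access-list 150
end
```

Run the `show` commands once before and once after the client test so the counters can be compared; the NAT statistics "Hits/Misses" line and the route-map match counter are the two numbers that change when the hairpin path is actually being taken.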

Hello


@erdene wrote:


I moved Hairpin nat to inside, problem persists. Also "ip nat enable" does not exist on ISR4331. More suggestions please?


Try this attached file for domain NAT regarding hairpin.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul,

This configuration is really interesting. But the ISR4331 does not recognize the "ip nat enable" line. In my understanding, it's configured using inside and outside interfaces. Do you have a workaround?

Thank you

Hello


@erdene wrote:

This configuration is really interesting. But, as ISR4331 does not recognize "ip nat enable" line. In my understanding it's configured using inside and outside interface. Do you have workaround?



Humm... FYI, I had already removed the first post pertaining to domainless NAT and added a new post with domain NAT; the attachment clearly shows this. Follow that attachment and hairpin should work accordingly.



Kind Regards
Paul

You need ip nat enable to re-NAT, i.e. double NAT.

In your case I don't think you need that.

So what @paul driver suggests is correct.

Check his attached file.

MHM
