NAT Hairpinning without NVI on ISR C1111

martinnigsch
Level 1

Hi all,

I had a NAT setup with hairpinning that I liked, but can't replicate it on my new router that doesn't have NVI any more. I tried now to do the most basic, simple setup -- starting from scratch with a new router and one new device. Still, with the "legacy" way of doing NAT w/hairpinning, I can't get it to work. 

Could you please assist me? The goal is as follows:

  • One public IP on Gig0/0/0 that'll be 12.12.12.33
  • Several devices connected via Gig0/1/6 receiving an IP address from the range 192.168.1.10 - 192.168.1.254
    • The devices should be able to connect to the internet by all using the 12.12.12.33 address (if it helps, there'd be also the IP address 12.12.12.34 available for NAT on the same interface Gig0/0/0)

Really -- nothing special. My OS Version is 17.6 -- as just by browsing manuals and this forum, I can't get it to work, I think it'd be worthwhile to debug my config here and document a working version for this OS Version once and for good. Sorry for the re-annoyance ........

Below is my config:

Mon Aug 07 2023 18:29:56 GMT+0200 (Central European Summer Time)
===================================================================================
#show run
Building configuration...
Current configuration : 8060 bytes
!
! Last configuration change at 16:19:05 UTC Mon Aug 7 2023 by admin
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
!
!
!
ip dhcp use subscriber-id client-id
ip dhcp subscriber-id interface-name
ip dhcp excluded-address 192.168.1.0 192.168.1.10
ip dhcp excluded-address 192.168.1.255 255.255.255.255
!
ip dhcp pool base
 network 192.168.1.0 255.255.255.0
 dns-server X.X.X.X Y.Y.Y.Y
 default-router 192.168.1.1 
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
! 
! 
! 
! 
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
no license feature hseck9
license udi pid C1111-8P sn FCZ2631R3G1
license boot suite FoundationSuiteK9
license boot level appxk9
license boot level uck9
license boot level securityk9
memory free low-watermark processor 70210
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
 mode none
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
! 
!
!
!
!
!
!
!
!
!
!
!
! 
! 
!
!
interface Loopback0
 ip address 169.254.255.254 255.255.255.255
 ip nat inside
!
interface GigabitEthernet0/0/0
 ip address 12.12.12.33 255.255.255.248
 no ip redirects
 negotiation auto
 spanning-tree portfast trunk
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
 switchport mode access
!
interface GigabitEthernet0/1/7
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nat inside
!
interface Vlan60
 no ip address
 ip nat outside
 ip policy route-map PBR
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip nat inside source list Hairpin-NAT interface GigabitEthernet0/0/0 overload
ip nat inside source list Public-NAT interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 45.152.53.38
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
!
!
ip access-list extended Hairpin-NAT
 20 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.1
ip access-list extended Public-NAT
 10 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 20 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list standard 1
 10 permit 12.12.12.33
 20 permit 192.168.1.0 0.0.0.255
 30 permit any
!
route-map PBR permit 10 
 set interface Loopback0
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
!
end

Peter Paluch
Cisco Employee

Hello Martin,

It's been a while since I've tried this : ) But let me see...

Looking at your configuration, I believe you have a few mistakes and a few unclear spots for me there.

1. You said you are attempting to do a hairpin NAT but from your configuration, I cannot determine which interface is the hairpinning interface - the one that effectively needs to be both NAT inside and outside at the same time. To me, it seems that the inside hosts are behind interface Vlan1 and the outside world is behind Gi0/0/0 - but that is not a hairpinning NAT, just a classic NAT/PAT. Can you please clarify?

2. Your outside NAT interface is Vlan60 but that one does not have any IP address configured. That doesn't quite make sense. From your configuration, I'm getting the feeling that the "WAN" interface is Gi0/0/0 and that one should be configured as NAT outside - yet it isn't.

3. Likewise, the PBR policy to force the incoming traffic through the Loopback is applied to interface Vlan60 but since that one is without an IP address, the configuration can never work. Can you clarify what was the intent here?

4. Your default route is configured twice, once through a next-hop IP address which does not seem to be reachable as you do not have any interface with a directly attached 45.152.53.x network, and second through Gi0/0/0 without a next-hop address which is a huge no-no (in short - massive ARP traffic, massive ARP cache, massive CEF adjacency table, and a complete dependency on the upstream router having Proxy ARP enabled). You should never configure a static route pointing out an Ethernet interface without specifying the next-hop interface.

Perhaps we should start by clarifying whether you have a case for a hairpin NAT at all, and continue from there. Would you be so kind to respond to the questions above and clarify what is - to your expectation - the interface in the inside private part of the network, and what is the interface with the global public addresses?

Best regards,
Peter
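As an added illustration (not code from this thread, from Cisco, or from either poster), here is a small Python linter that applies the checks Peter raises above to a constructed excerpt of the posted config: a NAT outside or PBR interface with no IP address, a static route whose next hop lies on no connected network, and a static route pointing out an Ethernet interface with no next-hop address. The function names parse_interfaces and lint, and the CONFIG excerpt, are assumptions made for this example.

```python
import ipaddress
import re

CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 12.12.12.33 255.255.255.248
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Vlan60
 no ip address
 ip nat outside
 ip policy route-map PBR
!
ip route 0.0.0.0 0.0.0.0 45.152.53.38
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
"""  # constructed excerpt of the config posted above, for illustration only

def parse_interfaces(cfg):
    """Map each 'interface X' block to its indented sub-commands."""
    blocks, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif line.startswith(" ") and name:
            blocks[name].append(line.strip())
        else:
            name = None
    return blocks

def lint(cfg):
    """Findings for the NAT-outside, PBR and static-route issues raised in the reply."""
    findings, nets = [], []
    for name, cmds in parse_interfaces(cfg).items():
        addr = next((c.split()[2:4] for c in cmds if re.match(r"ip address \d", c)), None)
        if addr:  # remember connected networks for the next-hop reachability check
            nets.append(ipaddress.ip_interface("/".join(addr)).network)
        if "ip nat outside" in cmds and not addr:
            findings.append(f"{name}: 'ip nat outside' on an interface with no IP address")
        if any(c.startswith("ip policy route-map") for c in cmds) and not addr:
            findings.append(f"{name}: PBR applied to an interface with no IP address")
    for m in re.finditer(r"^ip route \S+ \S+ (\S+)(?: (\S+))?", cfg, re.M):
        hop, extra = m.group(1), m.group(2)
        if hop[0].isdigit() and not any(ipaddress.ip_address(hop) in n for n in nets):
            findings.append(f"next hop {hop} is not on any connected network")
        elif not hop[0].isdigit() and not (extra and "." in extra):
            findings.append(f"route out {hop} has no next-hop address (relies on proxy ARP)")
    return findings
```

Running lint(CONFIG) on the excerpt reports the four problems Peter lists; feed it the output of "show running-config" to re-check after each change.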
