11-26-2011 12:43 PM - edited 03-04-2019 02:25 PM
Hi guys,
I'm trying to configure hairpinning on my Cisco 887VA VDSL router, so that all LAN users can connect to the SMTP server (port 25), which is in the same LAN subnet, using the external router address that is assigned to the Dialer1 interface.
Traffic coming in from outside works fine.
External IP: 1.1.1.1/29
PC address connecting to the server: 192.168.101.28
Server address: 192.168.101.200
IOS: 15.1.4M1
My config:
!
! Last configuration change at 20:25:23 UTC Sat Nov 26 2011
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-4.M1.bin
boot-end-marker
!
!
enable secret xxxxxxxxx
!
aaa new-model
!
!
!
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
no ip source-route
!
!
!
!
ip dhcp pool LAN
network 192.168.101.0 255.255.255.0
dns-server 90.90.90.90 91.91.91.91
domain-name domain.com
default-router 192.168.101.1
!
!
ip cef
ip domain name domain.com
no ipv6 cef
!
!
!
username admin privilege 15 secret 5 xxxxxxx
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
description PPPoE bridging from controller VDSL to dialer 1
encapsulation dot1Q 101
ip nat enable
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.101.1 255.255.255.0
ip nat enable
ip tcp adjust-mss 1452
!
interface Dialer1
mtu 1492
ip address 1.1.1.1 255.255.255.248
no ip redirects
no ip unreachables
ip nat enable
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxx
ppp chap password 0 xxxxxx
ppp direction callout
ppp ipcp header-compression ack
ppp ipcp dns request accept
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat pool WAN 1.1.1.1 1.1.1.1 prefix-length 29 add-route
ip nat source list 1 pool WAN overload
ip nat source static tcp 192.168.101.200 25 1.1.1.1 25 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 192.168.101.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
end
So as I already said, traffic coming from outside to 1.1.1.1:25 goes through fine, but LAN users are unable to connect to 1.1.1.1:25.
debug ip nat
*Nov 26 19:31:11.278: NAT: s=192.168.101.28->1.1.1.1, d=1.1.1.1 [22404]
*Nov 26 19:31:11.278: NAT: s=1.1.1.1, d=1.1.1.1->192.168.101.200 [22404]
debug ip packet
*Nov 26 19:31:40.622: IP: s=192.168.101.28 (Vlan1), d=1.1.1.1, len 52, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 26 19:31:40.622: IP: s=192.168.101.28 (Vlan1), d=1.1.1.1, len 52, input feature, MCI Check(67), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 26 19:31:40.622: IP: s=192.168.101.28 (Vlan1), d=1.1.1.1, len 52, input feature, TCP Adjust MSS(69), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 26 19:31:40.622: IP: tableid=0, s=192.168.101.28 (Vlan1), d=1.1.1.1 (Dialer1), routed via RIB
*Nov 26 19:31:40.622: NAT: s=192.168.101.28->1.1.1.1, d=1.1.1.1[22453]
*Nov 26 19:31:40.622: NAT: s=1.1.1.1, d=1.1.1.1->192.168.101.200 [22453]
*Nov 26 19:31:40.622: IP: s=1.1.1.1 (Vlan1), d=192.168.101.200 (Vlan1), len 52, output feature, Post-routing NAT NVI Output(20), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 26 19:31:40.622: IP: Output changed by feature=20: Dialer1 -> Vlan1
*Nov 26 19:31:40.622: IP: s=1.1.1.1 (Vlan1), d=192.168.101.200 (Vlan1), len 52, rcvd local pkt
sh ip route
S* 0.0.0.0/0 is directly connected, Dialer1
82.0.0.0/32 is subnetted, 1 subnets
C 82.153.1.65 is directly connected, Dialer1
192.168.101.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.101.0/24 is directly connected, Vlan1
L 192.168.101.1/32 is directly connected, Vlan1
1.1.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/29 is directly connected, Dialer1
L 1.1.1.1/32 is directly connected, Dialer1
I'm running tcpdump on the server on port 25 and... nothing happens. The traffic is not going through.
One thing that I've noticed in debug ip packet is this line:
s=1.1.1.1 (Vlan1), d=192.168.101.200 (Vlan1), len 52, rcvd local pkt
Shouldn't the source be the internal Vlan1 IP, 192.168.101.1?
I'll appreciate any help or suggestions.
11-26-2011 02:50 PM
Hello Slawomir,
I have encountered connectivity issues with the NVI NAT configuration if the addresses I translated into were actually located in the directly connected networks of the router. What helped, after a tedious search, was to configure no ip redirects on the egress ('outside'-alike) interfaces. There are some strange interactions with the ICMP redirect mechanism and I stumbled across this workaround.
Perhaps this will help you as well - would you mind adding the no ip redirects command to all your IP-enabled interfaces, i.e. E0.101, Vlan1 and Dialer1? Even if it turns out to not solve your issue, it should not do any harm (basically, this command stops sending the ICMP Redirect messages and should allow the router to hairpin any streams).
Best regards,
Peter
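The change Peter proposes, written out against the config posted above as an added example (not part of the thread). Dialer1 already carries no ip redirects; Ethernet0.101 and Vlan1 are the interfaces that actually change. The show ip nat nvi translations command used for verification is assumed to be available on this IOS release.

```cisco
! Added example: "no ip redirects" on every IP-enabled interface so the
! router does not try to send ICMP Redirects for the hairpinned LAN->LAN
! flow. Only the lines marked NEW differ from the original config.
interface Ethernet0.101
 description PPPoE bridging from controller VDSL to dialer 1
 encapsulation dot1Q 101
 no ip redirects            ! NEW
 ip nat enable
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.101.1 255.255.255.0
 no ip redirects            ! NEW
 ip nat enable
 ip tcp adjust-mss 1452
!
interface Dialer1
 mtu 1492
 ip address 1.1.1.1 255.255.255.248
 no ip redirects            ! already present in the original config
 no ip unreachables
 ip nat enable
 encapsulation ppp
!
! Verification (assumed commands): from 192.168.101.28 open a TCP
! connection to 1.1.1.1:25, then inspect the NVI translation table.
! Expect one entry translating 192.168.101.28 -> 1.1.1.1 (overload) and a
! second translating 1.1.1.1:25 -> 192.168.101.200:25 (the static entry).
!   router# show ip nat nvi translations
!   router# show ip nat nvi statistics
```

Note that after the fix the server still sees the hairpinned connection sourced from 1.1.1.1, exactly as the debug ip nat output above shows, so any SMTP relay or access rule on the server keyed to 192.168.101.0/24 will not match those LAN clients. Disabling ICMP redirects is also a common hardening default, since redirects can be abused to alter a host's routing, so there is no reason to re-enable them later.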
11-27-2011 01:33 PM
I've tried that and... yes, you were right about no ip redirects.
I would never suspect that this could cause the problem.
Thank you very much for your time and help Peter.
11-27-2011 02:01 PM
Hello Slawomir,
Thank you very much for letting me know. It seems that with NVI style of NAT configuration, it is advisable to deactivate IP ICMP redirects. Thank you for confirming that for me.
Best regards,
Peter