Hello all, this is my topology:
R7, R8, and R9 are virtual machines inside the network,
and they have a default route to the switch, and the switch has a default route to the Router.
This is the router's config:
!
hostname Router
!
interface Loopback1
no shutdown
ip address 11.1.1.1 255.255.255.255
!
interface Loopback2
no shutdown
ip address 22.2.2.2 255.255.255.255
!
interface GigabitEthernet1
no shutdown
ip address 10.1.1.2 255.255.255.252
ip nat inside
!
interface GigabitEthernet2
no shutdown
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
ip access-list standard NAT
permit 10.1.0.0 0.0.255.255
!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT interface GigabitEthernet2 overload
!
This is it.
Now, when I access R7 from the internet with the 11.1.1.1 address it works OK, and if I access R8 from the internet with the 22.2.2.2 address it works fine as well.
But when I want to access R8 from R7 with the 22.2.2.2 address it doesn't work, and vice versa.
So I want to fix this issue, and I have looked into different solutions, but none has worked so far, like NVI, which is not supported on IOS-XE, or hairpin NAT, which also doesn't work.
I need your help.
!
interface Loopback0
ip address 169.254.1.1 255.255.255.255
ip nat inside
!
interface Loopback1
ip address 11.1.1.1 255.255.255.255
ip nat outside
!
interface Loopback2
ip address 22.2.2.2 255.255.255.255
ip nat outside
!
interface GigabitEthernet1
ip address 10.1.1.2 255.255.255.252
ip nat outside
ip policy route-map PBR_NAT_RM
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 1.1.1.2 255.255.255.252
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT_ACL interface GigabitEthernet2 overload
ip nat inside source list NAT_HAIRPIN_ACL interface Loopback0 overload
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
!
ip access-list extended NAT_ACL
deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.255.255 any
ip access-list extended NAT_HAIRPIN_ACL
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.7
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.8
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.9
!
!
!
route-map PBR_NAT_RM permit 10
set interface Loopback0
!
Hello,
make the changes marked in bold. Also, how are you testing this? The hairpinning works only for TCP port 23 (telnet), so are you telnetting to test?
interface Loopback0
ip address 169.254.1.1 255.255.255.255
ip nat inside
!
interface Loopback1
ip address 11.1.1.1 255.255.255.255
--> no ip nat outside
!
interface Loopback2
ip address 22.2.2.2 255.255.255.255
--> no ip nat outside
!
interface GigabitEthernet1
ip address 10.1.1.2 255.255.255.252
ip nat outside
ip policy route-map PBR_NAT_RM
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 1.1.1.2 255.255.255.252
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT_ACL interface GigabitEthernet2 overload
ip nat inside source list NAT_HAIRPIN_ACL interface Loopback0 overload
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
ip access-list extended NAT_ACL
deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.255.255 any
!
ip access-list extended NAT_HAIRPIN_ACL
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.7
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.8
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.9
!
route-map PBR_NAT_RM permit 10
set interface Loopback0
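As an added illustration that is not part of any post in this thread and not Cisco code: a small Python model of the translations the accepted configuration performs. It takes the two static TCP translations, the Loopback0 address 169.254.1.1 and the NAT_HAIRPIN_ACL hosts exactly as posted above, treats the router as a single two-step translator (the real IOS-XE ordering of NAT and PBR is not modelled, and the PBR to Loopback0 is assumed to be what makes the second, source-side translation apply), and shows why the reply path matters: without the hairpin source translation, the server's reply goes straight through the switch to the client, which is waiting for an answer from 22.2.2.2:233 and therefore never completes the TCP handshake. It also shows that a destination port other than 233 matches no static entry, which is the point made above about telnet being the only thing that is hairpinned. All packet values are constructed.

```python
from dataclasses import dataclass, replace

# Constructed model of the NAT in the accepted solution above. Not Cisco code.
# The values below are taken from the posted configuration.
STATIC_TCP = {
    # (global ip, global port) -> (inside local ip, local port)
    # from the two "ip nat inside source static tcp ... extendable" lines
    ("11.1.1.1", 233): ("10.1.2.7", 23),
    ("22.2.2.2", 233): ("10.1.2.8", 23),
}
HAIRPIN_IP = "169.254.1.1"                              # Loopback0, "ip nat inside"
HAIRPIN_HOSTS = {"10.1.2.7", "10.1.2.8", "10.1.2.9"}    # hosts in NAT_HAIRPIN_ACL


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def in_lan(ip: str) -> bool:
    """10.1.0.0/16, the source range both ACLs match on."""
    return ip.startswith("10.1.")


class HairpinNat:
    """Two-step translator: static destination NAT, then (optionally) source
    NAT to Loopback0 so that the server's reply has to come back via the router."""

    def __init__(self, hairpin_enabled: bool = True):
        self.hairpin_enabled = hairpin_enabled
        self.dyn = {}           # (HAIRPIN_IP, port) -> (client ip, client port)
        self.next_port = 1024   # overload port allocator (constructed)

    def lan_to_global(self, pkt: Packet):
        """A LAN client sends to a published global address; arrives on Gi1.
        Returns the packet as forwarded to the server, or None when nothing is
        published on that port (only tcp/233 is)."""
        if pkt.proto != "tcp" or (pkt.dst, pkt.dport) not in STATIC_TCP:
            return None
        local_ip, local_port = STATIC_TCP[(pkt.dst, pkt.dport)]
        pkt = replace(pkt, dst=local_ip, dport=local_port)
        if self.hairpin_enabled and in_lan(pkt.src) and local_ip in HAIRPIN_HOSTS:
            port, self.next_port = self.next_port, self.next_port + 1
            self.dyn[(HAIRPIN_IP, port)] = (pkt.src, pkt.sport)
            pkt = replace(pkt, src=HAIRPIN_IP, sport=port)
        return pkt

    def server_reply(self, pkt: Packet):
        """The server answers. Returns (packet as the client receives it,
        whether the router was on the return path)."""
        if (pkt.dst, pkt.dport) in self.dyn:
            client_ip, client_port = self.dyn[(pkt.dst, pkt.dport)]
            glob = {v: k for k, v in STATIC_TCP.items()}[(pkt.src, pkt.sport)]
            return replace(pkt, src=glob[0], sport=glob[1],
                           dst=client_ip, dport=client_port), True
        # Destination is another LAN host: the switch delivers it directly, the
        # router never sees it and so cannot undo the destination translation.
        return pkt, False


def simulate(hairpin_enabled: bool, dst: str = "22.2.2.2", dport: int = 233) -> dict:
    """R7 (10.1.2.7) opens a TCP connection to dst:dport; check whether the
    SYN/ACK it receives matches the socket it opened."""
    nat = HairpinNat(hairpin_enabled)
    syn = Packet("10.1.2.7", 40000, dst, dport)
    fwd = nat.lan_to_global(syn)
    if fwd is None:
        return {"delivered": False, "reason": "no static translation for this port"}
    synack = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    reply, via_router = nat.server_reply(synack)
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == \
               (syn.dst, syn.dport, syn.src, syn.sport)
    return {"delivered": True, "via_router": via_router,
            "reply_from": (reply.src, reply.sport), "client_accepts": accepted}


if __name__ == "__main__":
    print("with hairpin NAT:   ", simulate(True))
    print("without hairpin NAT:", simulate(False))
    print("to tcp/80 instead:  ", simulate(True, dport=80))
```

The `hairpin_enabled=False` case is the original poster's symptom: the translation toward the server works, but the reply arrives from 10.1.2.8:23 rather than 22.2.2.2:233, so R7's TCP stack has no matching connection and the session never opens.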
Hello,
this is not an error, just a warning. So with 'debug ip policy' and telnetting to the translated address, there is no debug output at all?
Yep, that is correct.
Hello,
could you find a solution to this problem?
...
'ip nat enable' doesn't work on IOS-XE devices.
OK,
default route toward the SW?
What is the next-hop you use in the virtual router? Is it the SVI of the SW?
This is the path:
R7 ---Default GW--> SW SVI VLAN 10 ---Static Route to router Gi1---> Router ---Static Route to INTERNET Gi1---> INTERNET
Does R7 have routing capability?
If yes, then it will not fully use the DGW.
'no ip routing' in R7 will solve the issue of interconnect between the virtual routers.
NOTE: ip routing must be configured in the SW.
It is enabled on the SW, but even if I use virtual machines instead of routers on R7 it still won't work.
...
...
..