03-06-2021 12:12 AM - edited 03-06-2021 12:16 AM
Hello all, this is my topology:
R7, R8, and R9 are virtual machines inside the network,
and they have a default route to the switch, and the switch has a default route to the router.
This is the router's config:
!
hostname Router
!
interface Loopback1
no shutdown
ip address 11.1.1.1 255.255.255.255
!
interface Loopback2
no shutdown
ip address 22.2.2.2 255.255.255.255
!
interface GigabitEthernet1
no shutdown
ip address 10.1.1.2 255.255.255.252
ip nat inside
!
interface GigabitEthernet2
no shutdown
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
ip access-list standard NAT
permit 10.1.0.0 0.0.255.255
!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT interface GigabitEthernet2 overload
!
This is it.
Now, when I access R7 from the internet with the 11.1.1.1 address it works OK, and if I access R8 from the internet with the 22.2.2.2 address it works fine as well.
But when I want to access R8 from R7 with the 22.2.2.2 address it doesn't work, and vice versa.
So I want to fix this issue, and I have looked into different solutions, but none has worked so far, like NVI, which is not supported on IOS-XE, or hairpin NAT, which also doesn't work.
I need your help.
03-06-2021 06:24 AM - edited 03-06-2021 06:25 AM
!
interface Loopback0
ip address 169.254.1.1 255.255.255.255
ip nat inside
!
interface Loopback1
ip address 11.1.1.1 255.255.255.255
ip nat outside
!
interface Loopback2
ip address 22.2.2.2 255.255.255.255
ip nat outside
!
interface GigabitEthernet1
ip address 10.1.1.2 255.255.255.252
ip nat outside
ip policy route-map PBR_NAT_RM
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 1.1.1.2 255.255.255.252
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT_ACL interface GigabitEthernet2 overload
ip nat inside source list NAT_HAIRPIN_ACL interface Loopback0 overload
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
!
ip access-list extended NAT_ACL
deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.255.255 any
ip access-list extended NAT_HAIRPIN_ACL
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.7
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.8
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.9
!
!
!
route-map PBR_NAT_RM permit 10
set interface Loopback0
!
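As an added illustration (not from the thread and not Cisco code), a small Python model of why the accepted answer needs both the static destination translation and the NAT_HAIRPIN_ACL source translation to Loopback0: if only the destination is rewritten, R8's reply to a 10.1.x.x source is switched straight back to R7, never crosses the router, and so is never translated back. It abstracts away the real IOS-XE NAT order of operations; the client port 50000 and the external address 198.51.100.5 are constructed.

```python
from dataclasses import dataclass, replace

# Static port translations quoted in the thread: (global ip, port) -> (local ip, port)
STATIC = {("11.1.1.1", 233): ("10.1.2.7", 23), ("22.2.2.2", 233): ("10.1.2.8", 23)}
HAIRPIN_IP = "169.254.1.1"   # Loopback0, the NAT_HAIRPIN_ACL overload address
LAN = "10.1."                # 10.1.0.0/16, the inside range (prefix match only)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def hairpin_telnet(client: str, vip: str, source_nat: bool) -> bool:
    """Send a SYN from `client` to `vip`:233 and follow the SYN-ACK back.
    Returns True when the client gets a SYN-ACK from the address it
    connected to, i.e. when the TCP handshake can complete."""
    sessions = {}                                   # router's NAT table
    syn = Pkt(client, 50000, vip, 233)              # 50000 is a constructed port

    # Router: the static entry rewrites the destination to the real server.
    local_ip, local_port = STATIC[(vip, 233)]
    fwd = replace(syn, dst=local_ip, dport=local_port)
    if source_nat and fwd.src.startswith(LAN) and fwd.dst.startswith(LAN):
        # LAN-to-LAN flow: also rewrite the source to Loopback0 so the
        # server's reply has to come back through the router.
        sessions[(HAIRPIN_IP, fwd.sport)] = (fwd.src, vip)
        fwd = replace(fwd, src=HAIRPIN_IP)
    else:
        sessions[(fwd.src, fwd.sport)] = (fwd.src, vip)

    # Server (R8/R7): a reply to another 10.1.x.x host is switched directly
    # to it; any other destination follows the default route to the router.
    reply = Pkt(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    if not reply.dst.startswith(LAN):
        # Router undoes both translations on the way back.
        orig_client, orig_vip = sessions[(reply.dst, reply.dport)]
        reply = replace(reply, src=orig_vip, sport=233, dst=orig_client)

    # The client only accepts a SYN-ACK from the address it connected to.
    return reply.src == vip and reply.dst == client
```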
03-06-2021 06:48 AM
Hello,
make the changes marked in bold. Also, how are you testing this? The hairpinning works only for TCP port 23 (telnet), so are you telnetting to test?
interface Loopback0
ip address 169.254.1.1 255.255.255.255
ip nat inside
!
interface Loopback1
ip address 11.1.1.1 255.255.255.255
--> no ip nat outside
!
interface Loopback2
ip address 22.2.2.2 255.255.255.255
--> no ip nat outside
!
interface GigabitEthernet1
ip address 10.1.1.2 255.255.255.252
ip nat outside
ip policy route-map PBR_NAT_RM
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 1.1.1.2 255.255.255.252
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT_ACL interface GigabitEthernet2 overload
ip nat inside source list NAT_HAIRPIN_ACL interface Loopback0 overload
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
ip access-list extended NAT_ACL
deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.255.255 any
!
ip access-list extended NAT_HAIRPIN_ACL
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.7
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.8
permit ip 10.1.0.0 0.0.255.255 host 10.1.2.9
!
route-map PBR_NAT_RM permit 10
set interface Loopback0
03-06-2021 11:45 PM
Hello,
this is not an error, just a warning. So with 'debug ip policy' and telnetting to the translated address, there is no debug output at all?
03-07-2021 12:53 AM
Yep, that is correct.
03-09-2021 03:57 AM
Hello,
could you find a solution to this problem?
03-06-2021 04:16 AM
ip nat enable doesn't work on IOS-XE devices
03-06-2021 04:31 AM
OK,
default route toward the SW?
What is the next-hop you use in the virtual router? Is it the SVI of the SW?
03-06-2021 04:42 AM - edited 03-06-2021 04:42 AM
This is the path:
R7 ---Default GW--> SW SVI VLAN 10 ---Static route to router Gi1---> Router ---Static route to INTERNET GI1---> INTERNET
03-06-2021 04:46 AM
Does R7 have routing capability?
If yes, then it will not fully use the DGW.
'no ip routing' in R7 will solve the issue of interconnection between the virtual routers.
NOTE: ip routing must be configured in the SW.
03-06-2021 05:45 AM
It is enabled on the SW, but even if I use virtual machines instead of routers on R7 it still won't work.