Hello all, this is my topology:
R7, R8, and R9 are virtual machines inside the network
and they have a default route to the switch and the switch has a default route to the Router.
This is the router's config:
! loopbacks holding the public (inside global) addresses
ip address 184.108.40.206 255.255.255.255
ip address 220.127.116.11 255.255.255.255
! inside interface towards the switch
ip address 10.1.1.2 255.255.255.252
ip nat inside
! outside interface (GigabitEthernet2) towards the internet
ip address 18.104.22.168 255.255.255.252
ip nat outside
! default route to the internet and static route to the VM subnet behind the switch
ip route 0.0.0.0 0.0.0.0 22.214.171.124
ip route 10.1.2.0 255.255.255.0 10.1.1.1
! ACL selecting inside traffic for overload NAT
ip access-list standard NAT
permit 10.1.0.0 0.0.255.255
! static PAT: public port 233 -> telnet (23) on R7 and R8
ip nat inside source static tcp 10.1.2.7 23 126.96.36.199 233 extendable
ip nat inside source static tcp 10.1.2.8 23 188.8.131.52 233 extendable
! everything else from the inside is PATed behind GigabitEthernet2
ip nat inside source list NAT interface GigabitEthernet2 overload
this is it.
Now when I access R7 from the internet with the 184.108.40.206 address it works OK, and if I access R8 from the internet with the 220.127.116.11 address it works fine as well.
But when I want to access R8 from R7 with the 18.104.22.168 address it doesn't work, and vice versa.
So I want to fix this issue, and I have looked into different solutions, but none has worked so far, like NVI, which is not supported on IOS-XE, or hairpin NAT, which also doesn't work.
I need your help.
Can you confirm the software version you are running? It could be that hairpinning isn't supported for it. Also, from the "internet rtr towards the nat rtr", do you have reachability to both of those inside global addresses (22.214.171.124-126.96.36.199) by way of static routing?
As for those specific loopbacks, they are not required for hairpinning to work, so they can be safely removed. And as your static PAT translations are for telnet and pertain to outside/internal hosts, please make sure you are initiating a connection via port 233.
Lastly, you are only specifying two static PAT statements, for 10.1.2.7 & 10.1.2.8; I see no entry for 10.1.2.9!
Please try the following and test again:
no interface Loopback1
no interface Loopback2
no ip access-list extended NAT_ACL
ip access-list extended NAT_ACL
deny ip 10.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255
permit ip 10.1.2.0 0.0.0.255 any
no ip access-list extended NAT_HAIRPIN_ACL
ip access-list extended NAT_HAIRPIN_ACL
permit ip 10.1.2.0 0.0.0.255 host 10.1.2.7
permit ip 10.1.2.0 0.0.0.255 host 10.1.2.8
no ip redirects
no ip route 0.0.0.0 0.0.0.0 188.8.131.52
ip route 0.0.0.0 0.0.0.0 GigabitEthernet2 184.108.40.206
My IOS version is IOS-XE 16.3.8 and IOS-XE 16.9.5 on ISR4331. Also, I have reachability to 220.127.116.11 and 18.104.22.168, and 10.1.2.9 is there only to test connections.
If I remove my loopbacks, can I still NAT that traffic?
It does seem hairpinning and NVI NAT aren't supported on IOS-XE; the alternative would be to use VASI, which is an alternative to NVI NAT.
It seems to be the alternative to the domainless NAT that runs on IOS; it should be able to provide a solution for hairpinning on the ISR.
I have fixed the issue. This is what I did:
If you configure the PBR to send traffic to a loopback interface it won't work, and this error pops up:
%Warning:Use P2P interface for routemap setinterface clause
So I have done this:
I have created a tunnel interface where both the source and the destination are the loopback interface on the router:
ip address 22.214.171.124 255.255.255.255
ip nat inside
tunnel source Loopback0
tunnel destination 169.254.1.1
and used this instead of a loopback interface, both in PBR and in NAT.
this is it.
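An added model of the NAT order of operations behind this thread (example code, not from the thread or from Cisco): a packet arriving on an "ip nat outside" interface has its destination translated before routing, while a packet arriving on an inside interface is routed first and has its source translated only if the egress is an outside interface. It shows why internet-to-R7 works while R7-to-R8 via the public address never reaches a translation: the egress is a loopback, not an outside interface. The public addresses (203.0.113.x, 198.51.100.x) are constructed documentation values, and all interface names except GigabitEthernet2 are assumed.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed public (inside global) addresses; the thread's own values are not reused.
INSIDE_GLOBALS = {"R7": "203.0.113.7", "R8": "203.0.113.8"}

# Static PAT entries shaped like "ip nat inside source static tcp <local> 23 <global> 233"
STATIC_PAT = [
    ("10.1.2.7", 23, INSIDE_GLOBALS["R7"], 233),
    ("10.1.2.8", 23, INSIDE_GLOBALS["R8"], 233),
]

# NAT domain per interface (GigabitEthernet2 is the outside interface in the thread;
# the other interface names are assumed). Loopbacks are in no NAT domain.
NAT_DOMAIN = {"GigabitEthernet1": "inside", "GigabitEthernet2": "outside",
              "Loopback1": None, "Loopback2": None}

# Addresses owned by the router itself: the inside-global addresses sit on the loopbacks
LOCAL_ADDRESSES = {INSIDE_GLOBALS["R7"]: "Loopback1", INSIDE_GLOBALS["R8"]: "Loopback2"}

ROUTES = [(ip_network("10.1.2.0/24"), "GigabitEthernet1"),
          (ip_network("0.0.0.0/0"), "GigabitEthernet2")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def route(dst):
    """Longest-prefix lookup; router-owned addresses are punted to the owning interface."""
    if dst in LOCAL_ADDRESSES:
        return LOCAL_ADDRESSES[dst]
    addr = ip_address(dst)
    return max((net.prefixlen, ifname) for net, ifname in ROUTES if addr in net)[1]


def forward(pkt, ingress):
    """Return (packet as it leaves the router, egress interface) under the NAT domain rules."""
    if NAT_DOMAIN.get(ingress) == "outside":       # outside -> inside: translate dst, then route
        for local, lport, glob, gport in STATIC_PAT:
            if (pkt.dst, pkt.dport) == (glob, gport):
                pkt = replace(pkt, dst=local, dport=lport)
        return pkt, route(pkt.dst)
    egress = route(pkt.dst)                         # inside arrival: route first
    if NAT_DOMAIN.get(ingress) == "inside" and NAT_DOMAIN.get(egress) == "outside":
        for local, lport, glob, gport in STATIC_PAT:
            if (pkt.src, pkt.sport) == (local, lport):
                pkt = replace(pkt, src=glob, sport=gport)
    return pkt, egress                              # inside -> loopback: no translation at all
```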
+5 for the ingenuity - elegant workaround.