03-06-2021 12:12 AM - edited 03-06-2021 12:16 AM
Hello all, this is my topology:
R7, R8, and R9 are virtual machines inside the network
and they have a default route to the switch, and the switch has a default route to the Router.
This is the router's config:
!
hostname Router
!
interface Loopback1
no shutdown
ip address 11.1.1.1 255.255.255.255
!
interface Loopback2
no shutdown
ip address 22.2.2.2 255.255.255.255
!
interface GigabitEthernet1
no shutdown
ip address 10.1.1.2 255.255.255.252
ip nat inside
!
interface GigabitEthernet2
no shutdown
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.1.2.0 255.255.255.0 10.1.1.1
!
ip access-list standard NAT
permit 10.1.0.0 0.0.255.255
!
ip nat inside source static tcp 10.1.2.7 23 11.1.1.1 233 extendable
ip nat inside source static tcp 10.1.2.8 23 22.2.2.2 233 extendable
ip nat inside source list NAT interface GigabitEthernet2 overload
!
this is it.
Now when I access R7 from the internet with the 11.1.1.1 address it works OK, and if I access R8 from the internet with the 22.2.2.2 address it works fine as well.
But when I want to access R8 from R7 with the 22.2.2.2 address it doesn't work, and vice versa.
So I want to fix this issue. I have looked into different solutions but none has worked so far, like NVI, which is not supported on IOS-XE, or hairpin NAT, which also doesn't work.
I need your help.
Labels: ISR 4000 Series
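To see why the flow in this post fails, here is an added Python model (not from the thread or from Cisco) of classic domain-based NAT, fed the addresses, routes and static PAT entries from the router config above. The ingress-interface rule and the routing table are simplifying assumptions: everything sourced from 10.1.0.0/16 is assumed to arrive on GigabitEthernet1, the rest on GigabitEthernet2.

```python
import ipaddress

# Interfaces from the posted config: prefix and NAT role (None = no NAT role).
INTERFACES = {
    "GigabitEthernet1": ("10.1.1.2/30", "inside"),
    "GigabitEthernet2": ("1.1.1.2/30", "outside"),
    "Loopback1": ("11.1.1.1/32", None),
    "Loopback2": ("22.2.2.2/32", None),
}
# Static PAT entries from the config: (inside local, port) -> (inside global, port).
STATIC_PAT = {
    ("10.1.2.7", 23): ("11.1.1.1", 233),
    ("10.1.2.8", 23): ("22.2.2.2", 233),
}
# Routes from the config; the connected 10.1.1.0/30 is implied by Gi1's address.
ROUTES = [
    ("10.1.2.0/24", "GigabitEthernet1"),
    ("10.1.1.0/30", "GigabitEthernet1"),
    ("0.0.0.0/0", "GigabitEthernet2"),
]

def egress_interface(dst):
    """Longest-prefix lookup; None means `dst` is one of the router's own
    addresses, so the packet terminates on the router instead of being forwarded."""
    dst = ipaddress.ip_address(dst)
    if any(ipaddress.ip_interface(p).ip == dst for p, _ in INTERFACES.values()):
        return None
    matches = [(ipaddress.ip_network(p), i) for p, i in ROUTES if dst in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def ingress_interface(src):
    """Assumption: sources in 10.1.0.0/16 arrive on Gi1 (inside), all others on Gi2 (outside)."""
    inside = ipaddress.ip_address(src) in ipaddress.ip_network("10.1.0.0/16")
    return "GigabitEthernet1" if inside else "GigabitEthernet2"

def hairpin_check(src, dst, dport):
    """Return the (dst, port) the packet is forwarded to, or None when the
    domain-based NAT rules in the posted config never translate it."""
    if INTERFACES[ingress_interface(src)][1] == "outside":
        # outside->inside: destination is rewritten before routing, so a packet
        # from the internet to 22.2.2.2:233 is forwarded to 10.1.2.8:23.
        for local, glob in STATIC_PAT.items():
            if glob == (dst, dport):
                return local
        return None
    # inside->?: routing runs first; 22.2.2.2 belongs to the router itself, so
    # the packet never crosses an 'outside' interface and no translation occurs.
    egress = egress_interface(dst)
    if egress is None or INTERFACES[egress][1] != "outside":
        return None
    return (dst, dport)  # inside->outside: dst unchanged, src PATed by the overload rule
```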
03-06-2021 06:45 AM
Yes, it is configured to find its way back. I don't have a reachability issue from one host to the INTERNET.
03-06-2021 07:07 AM - edited 03-06-2021 04:23 PM
...
03-06-2021 02:49 PM - edited 03-06-2021 05:42 PM
Hello n.bokhar1
Can you confirm the software version you are running? It could be that hairpinning isn't supported for it. Also, from the "internet rtr towards the nat rtr", do you have reachability to both of those inside global addresses (11.1.1.1 - 22.22.22.2) by way of static routing?
As for those specific loopbacks, they are not required for hairpinning to work, so they can be safely removed. And as your static PAT translations are for Telnet and pertain to outside/internal hosts, please make sure you are initiating a connection via port 233.
Lastly, you are only specifying two static PAT statements, for 10.1.2.7 & 10.1.2.8; I see no entry for 10.1.2.9!
Please try the following and test again:
no interface Loopback1
no interface Loopback2
no ip access-list extended NAT_ACL
ip access-list extended NAT_ACL
deny ip 10.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255
permit ip 10.1.2.0 0.0.0.255 any
no ip access-list extended NAT_HAIRPIN_ACL
ip access-list extended NAT_HAIRPIN_ACL
permit ip 10.1.2.0 0.0.0.255 host 10.1.2.7
permit ip 10.1.2.0 0.0.0.255 host 10.1.2.8
interface GigabitEthernet1
no ip redirects
no ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet2 1.1.1.1
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
03-07-2021 12:56 AM - edited 03-07-2021 12:57 AM
Hello,
My IOS version is IOS-XE 16.3.8 and IOS-XE 16.9.5 on ISR4331. Also, I have reachability to 22.2.2.2 and 11.1.1.1, and 10.1.2.9 is there only to test connections.
If I remove my loopback, can I still NAT that traffic?
03-07-2021 02:21 AM - edited 03-07-2021 09:06 AM
Hello
It does seem hairpinning and NVI NAT aren't supported on IOS-XE. The alternative would be to use VASI, which is an alternative to NVI NAT - here
Kind Regards
Paul
03-09-2021 03:55 AM
I didn't quite understand; what is VASI?
03-09-2021 04:06 AM
Hello
It seems to be the alternative to domainless NAT that runs on IOS; it should be able to provide a solution for hairpinning on the ISR.
Kind Regards
Paul
03-09-2021 05:08 AM
Hi Guys,
I have fixed the issue; this is what I did:
If you configure the PBR to send traffic to a loopback interface, it won't work and this error pops up:
%Warning:Use P2P interface for routemap setinterface clause
So I have done this:
I have created a tunnel interface where both the source and the destination are the loopback interface on the router:
interface Tunnel1
ip address 169.253.1.1 255.255.255.255
ip nat inside
cdp enable
tunnel source Loopback0
tunnel destination 169.254.1.1
and used this instead of a loopback interface, both in the PBR and in the NAT.
This is it.
I have to thank all of you who helped me to achieve this solution: @MHM Cisco World, @paul driver and especially @Georg Pauwen. Thanks, man.
03-09-2021 05:18 AM - edited 03-09-2021 05:18 AM
Hello @n.bokhar1
+5 for the ingenuity - elegant workaround.
Kind Regards
Paul