NAT-loopback on Cisco 1921

Jaroslaw Gal
Level 1

I'm having a problem with the NAT-LOOPBACK setup on a Cisco 1921. The scenario involves a video door entry system that needs to be accessible via the public IP address of the router from both the LAN and the "outside world." This seems like a classic NAT-LOOPBACK scenario, but I'm relatively new to Cisco equipment and might be missing something in my configuration.

The camera is on the local LAN at 192.168.1.145/24 and uses the following TCP ports: 1981, 2000, 8045, 5541.

I'm using Dialer1 as my WAN interface and VLAN10 (192.168.1.1/24) as the interface that serves the local LAN.

I can access the camera from the "outside world," but when connected to the local LAN, the app on my mobile devices (iPhone and Android) cannot establish communication over the public IP address of the router.

I have a NAT-LOOPBACK access list that matches internal traffic to be translated back to 192.168.1.145 on specific ports. I also have dynamic NAT to translate all other internet-bound traffic and static NAT entries matching the camera's local IP to the router's public IP on specific ports.

The issue is that the NAT-LOOPBACK access list doesn't seem to be matching, even though the traffic is initiated from the internal LAN to the camera using the public IP address of the router.

Here is the configuration:

hostname HOME_CISCO1921
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret <HIDDEN>
!
aaa new-model
!
!
aaa authentication banner ^CC
************************************************
* ACCESS TO THIS SYSTEM IS FOR *
* AUTHORIZED USERS ONLY! *
* ALL ACCESS ATMEPTS TO THIS DEVICE *
* ARE MONITORED AND RECORDED. *
* MONITORING AND RECORDING MAY BE *
* TURNED OVER TO THE APPROPRIATE AUTHORITIES. *
************************************************
^C
aaa authentication fail-message ^CCLogin Incorrect^C
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login AUTH local enable group radius
!
!
!
!
!
aaa session-id common
clock timezone UTC 2 0
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool DPOOL10
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 3
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FGL172625FU
!
!
archive
log config
hidekeys
vtp mode transparent
username <HIDDEN> privilege 15 password <HIDDEN>
username <HIDDEN> privilege 15 password <HIDDEN>
!
redundancy
!
!
!
!
!
vlan 10
name HOME_VLAN
!
ip ssh version 2
lldp run
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.240.0.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description * Link to ISP *
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description * Link to SWITCH1 *
switchport trunk allowed vlan 1,10,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet0/0/1
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/0/2
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/0/3
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan10
description * Local LAN *
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
!
interface Dialer1
ip address negotiated
ip mtu 1480
ip nat outside
ip nat enable
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp chap hostname <HIDDEN>
ppp chap password <HIDDEN>
no cdp enable
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.145 1981 interface Dialer1 1981
ip nat inside source static tcp 192.168.1.145 2000 interface Dialer1 2000
ip nat inside source static tcp 192.168.1.145 8045 interface Dialer1 8045
ip nat inside source static tcp 192.168.1.145 5541 interface Dialer1 5541
ip nat inside source static udp 192.168.1.145 8045 interface Dialer1 8045
ip nat inside source static udp 192.168.1.145 2000 interface Dialer1 2000
ip nat inside source list NAT-LOOPBACK interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended NAT-LOOPBACK
permit tcp 192.168.1.0 0.0.0.255 host 91.233.139.69 eq 1981
permit tcp 192.168.1.0 0.0.0.255 host 91.233.139.69 eq 2000
permit tcp 192.168.1.0 0.0.0.255 host 91.233.139.69 eq 8045
permit tcp 192.168.1.0 0.0.0.255 host 91.233.139.69 eq 5541
permit udp 192.168.1.0 0.0.0.255 host 91.233.139.69 eq 8045
permit udp 192.168.1.0 0.0.0.255 host 91.233.139.69 eq 2000
!
ip access-list log-update threshold 1
kron occurrence reload-at-0203 at 2:30 recurring
!
kron policy-list reload
cli reload
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
mac-address-table aging-time 20
!
!
snmp-server community test24 RW
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
privilege exec level 15 connect
privilege exec level 15 configure
banner login ^CC
------------------------

PRIVATE NETWORK
---------------


************************************************
* Unauthorised access or use of this equipment *
* is prohibited and constitutes an offence *
* under the Computer Misuse Act 1990. *
* If you are not authorised to use this *
* system, terminate this session now. *
************************************************
^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 60 0
privilege level 15
password <HIDDEN>
logging synchronous
login authentication AUTH
transport input ssh
line vty 5 15
exec-timeout 60 0
transport input all
!
scheduler allocate 20000 1000
ntp server pool.ntp.org
!



7 Replies

liviu.gheorghe
Spotlight

Hello @Jaroslaw Gal ,

the NAT-LOOPBACK access-list is used to translate the source IPs of hosts on 192.168.1.0/24 when accessing host 91.233.139.69 on ports 1981, 2000, 8045, 5541 for TCP or UDP traffic. If no hosts on your LAN are accessing host 91.233.139.69 on those specific ports, you won't have matches in the ACL.

When connected to the local LAN, you will have to access the camera on its LAN IP address, 192.168.1.145.

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***

The mobile app allows only one IP to be configured for the camera. My understanding is that to be able to connect to this camera from the internet, I keep the public IP address of the router in the app configuration, and if connected to the local LAN I use NAT-LOOPBACK to translate the public IP on these specific ports back to the local IP address of the camera.
The traffic is being generated from the mobile device and is destined to the public IP of the router, but there must be something I'm missing because I can't see any matches on the NAT-LOOPBACK access list.

I have heard of NAT loopback or NAT hairpinning, and this feature is available in some SOHO routers, but unfortunately you cannot configure it in a Cisco IOS device.

One workaround to the problem is to use a local DNS server or local host mapping on the device. When the device gets a local IP from the DHCP server, it also gets a DNS server. This DNS will map the name of the camera that you use in the outside world to the internal IP of the camera. When your device is connected to the Internet, it will get a DNS server from the Internet provider, which will map the name of the camera to your outside IP.

Regards, LG
*** Please Rate All Helpful Responses ***
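One way to implement the local-DNS workaround LG describes on the 1921 itself, as an added example that is not part of the original thread and not LG's configuration: the IOS DNS server answers the camera's hostname with the LAN address for clients that receive the router as their DNS server, and forwards every other query to the public resolvers already present in the config. The hostname camera.example.com is a placeholder for whatever name the public DNS maps to 91.233.139.69; this only helps if the mobile app accepts a hostname, since the original post says it takes a single IP address.

```cisco
! Added example (not from the thread): split-horizon DNS on the 1921
! camera.example.com is a placeholder; use the name that public DNS
! resolves to the router's public address
ip dns server
ip host camera.example.com 192.168.1.145
!
! Queries for any other name are forwarded to these resolvers
! (they are already in the original config)
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
! LAN clients now get the router, not the public resolvers,
! as their DNS server; the rest of the pool is unchanged
ip dhcp pool DPOOL10
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.1
 lease 3
!
! Verification from the router: the static host entry should be listed
! show hosts
```

Two things to check after applying this: a LAN client must renew its DHCP lease before it picks up 192.168.1.1 as its resolver, and `ip dns server` answers on every interface of the router, so an inbound ACL on Dialer1 that blocks TCP and UDP port 53 is needed to keep the router from becoming an open resolver on the Internet.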

ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.145 1981 interface Dialer1 1981
ip nat inside source static tcp 192.168.1.145 2000 interface Dialer1 2000
ip nat inside source static tcp 192.168.1.145 8045 interface Dialer1 8045
ip nat inside source static tcp 192.168.1.145 5541 interface Dialer1 5541
ip nat inside source static udp 192.168.1.145 8045 interface Dialer1 8045
ip nat inside source static udp 192.168.1.145 2000 interface Dialer1 2000
ip nat inside source list NAT-LOOPBACK interface Dialer1 overload <<- NOT NEEDED since there is static NAT for these IP/L4 ports
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended NAT-LOOPBACK
permit tcp 192.168.1.0 0.0.0.255 host 91.233.139.69 eq 1981
permit tcp 192.168.1.0 0.0.0.255 host 91.233.139.69 eq 2000
permit tcp 192.168.1.0 0.0.0.255 host 91.233.139.69 eq 8045
permit tcp 192.168.1.0 0.0.0.255 host 91.233.139.69 eq 5541
permit udp 192.168.1.0 0.0.0.255 host 91.233.139.69 eq 8045
permit udp 192.168.1.0 0.0.0.255 host 91.233.139.69 eq 2000

MHM

First, I see a loopback, but I don't see any NAT config under the loopback?

Second, if the DNS server is outside, then I think the failure of the local client to connect to the public IP of the camera may be because the NAT is also NATing the IP inside the DNS reply.

In a FW this is called the DNS doctoring feature; in IOS, try using

no-payload with static NAT. This prevents NAT from NATing the IP inside the DNS reply, and hence the local client can access the camera using its public IP.

MHM

Hello


@Jaroslaw Gal wrote:

 The scenario involves a video door entry system that needs to be accessible via the public IP address of the router from both the LAN and the "outside world." This seems


What you require is to hairpin the network translation, and there are two ways that I'm aware of that this can be accomplished:
using either domain NAT (inside/outside) or domainless NAT (see attached file).

The most simplistic way (Example 1 - domainless NAT)
The more convoluted way (Example 2 - domain NAT)


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
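Paul's attached file is not part of this page. The following is an added example of the first option he names, domainless NAT (the NVI form, with `ip nat enable` on both interfaces and no `ip nat inside`/`ip nat outside`), written as a replacement for the NAT section of the original configuration; it is not Paul's configuration and has not been taken from his attachment. With NVI, translation is applied on every NAT-enabled interface regardless of direction, so a LAN host sending to the public address has its destination rewritten to 192.168.1.145 and its source rewritten to the Dialer1 address, which is what gives the hairpinned flow a return path through the router. Note that the original config carries both `ip nat inside`/`ip nat outside` and `ip nat enable` on Vlan10 and Dialer1; the two models should not be mixed on one interface, which is why the example removes the domain-based commands first. One assumption: that the `interface Dialer1` form of `ip nat source static` is accepted on this IOS release; if it is rejected, substitute the fixed public address 91.233.139.69 that the NAT-LOOPBACK ACL already hard-codes.

```cisco
! Added example (not Paul's file): NVI / domainless NAT hairpin for the camera
!
! 1. Remove the domain-based NAT; if IOS refuses because mappings are in use,
!    run "clear ip nat translation *" first
no ip nat inside source list 1 interface Dialer1 overload
no ip nat inside source list NAT-LOOPBACK interface Dialer1 overload
no ip nat inside source static tcp 192.168.1.145 1981 interface Dialer1 1981
no ip nat inside source static tcp 192.168.1.145 2000 interface Dialer1 2000
no ip nat inside source static tcp 192.168.1.145 8045 interface Dialer1 8045
no ip nat inside source static tcp 192.168.1.145 5541 interface Dialer1 5541
no ip nat inside source static udp 192.168.1.145 8045 interface Dialer1 8045
no ip nat inside source static udp 192.168.1.145 2000 interface Dialer1 2000
!
! 2. Interfaces carry only "ip nat enable" (NVI), never inside/outside as well
interface Vlan10
 no ip nat inside
 ip nat enable
!
interface Dialer1
 no ip nat outside
 ip nat enable
!
! 3. Dynamic PAT for the LAN; on a hairpinned flow this also rewrites the
!    LAN source to the Dialer1 address so the camera replies via the router
ip nat source list 1 interface Dialer1 overload
!
! 4. The same port forwards, now domainless
!    ("interface Dialer1" form assumed; else use 91.233.139.69)
ip nat source static tcp 192.168.1.145 1981 interface Dialer1 1981
ip nat source static tcp 192.168.1.145 2000 interface Dialer1 2000
ip nat source static tcp 192.168.1.145 8045 interface Dialer1 8045
ip nat source static tcp 192.168.1.145 5541 interface Dialer1 5541
ip nat source static udp 192.168.1.145 8045 interface Dialer1 8045
ip nat source static udp 192.168.1.145 2000 interface Dialer1 2000
!
! ACL 1 is unchanged from the original config; NAT-LOOPBACK is no longer referenced
access-list 1 permit 192.168.1.0 0.0.0.255
!
! 5. Verify: open the app on a LAN phone against the public address, then
! show ip nat nvi translations
! show ip nat nvi statistics
```

After the change, `show ip nat nvi translations` should list an entry for each camera port with the phone's LAN address as the source and the Dialer1 address as the translated source. One consequence worth knowing on the camera side: every hairpinned connection arrives at 192.168.1.145 with the router's public address as its source, so the camera's own access log can no longer tell a LAN phone from an Internet client.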

@paul driver Thank you for your reply. I will have few questions here:

1. The whole network uses the 192.168.1.0/24 address space, and some of the devices are statically configured with their IPs. These devices communicate with Ampio home automation controllers, and I don't want to change the address space, because I have no access to the Ampio devices. Having that in mind, should I change the IP address of the Loopback interface? And if so, what address should I use? Should I swap the IPs between the Lo and VLAN10 interfaces to keep the same addressing on the local LAN?

2. I don't understand these bits of config:

A):
ip access-list extended public-nat
deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip host 192.168.1.145 any

I'm denying traffic that is destined to the local LAN and permitting traffic that is destined to the camera? How about the traffic that needs to flow between devices on that LAN?

B)
I can see that this ACL (public-nat) is used as the NAT source list on Dialer1 as well as for the hairpin NAT, but I can't see any ACL that would match traffic from the LAN heading towards the outside world. How will this type of traffic be handled with this configuration?

C)
In regards to these parts:

route-map PBR
set interface loopback 0

and

int loopback 0
ip nat inside

and

int vlan 10
lan facing
no ip nat inside
no ip nat enable
ip nat outside
no ip redirects
ip policy-route PBR

My understanding is that all traffic that hits the VLAN10 interface will be forwarded to the Loopback 0 interface. But I'm not sure what the order of operations on this router is... what takes precedence here, the route map or the NAT rule?
How is the traffic to the outside world going to be handled?

What would be the best IP subnet for the Loopback interface; does it actually matter?

Why does the VLAN 10 interface have "ip nat outside"?

Yep... I think that's enough questions for one post. I would greatly appreciate answers to them!

PS. I removed the Lo interface so it will not confuse anyone... 

Thank you in advance,

Yarik
