NAT loopback

Piotr Kowalczyk
Level 1

Hi

I have a Cisco 880 (Version 15.0(1)M6) router and have problems accessing an internal server using the external IP (as far as I found, it is called “NAT loopback” or “reverse NAT”). It works well on a cheap Linksys RV082, but I can’t get it to work on my device. I have only one external IP address.

I read somewhere that it is not possible.

Could you confirm this, or is there a way to get it running?

2 Accepted Solutions

SlevinKelevra
Level 1

What you want, sir, is unfortunately not possible; it is not supported by Cisco IOS (the NAT loopback function, also called NAT reflection / NAT hairpinning / NAT on a stick). The only solution I have for you is either to use a local DNS server that supports your need or to modify the hosts file of the PC.

It's nothing you can switch on or off like on other systems. I think that's what he meant.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

13 Replies

Peter Paluch
Cisco Employee

Piotr,

We can try getting this working using some hacks including the NAT loopback, but the point is that all communication of the internal network with your server will need to go through the router which has, frankly, a rather poor throughput. I would try avoiding this if possible. Is there any reason why you need to talk to your internal server by its external IP address?

Best regards,

Peter

Peter,

Thank you for your reply.

I’m not worried about poor throughput at all. My point is to simplify accessing our support server from the internal network. Obviously I could use the internal IP, but to make it nicer I would like to use the DNS name, the same as for external access. And I don’t have a DNS server, as all name resolution requests go to the ISP's DNS server.

SlevinKelevra
Level 1

What you want, sir, is unfortunately not possible; it is not supported by Cisco IOS (the NAT loopback function, also called NAT reflection / NAT hairpinning / NAT on a stick). The only solution I have for you is either to use a local DNS server that supports your need or to modify the hosts file of the PC.

Thank you Remco,

I will use DNS in this case, but I am a little bit disappointed with Cisco IOS.

You don't need to be disappointed, as there are many ways to work around this. One is Peter's suggestion with the NAT loopback. A much easier one could be to enable the DNS server on the router:

ip host www.example.net 10.10.10.10  ! FQDN and real IP of your server

ip name-server 8.8.8.8               ! IP of your ISP-DNS

ip dns server

Now point the DNS of your internal clients to the router and each time they try to resolve www.example.net they get 10.10.10.10 instead of the real public IP.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
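The split-DNS workaround from the post above, as an added example that is not part of the original post: `ip dns server` answers queries arriving on any interface, so the router should not be left reachable as a resolver from the WAN side. The interface name FastEthernet4 and the ACL name WAN-IN are assumptions; the host name and addresses are the ones used in the post.

```ios
! Added example, not from the original post.
! Assumptions: FastEthernet4 is the WAN interface, WAN-IN is a new ACL name.
!
! Split DNS as described in the post: LAN clients that use the router as
! their resolver get the private address of the server.
ip host www.example.net 10.10.10.10
ip name-server 8.8.8.8
ip dns server
!
! Drop DNS queries that arrive from the Internet so the router cannot be
! used as an open resolver. Replies from the upstream resolver come back
! with source port 53 and an ephemeral destination port, so they do not
! match these deny lines.
ip access-list extended WAN-IN
 deny   udp any any eq domain
 deny   tcp any any eq domain
 permit ip any any
!
! If the WAN interface already has an inbound ACL, add the two deny lines
! to that ACL instead of replacing it.
interface FastEthernet4
 ip access-group WAN-IN in
!
! Check from exec mode:
!   show ip access-lists WAN-IN    (deny counters rise when queries are dropped)
!   show hosts                     (lists the static www.example.net entry)
```

If a DNS service is deliberately published through the router, the two deny lines need a preceding permit for that service.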

Thanks Karsten,

I've done it this way and it is working well, but my point is that it would be easier to have NAT loopback.

NAT loopback is a PITA to configure. But if you want, you can configure it. A starting point is the following:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hmm, I'm confused. As per Remco's answer, I thought it was impossible?

It's nothing you can switch on or off like on other systems. I think that's what he meant.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Ok, does make sense. Thanks

Sorry for reviving this old, old thread. I'm having the same issue as well. I understand there might not be an easy way, but I'm mostly confused as to how cheap, dumb consumer routers don't have this problem and pro/semi-pro Cisco routers have this problem.

Hi.

What you are looking to do is perform REVERSE PORT ADDRESS TRANSLATION.

People call it all sorts of crazy things like: NAT Hairpinning, NAT-on-a-stick, NAT reflecting, and NAT loopback.

Just to clear this up: hairpinning is a technique used in a NAT-on-a-stick configuration that involves having the NAT "loopback" the traffic. This sounds like what you want, but is very likely NOT what you want. These configurations in their simple form have only one interface. They practically turn a router into a NAT server to a switched network.

It is difficult to get to these kind of questions using Google, so I will rephrase:

If you cannot reach an internal server using the GLOBAL IP address and port, then this post is FOR YOU!

You have to configure another type of NAT called NVI instead of traditional NAT.

To configure NAT NVI you substitute:

ip nat outside or ip nat inside for ip nat enable in interface configuration mode.

ip nat inside source static a.b.c.d xx int fa0 yy for ip nat source static a.b.c.d xx int fa0 yy in global configuration mode.

ip nat source route-map NAT_MAP interface Dialer1 overload for ip nat inside source route-map NAT_MAP interface Dialer1 overload in global configuration mode.

Now, you should be able to access your web server from the LAN using the GLOBAL IP ADDRESS.

This is GREAT, right?! Not so if you have a dynamic IP address, because as soon as the router reboots, it will start up, and the NAT entries will be classical NAT entries instead of NVI entries. This breaks "port forwarding" in general, so I wrote a script to re-enter the statements as soon as the interface is placed in up status. I'm just going to leave this here, and if anybody needs help feel free to ask.

(BTW, you can tell this is happening to you if you have ip nat source static ... statements visible in the output of show ip nat translations instead of ip nat nvi translations.)

The script is available here:

https://github.com/vittorio88/cisco-scripts/blob/master/fix_nvi.tcl

Save it, and copy it to the router. Look inside the file for how to configure IOS to use the script.

Good Luck!

P.S. Enabling NVI makes your router take a slight performance hit. This may be more notable on older routers or 800 series.
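A complete before/after for the NVI approach described in the post above, as an added example that is not the poster's own configuration. The LAN and WAN interface names, the 10.10.10.0/24 subnet, the server address and TCP port 80 are all assumptions made for illustration.

```ios
! Added example, not from the original post.
! Assumptions: Vlan1 = LAN 10.10.10.0/24, FastEthernet4 = WAN (dynamic address),
! web server at 10.10.10.10 published on TCP 80.
!
! --- Before: classic domain-based NAT (shown as comments) ---
! interface Vlan1
!  ip nat inside
! interface FastEthernet4
!  ip nat outside
! ip nat inside source list 1 interface FastEthernet4 overload
! ip nat inside source static tcp 10.10.10.10 80 interface FastEthernet4 80
!
! --- After: NVI ---
access-list 1 permit 10.10.10.0 0.0.0.255
!
! Remove the classic rules first. If IOS refuses because translations are
! still active, run "clear ip nat translation *" from exec mode and retry.
no ip nat inside source static tcp 10.10.10.10 80 interface FastEthernet4 80
no ip nat inside source list 1 interface FastEthernet4 overload
!
! NVI has no inside/outside domains: every interface that takes part in
! translation gets "ip nat enable".
interface Vlan1
 no ip nat inside
 ip nat enable
!
interface FastEthernet4
 no ip nat outside
 ip nat enable
!
! Same rules without the "inside" keyword.
ip nat source list 1 interface FastEthernet4 overload
ip nat source static tcp 10.10.10.10 80 interface FastEthernet4 80
!
! Verify from exec mode:
!   show ip nat nvi translations   (the static entry should be listed here)
!   show ip nat translations       (should no longer list it)
```

Apply the change from the console or during a maintenance window, since removing the classic rules interrupts existing translated sessions.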

Sven Kutzer
Level 1

Hi,

Found a solution!

You have to configure a Twice NAT to change the source and destination.

Regards,

Sven
