02-12-2013 07:25 AM - edited 03-04-2019 07:00 PM
Hi
I have a Cisco 880 (Version 15.0(1)M6) router and have problems accessing an internal server using its external IP (as far as I found, it is called “NAT loopback” or “reverse NAT”). It works well on a cheap Linksys RV082, but I can’t get it to work on my device. I have only one external IP address.
I read somewhere that it is not possible.
Could you confirm this, or is there a way to get it running?
02-12-2013 07:39 AM
Piotr,
We can try getting this working using some hacks including the NAT loopback, but the point is that all communication of the internal network with your server will need to go through the router which has, frankly, a rather poor throughput. I would try avoiding this if possible. Is there any reason why you need to talk to your internal server by its external IP address?
Best regards,
Peter
02-12-2013 07:46 AM
Peter,
Thank you for your reply.
I don’t worry about poor throughput at all. My point is to simplify accessing our support server from the internal network. Obviously I could use the internal IP, but to make it nicer I would like to use the DNS name, the same as for external access. And I don’t have a DNS server, as all name resolution requests go to the ISP's DNS.
02-12-2013 09:03 AM
What you want, sir, is unfortunately not possible; it is not supported by Cisco IOS (the NAT loopback function, also called NAT reflection / NAT hairpinning / NAT on a stick). The only solution I have for you is to either use a local DNS server that supports your need or modify the hosts file of the PC.
02-13-2013 03:50 AM
Thank you Remco,
I will use DNS in this case, but I'm a little bit disappointed about Cisco IOS.
02-13-2013 04:17 AM
You don't need to be disappointed, as there are many workarounds. One is Peter's suggestion with the NAT loopback. A much easier one could be to enable the DNS server on the router:
! FQDN and real IP of your server
ip host www.example.net 10.10.10.10
! IP of your ISP-DNS
ip name-server 8.8.8.8
ip dns server
Now point the DNS of your internal clients to the router and each time they try to resolve www.example.net they get 10.10.10.10 instead of the real public IP.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
02-13-2013 04:20 AM
Thanks Karsten,
I've done it this way and it is working well, but my point is it would be easier to have NAT loopback.
02-13-2013 04:32 AM
NAT loopback is a PITA to configure. But if you want, you can configure it. A starting point is the following:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
02-13-2013 05:49 AM
Hmm, I'm confused. As per Remco's answer, I thought it was impossible?
02-13-2013 05:58 AM
It's nothing you can switch on or off like on other systems. I think that's what he meant.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
02-13-2013 06:01 AM
Ok, does make sense. Thanks
06-25-2014 05:59 AM
Sorry for restarting this old, old thread. I'm having the same issue too. I understand there might not be an easy way, but I'm mostly confused as to how cheap, dumb consumer routers don't have this problem and pro/semi-pro Cisco routers do.
01-12-2015 03:28 PM
Hi.
What you are looking to do is perform REVERSE PORT ADDRESS TRANSLATION.
People call it all sorts of crazy things like: NAT Hairpinning, NAT-on-a-stick, NAT reflecting, and NAT loopback.
Just to clear this up: hairpinning is a technique used in a NAT-on-a-stick configuration that involves having the NAT "loopback" the traffic. This sounds like what you want, but is very likely NOT what you want. These configurations in their simple form have only one interface. They practically turn a router into a NAT server for a switched network.
It is difficult to get to these kind of questions using Google, so I will rephrase:
If you cannot reach an internal server using the GLOBAL IP address and port, then this post is FOR YOU!
You have to configure another type of NAT called NVI instead of traditional NAT.
To configure NAT NVI you substitute:
ip nat outside or ip nat inside for ip nat enable in interface configuration mode.
ip nat inside source static a.b.c.d xx int fa0 yy for ip nat source static a.b.c.d xx int fa0 yy in global configuration mode.
ip nat source route-map NAT_MAP interface Dialer1 overload for ip nat inside source route-map NAT_MAP interface Dialer1 overload in global configuration mode.
Now, you should be able to access your web server from the LAN using the GLOBAL IP ADDRESS.
This is GREAT, right?! Not so if you have a dynamic IP address, because as soon as the router reboots, it will start up, and the NAT entries will be classical NAT entries instead of NVI entries. This breaks "port forwarding" in general, so I wrote a script to re-enter the statements as soon as the interface is placed in up status. I'm just going to leave this here, and if anybody needs help, feel free to ask.
(BTW, you can tell this is happening to you if you have ip nat source static ... statements visible in the output of show ip nat translations instead of ip nat nvi translations.)
The script is available here:
https://github.com/vittorio88/cisco-scripts/blob/master/fix_nvi.tcl
Save it, and copy it to the router. Look inside the file for how to configure IOS to use the script.
Good Luck!
P.S. Enabling NVI makes your router take a slight performance hit. This may be more notable on older routers or 800 series.
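The classic-to-NVI change described in the post above, written out as a full configuration. This is an added example, not the poster's own configuration: the interface names (Vlan1, Dialer1), the 10.10.10.0/24 LAN, the server 10.10.10.10 on TCP port 80 and ACL 1 are assumptions chosen for illustration.

```cisco
! --- Before: classic (domain-based) NAT ---
! Interfaces are marked inside/outside; the router only translates
! traffic crossing from one domain to the other, so a LAN client
! cannot reach the server through the router's global address.
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
access-list 1 permit 10.10.10.0 0.0.0.255
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.10 80 interface Dialer1 80

! --- After: NAT Virtual Interface (NVI) ---
! Remove the classic statements first, then mark both interfaces
! with "ip nat enable" and drop the word "inside" from the rules.
no ip nat inside source static tcp 10.10.10.10 80 interface Dialer1 80
no ip nat inside source list 1 interface Dialer1 overload
!
interface Vlan1
 no ip nat inside
 ip nat enable
!
interface Dialer1
 no ip nat outside
 ip nat enable
!
! PAT for LAN clients going out
ip nat source list 1 interface Dialer1 overload
! Port forward to the internal server (assumed 10.10.10.10:80)
ip nat source static tcp 10.10.10.10 80 interface Dialer1 80

! --- Check ---
! NVI entries are listed separately from classic NAT entries:
!   show ip nat nvi translations
```

Because NVI publishes the forward to every interface with `ip nat enable`, review the access lists on the WAN interface after the change so that only the intended port is reachable from outside.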
01-26-2015 06:54 AM
Hi,
found a solution!
You have to configure a Twice NAT, to change the Source and Destination.
Regards,
Sven