cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1950
Views
0
Helpful
31
Replies
Highlighted
Beginner

NAT loopback

Hi.

 

I'm wondering about NAT loopback.

 

My problem is this:

 

I have 1 router Cisco 2911 that is the default gateway of the network. Then I have 1 web server and 1 PC on the internal network.

 

Router: 192.168.10.1

server: 192.168.10.20

PC: 192.168.10.10

 

the routers external IP is 10.0.0.1 /24

I have done the following: ip nat inside source static 192.168.10.20 10.0.0.10

 

I want my PC to be able to reach the web sites on the server through the "external address". Is that possible, to go out through the router and back in again?

 

Kind regards, Tommy

31 REPLIES 31
Highlighted
Beginner

Found this thread and have kind of the same question, is it not possible in Cisco routers running IOS but possible in other brands and cheaper models?

 

https://supportforums.cisco.com/discussion/11734176/nat-loopback

 

Highlighted
Rising star

Using traditional inside/outside NAT, no... but using NVI (NAT Virtual Interface) should do it for you.

interface WAN
ip nat enable
!
interface LAN
ip nat enable
!
ip nat source static 192.168.10.20 10.0.0.10

 

Highlighted
VIP Mentor

Hello

 

Please read this previous post -  here

 

res

Paul



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Highlighted

Hi.

 

Here is my config now and I can't seem to get it working. Any ideas why?

 

Kind regards, Tommy

Highlighted

And just so there's no confusion.

 

This works:

172.16.40.12 -> 172.16.40.11:80

"externally" -> 192.168.99.250 -NAT-> 172.16.40.11:80

 

This does not work:

172.16.40.12 -> 192.168.99.250 -NAT-> 172.16.40.11:80

Highlighted

Hello

Where  does the 172.16.40.12 come into this ?

your private addressing is 192.168.20.x/24
you external addressing is 10.0.0.0/24

 

Also, try and add the following:

interface GigabitEthernet0/0
no ip nat inside
ip nat enable

interface GigabitEthernet0/1

no ip nat inside
ip nat enable
 

access-list 10 permit 192.168.10.0 0.0.0.255

no ip nat inside source static 192.168.10.20 10.0.0.10
ip nat isource list 10 pool GlOBAL overload
ip nat source static tcp 192.168.10.20 80 10.0.0.10 80

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 x.x.x.x (nexthop ip)




res

Paul



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Highlighted

Oh sorry I have changed the config to what I believed would be the solution as of looking at your previous answer.

 

Here it is again.

Please advise on what could be wrong with it.

Highlighted

Hello

Can you access this server via port 80 - try telneting to it
telnet x.x.x.x 80

also

 

sh ip nat nvi translations



res

Paul



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Highlighted

http://192.168.99.250 works great if I'm doing it from a host on the network 192.168.99.0/24. It's NATed and everything works as expected. If I do the same thing from network 172.16.40.0/24 it doesn't work.

 

Router01#sh ip nat nvi translations
Pro Source global      Source local       Destin  local      Destin  global
tcp 192.168.99.250:80  172.16.40.11:80    ---                ---
tcp 192.168.99.250:49901 172.16.40.11:49901 173.194.71.100:443 173.194.71.100:443
udp 192.168.99.250:50743 172.16.40.11:50743 8.8.8.8:53       8.8.8.8:53
tcp 192.168.99.250:62194 172.16.40.12:62194 194.132.162.248:80 194.132.162.248:80
tcp 192.168.99.250:62238 172.16.40.12:62238 64.233.161.189:443 64.233.161.189:443
tcp 192.168.99.250:62747 172.16.40.12:62747 192.168.98.3:389 192.168.98.3:389
tcp 192.168.99.250:62751 172.16.40.12:62751 192.168.98.3:389 192.168.98.3:389
tcp 192.168.99.250:62752 172.16.40.12:62752 192.168.98.3:389 192.168.98.3:389
tcp 192.168.99.35:62838 192.168.99.35:62838 192.168.99.250:80 172.16.40.11:80
tcp 192.168.99.35:62839 192.168.99.35:62839 192.168.99.250:80 172.16.40.11:80

 

Highlighted

Hello

hum I've have just labbed this up and it  works for me using domainless nat

Can you clear the nat table and try again.

 

clear ip nat nvi  translations *

 

 

Lanrtr#clear ip nat nvi translation *
Lanrtr#sh ip nat nvi translations
Pro Source global      Source local       Destin  local      Destin  global
tcp 192.168.99.250:80  172.16.40.11:80    ---                ---

Host#172.16.40.11 80
Trying 172.16.40.11, 80 ... Open

Host#192.168.99.250 80
Trying 192.168.99.250, 80 ... Open
 

Lanrtr#sh ip nat nvi translations
Pro Source global      Source local       Destin  local      Destin  global
tcp 192.168.99.250:55257 172.16.40.3:55257 192.168.99.250:80 172.16.40.11:80
tcp 192.168.99.250:80  172.16.40.11:80    ---                ---
 

*Dec 18 17:29:30.274: NAT: s=172.16.40.3->192.168.99.250, d=192.168.99.250 [63979]
*Dec 18 17:29:30.274: NAT: s=192.168.99.250, d=192.168.99.250->172.16.40.11 [63979]
*Dec 18 17:29:30.278: NAT: s=172.16.40.11->192.168.99.250, d=192.168.99.250 [35113]
*Dec 18 17:29:30.278: NAT: s=192.168.99.250, d=192.168.99.250->172.1
 

 

res

Paul



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Highlighted

Hi,

 

I'm not sure I understand. This is my NAT rule for right now

ip nat source static tcp 172.16.40.11 80 192.168.99.250 80 extendable

 

I don't see how I can configure it like you wanted above, shouldn't I start with the "Source local IP address" which should be the PC with IP 172.16.40.11

 

Kind Regards, Tommy

 

 

EDIT: It didn't work to access the site even "externally" when I changed the:

ip nat source static tcp 172.16.40.11 80 192.168.99.250 80 extendable

To:

ip nat source static tcp 192.168.99.250 80 172.16.40.11 80 

 

I really appreciate the help btw!

Highlighted

Oh sorry I didn't see the comment.

 

Here is my output:

 

Router01#clear ip nat nvi  translation *
Router01#sh ip nat nvi translations
Pro Source global      Source local       Destin  local      Destin  global
tcp 192.168.99.250:80  172.16.40.11:80    ---                ---
icmp 192.168.99.250:1  172.16.40.13:1     8.8.8.8:1          8.8.8.8:1
udp 192.168.99.250:137 172.16.40.13:137   172.16.40.255:137  172.16.40.255:137
udp 192.168.99.250:55373 172.16.40.13:55373 8.8.8.8:53       8.8.8.8:53
tcp 192.168.99.250:57311 172.16.40.13:57311 192.168.99.17:12321 192.168.99.17:12321
tcp 192.168.99.250:57314 172.16.40.13:57314 192.168.99.17:12331 192.168.99.17:12331
tcp 192.168.99.250:57329 172.16.40.13:57329 192.168.101.28:10001 192.168.101.28:10001
tcp 192.168.99.250:57342 172.16.40.13:57342 192.168.99.17:12331 192.168.99.17:12331
tcp 192.168.99.250:57343 172.16.40.13:57343 173.194.71.113:443 173.194.71.113:443

 

 

Still doesn't work going from 172.16.40.12 to 192.168.99.250 on port 80.

When I go direct from 172.16.40.12 to 172.16.40.11 on port 80 it works.

 

I attached my config aswell if you can spot any difference to your own.

 

Kind regards, Tommy.

Highlighted

Hello

 

1) is this a live environment - not GNS lab correct,

2) What these 192.168.99.17, 192.168.101.28
3) this 192.168.99.254 is your WAN nexthop correct not a recursive nexthop

 

The test I did for your issue was on real hardware and attached is another lab I did from for previous post on gns

res

Paul
 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Highlighted

Hi and many thanks for all the help so far!

 

1) Yes it's live with a Cisco 2911 router, a layer 2 switch and a couple of windows 7 PCs.

2) Those are other PCs on the network. The 192.168.99.0/24 is my "external" network in my lab but also my usual LAN network for my PC.

3) Yes 192.168.99.254 is my usual default gateway so the traffic out from my lab enviroment is being duouble NATed.

 

I mean your setups looks kinda like mine so I don't really get why it won't work. How I'm testing this is with a browser on a PC on the 192.168.99.0/24 network and a PC on 172.16.40.12. Both trying to reach the NATed address of 192.168.99.250. On the external PC it works fine and on the internal one it doesn't. I'll give my config another look I guess, or did you see anything that might be of interest?

 

Super big thanks again from Sweden!