NAT loopback

Tommy Svensson
Level 1

Hi.

I'm wondering about NAT loopback.

My problem is this:

I have 1 router Cisco 2911 that is the default gateway of the network. Then I have 1 web server and 1 PC on the internal network.

Router: 192.168.10.1

Server: 192.168.10.20

PC: 192.168.10.10

The router's external IP is 10.0.0.1 /24

I have done the following: ip nat inside source static 192.168.10.20 10.0.0.10

I want my PC to be able to reach the web sites on the server through the "external address". Is that possible, to go out through the router and back in again?

Kind regards, Tommy

31 Replies

Hello

Just noticed your updated config further below;

Can you try using a standard acl in your nat statement instead?

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for the quick reply.

 

I did but it's the same result:

172.16.40.12 -> 192.168.99.250 on port 80 doesn't work.

 

Here is the current config.

Tommy Svensson
Level 1

Is there anyone that might have a suggestion on how to fix this? 

 

Kind regards, Tommy

Hello

Did you read my edited post?

I labbed this up and it worked. So can you confirm your config again, as I don't see why it should not work for you.

 

res

Paul



I can back Paul on this. I just loaded this up on my router and had no trouble:

interface GigabitEthernet0/0
 description LAN
 ip nat enable
!
interface GigabitEthernet0/1
 description WAN
 ip nat enable
!
object-group network OG_RFC1918 
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
!
ip access-list extended ACL_NAT_NVI
 permit ip object-group OG_RFC1918 any
!
route-map RM_NAT_NVI permit 10
 match ip address ACL_NAT_NVI
 match interface GigabitEthernet0/1
!
ip nat source route-map RM_NAT_NVI interface GigabitEthernet0/1 overload
ip nat source static tcp 172.23.0.2 80 interface GigabitEthernet0/1 80

Opening a web browser to my public IPv4 address on GigabitEthernet0/1 from a client on the LAN interface brings up the web page without any difficulty.

Are you able to open a telnet session from the router to 80/tcp on your web server using the WAN interface as the source? If there's a routing problem on the host preventing traffic from getting back, that will trip things up.

---
Jody Lemoine, Network Architect
CCIE 41436, MTCRE, MTCINE, MTCIPv6E
tishco networks, Virtually Everywhere
(905) 378-1134, jody.lemoine@tishco.ca

Hi.

 

No, it doesn't work unfortunately. The config is the same as the last message with Paul if you wanna take a look. On the PC it's nothing special done and it works externally to access the PC on port 80.

Router01#telnet 192.168.99.250 80 /source-interface gigabitEthernet 0/1
Trying 192.168.99.250, 80 ...
% Connection timed out; remote host not responding

 

It also works to telnet from 192.168.99.254 that is my "external" default gateway.

SWITCH_L3_1#telnet 192.168.99.250 80
Trying 192.168.99.250, 80 ... Open

 

 

The fact that you can't connect from the router using the outside interface makes me think that this goes beyond a NAT problem. If your web server is using your router as the default gateway, you should be able to connect to it using the WAN interface of the router as a source... regardless of the NAT configuration.

A few questions to ask here. Is the web server using the router as its default gateway? Does the web server have any other interfaces on it? Is there any kind of host-based firewall active that is restricting connections from specific sources?

---
Jody Lemoine, Network Architect
CCIE 41436, MTCRE, MTCINE, MTCIPv6E
tishco networks, Virtually Everywhere
(905) 378-1134, jody.lemoine@tishco.ca

Hold on... missed something there. Scratch that. Can you try connecting to the web server's actual IP address using GigabitEthernet0/1 as the source? Not worried about the NAT address at this point.

---
Jody Lemoine, Network Architect
CCIE 41436, MTCRE, MTCINE, MTCIPv6E
tishco networks, Virtually Everywhere
(905) 378-1134, jody.lemoine@tishco.ca

Hi.

 

That worked fine.

Router01#telnet 172.16.40.11 80 /source-interface gigabitEthernet 0/1
Trying 172.16.40.11, 80 ... Open

 

I also added the route print from the webserver. It does only have one interface and one default gateway.

 

Kind regards, Tommy

I put in your config but still it won't work.

Could you take a look so I did it correctly?

 

Kind regards, Tommy

Hello

Makes me think possible IOS ..

what version are you using?

res

Paul

 



Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)

 

Could it be this version?

 

Kind regards, Tommy

 

Hi.

 

Did anyone figure out anything about this? Is it a problem with my IOS version?

 

Kind regards, Tommy

It's possible. 15.2.4M2 has been superseded by a number of patch releases since then. Last I looked it was up to 15.2.4M6a. Personally, I've been standardizing on 15.3.3M4 for all of my ISR G2s.

---
Jody Lemoine, Network Architect
CCIE 41436, MTCRE, MTCINE, MTCIPv6E
tishco networks, Virtually Everywhere
(905) 378-1134, jody.lemoine@tishco.ca

Hi.

 

I got hold of Version 15.4(2)T1 as I posted above but it still won't work accessing the site's NATed IP from the LAN. Here's my config as well.

 

Kind regards,