11-24-2014 01:12 PM - edited 03-05-2019 12:13 AM
Hi.
I'm wondering about NAT loopback.
My problem is this:
I have 1 router Cisco 2911 that is the default gateway of the network. Then I have 1 web server and 1 PC on the internal network.
Router: 192.168.10.1
server: 192.168.10.20
PC: 192.168.10.10
The router's external IP is 10.0.0.1 /24
I have done the following: ip nat inside source static 192.168.10.20 10.0.0.10
I want my PC to be able to reach the web sites on the server through the "external address". Is that possible, to go out through the router and back in again?
Kind regards, Tommy
11-24-2014 01:27 PM
Found this thread and have kind of the same question, is it not possible in Cisco routers running IOS but possible in other brands and cheaper models?
https://supportforums.cisco.com/discussion/11734176/nat-loopback
11-25-2014 12:38 PM
Using traditional inside/outside NAT, no... but using NVI (NAT Virtual Interface) should do it for you.
interface WAN
 ip nat enable
!
interface LAN
 ip nat enable
!
ip nat source static 192.168.10.20 10.0.0.10
11-25-2014 03:10 PM
Hello
Please read this previous post - here
res
Paul
12-17-2014 01:17 AM
12-17-2014 01:25 AM
And just so there's no confusion.
This works:
172.16.40.12 -> 172.16.40.11:80
"externally" -> 192.168.99.250 -NAT-> 172.16.40.11:80
This does not work:
172.16.40.12 -> 192.168.99.250 -NAT-> 172.16.40.11:80
12-17-2014 02:51 AM
Hello
Where does the 172.16.40.12 come into this ?
your private addressing is 192.168.20.x/24
your external addressing is 10.0.0.0/24
Also, try and add the following:
interface GigabitEthernet0/0
 no ip nat inside
 ip nat enable
interface GigabitEthernet0/1
 no ip nat inside
 ip nat enable
access-list 10 permit 192.168.10.0 0.0.0.255
no ip nat inside source static 192.168.10.20 10.0.0.10
ip nat source list 10 pool GlOBAL overload
ip nat source static tcp 192.168.10.20 80 10.0.0.10 80
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 x.x.x.x (nexthop ip)
res
Paul
12-17-2014 03:06 AM
12-17-2014 04:47 AM
Hello
Can you access this server via port 80? Try telnetting to it:
telnet x.x.x.x 80
also
sh ip nat nvi translations
res
Paul
12-17-2014 05:57 AM
http://192.168.99.250 works great if I'm doing it from a host on the network 192.168.99.0/24. It's NATed and everything works as expected. If I do the same thing from network 172.16.40.0/24 it doesn't work.
Router01#sh ip nat nvi translations
Pro  Source global         Source local        Destin local        Destin global
tcp  192.168.99.250:80     172.16.40.11:80     ---                 ---
tcp  192.168.99.250:49901  172.16.40.11:49901  173.194.71.100:443  173.194.71.100:443
udp  192.168.99.250:50743  172.16.40.11:50743  8.8.8.8:53          8.8.8.8:53
tcp  192.168.99.250:62194  172.16.40.12:62194  194.132.162.248:80  194.132.162.248:80
tcp  192.168.99.250:62238  172.16.40.12:62238  64.233.161.189:443  64.233.161.189:443
tcp  192.168.99.250:62747  172.16.40.12:62747  192.168.98.3:389    192.168.98.3:389
tcp  192.168.99.250:62751  172.16.40.12:62751  192.168.98.3:389    192.168.98.3:389
tcp  192.168.99.250:62752  172.16.40.12:62752  192.168.98.3:389    192.168.98.3:389
tcp  192.168.99.35:62838   192.168.99.35:62838 192.168.99.250:80   172.16.40.11:80
tcp  192.168.99.35:62839   192.168.99.35:62839 192.168.99.250:80   172.16.40.11:80
12-18-2014 12:07 AM
Hello
Hmm, I've just labbed this up and it works for me using domainless NAT.
Can you clear the NAT table and try again?
clear ip nat nvi translations *
Lanrtr#clear ip nat nvi translation *
Lanrtr#sh ip nat nvi translations
Pro  Source global         Source local        Destin local        Destin global
tcp  192.168.99.250:80     172.16.40.11:80     ---                 ---
Host#172.16.40.11 80
Trying 172.16.40.11, 80 ... Open
Host#192.168.99.250 80
Trying 192.168.99.250, 80 ... Open
Lanrtr#sh ip nat nvi translations
Pro  Source global         Source local        Destin local        Destin global
tcp  192.168.99.250:55257  172.16.40.3:55257   192.168.99.250:80   172.16.40.11:80
tcp  192.168.99.250:80     172.16.40.11:80     ---                 ---
*Dec 18 17:29:30.274: NAT: s=172.16.40.3->192.168.99.250, d=192.168.99.250 [63979]
*Dec 18 17:29:30.274: NAT: s=192.168.99.250, d=192.168.99.250->172.16.40.11 [63979]
*Dec 18 17:29:30.278: NAT: s=172.16.40.11->192.168.99.250, d=192.168.99.250 [35113]
*Dec 18 17:29:30.278: NAT: s=192.168.99.250, d=192.168.99.250->172.1
res
Paul
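Added example (not part of any post in this thread, and not Cisco tooling): a small Python check that reads "sh ip nat nvi translations" output and reports sessions where an inside host reached the inside server through its translated address. That is the entry present in the Lanrtr output above and absent from the Router01 output. The function names and the inside-network argument 172.16.40.0/24 are assumptions based on the addresses used in the thread.

```python
import ipaddress

COLS = ("pro", "src_global", "src_local", "dst_local", "dst_global")

def parse_nvi(text):
    """Parse rows of 'sh ip nat nvi translations' into dicts keyed by COLS."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip prompts, the header line and anything that is not a 5-column row.
        if len(fields) == 5 and fields[0] in ("tcp", "udp", "icmp"):
            rows.append(dict(zip(COLS, fields)))
    return rows

def _ip(endpoint):
    """Address part of an 'addr:port' column value."""
    return ipaddress.ip_address(endpoint.rsplit(":", 1)[0])

def hairpin_sessions(rows, inside_net):
    """Sessions from an inside host to an inside server via a translated address."""
    net = ipaddress.ip_network(inside_net)
    hits = []
    for r in rows:
        if r["dst_local"] == "---":
            continue  # the static mapping itself, not a session
        if (_ip(r["src_local"]) in net and _ip(r["dst_global"]) in net
                and r["dst_local"] != r["dst_global"]):
            # src_rewritten: the client's source address was translated too,
            # as in the "s=172.16.40.3->192.168.99.250" debug line.
            hits.append({**r, "src_rewritten": r["src_global"] != r["src_local"]})
    return hits

# Rows copied from the outputs posted in this thread.
LANRTR = """\
Pro Source global Source local Destin local Destin global
tcp 192.168.99.250:55257 172.16.40.3:55257 192.168.99.250:80 172.16.40.11:80
tcp 192.168.99.250:80 172.16.40.11:80 --- ---
"""
ROUTER01 = """\
tcp 192.168.99.250:80 172.16.40.11:80 --- ---
tcp 192.168.99.250:62194 172.16.40.12:62194 194.132.162.248:80 194.132.162.248:80
tcp 192.168.99.35:62838 192.168.99.35:62838 192.168.99.250:80 172.16.40.11:80
"""

if __name__ == "__main__":
    for name, out in (("Lanrtr", LANRTR), ("Router01", ROUTER01)):
        print(name, hairpin_sessions(parse_nvi(out), "172.16.40.0/24"))
```

An empty result for Router01 means the router never created a translation for the inside client's request to 192.168.99.250:80; the only translated sessions to the server come from 192.168.99.35 on the outside network.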
12-18-2014 12:07 AM
Hi,
I'm not sure I understand. This is my NAT rule for right now
ip nat source static tcp 172.16.40.11 80 192.168.99.250 80 extendable
I don't see how I can configure it like you wanted above. Shouldn't I start with the "Source local IP address", which should be the PC with IP 172.16.40.11?
Kind Regards, Tommy
EDIT: It didn't work to access the site even "externally" when I changed the:
ip nat source static tcp 172.16.40.11 80 192.168.99.250 80 extendable
To:
ip nat source static tcp 192.168.99.250 80 172.16.40.11 80
I really appreciate the help btw!
12-19-2014 01:02 AM
Oh sorry I didn't see the comment.
Here is my output:
Router01#clear ip nat nvi translation *
Router01#sh ip nat nvi translations
Pro  Source global         Source local        Destin local          Destin global
tcp  192.168.99.250:80     172.16.40.11:80     ---                   ---
icmp 192.168.99.250:1      172.16.40.13:1      8.8.8.8:1             8.8.8.8:1
udp  192.168.99.250:137    172.16.40.13:137    172.16.40.255:137     172.16.40.255:137
udp  192.168.99.250:55373  172.16.40.13:55373  8.8.8.8:53            8.8.8.8:53
tcp  192.168.99.250:57311  172.16.40.13:57311  192.168.99.17:12321   192.168.99.17:12321
tcp  192.168.99.250:57314  172.16.40.13:57314  192.168.99.17:12331   192.168.99.17:12331
tcp  192.168.99.250:57329  172.16.40.13:57329  192.168.101.28:10001  192.168.101.28:10001
tcp  192.168.99.250:57342  172.16.40.13:57342  192.168.99.17:12331   192.168.99.17:12331
tcp  192.168.99.250:57343  172.16.40.13:57343  173.194.71.113:443    173.194.71.113:443
Still doesn't work going from 172.16.40.12 to 192.168.99.250 on port 80.
When I go direct from 172.16.40.12 to 172.16.40.11 on port 80 it works.
I attached my config as well, if you can spot any difference to your own.
Kind regards, Tommy.
12-19-2014 03:40 AM
Hello
1) Is this a live environment, not a GNS lab, correct?
2) What are these: 192.168.99.17, 192.168.101.28?
3) This 192.168.99.254 is your WAN next hop, correct, not a recursive next hop?
The test I did for your issue was on real hardware, and attached is another lab I did for a previous post on GNS.
res
Paul
12-19-2014 07:20 AM
Hi and many thanks for all the help so far!
1) Yes it's live with a Cisco 2911 router, a layer 2 switch and a couple of windows 7 PCs.
2) Those are other PCs on the network. The 192.168.99.0/24 is my "external" network in my lab but also my usual LAN network for my PC.
3) Yes, 192.168.99.254 is my usual default gateway, so the traffic out from my lab environment is being double NATed.
I mean your setup looks kinda like mine, so I don't really get why it won't work. How I'm testing this is with a browser on a PC on the 192.168.99.0/24 network and a PC on 172.16.40.12, both trying to reach the NATed address of 192.168.99.250. On the external PC it works fine and on the internal one it doesn't. I'll give my config another look I guess, or did you see anything that might be of interest?
Super big thanks again from Sweden!