01-11-2018 07:37 AM - edited 03-05-2019 09:44 AM
Hello,
We have a router NATing a number of public IPs to internal private IPs. It works fine when connecting from outside the network, but fails when trying to connect from a different VLAN behind the same router on our internal network.
E.G.
This is from Internet which works fine:
tracert -d 85.13.140.202
Tracing route to 85.13.140.202 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms x.x.x.x
2 1 ms 2 ms <1 ms x.x.x.x
3 1 ms <1 ms <1 ms x.x.x.x
4 2 ms 1 ms 1 ms 62.255.158.211
5 6 ms 7 ms 4 ms 213.104.146.109
6 * * * Request timed out.
7 5 ms 5 ms 5 ms 80.0.0.86
8 47 ms 8 ms 230 ms 80.0.0.10
9 12 ms 12 ms 12 ms 62.252.29.56
10 12 ms 12 ms 12 ms 81.0.194.2
11 14 ms 12 ms 12 ms 85.13.140.202
12 12 ms 12 ms 12 ms 85.13.140.202
13 11 ms 11 ms 11 ms 85.13.140.202
Trace complete.
But when trying the same from the internal network:
>tracert 85.13.140.202
Tracing route to 85.13.140.202 over a maximum of 30 hops
1 3 ms <1 ms <1 ms 192.168.0.2
2 <1 ms <1 ms <1 ms 192.168.255.1
3 1 ms 1 ms 1 ms 192.168.244.1
4 1 ms <1 ms <1 ms 81.0.194.2
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
Router Config Looks like this:
!
interface GigabitEthernet0/1
description [ To Internet Gateway Router ]
ip address 81.0.194.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex full
speed auto
!
interface GigabitEthernet0/2
description [ Internal Interface ]
ip address 192.168.244.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat inside
ip virtual-reassembly in
duplex full
speed auto
!
ip nat inside source route-map internet interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.55.202 85.13.140.202 extendable
ip route 0.0.0.0 0.0.0.0 81.0.194.2
ip route 192.168.55.0 255.255.255.0 192.168.244.2
It looks like when traffic is going from the inside network, it gets routed out the internet interface instead of back inside the network?
Thanks
01-11-2018 09:22 AM - edited 01-11-2018 09:23 AM
Hello
You probably need to use NVI (domainless NAT) and something called hairpinning.
Try this:
no ip nat inside source route-map internet interface GigabitEthernet0/1 overload
no ip nat inside source static 192.168.55.202 85.13.140.202 extendable
ip nat source route-map internet interface GigabitEthernet0/1 overload
ip nat source static 192.168.55.202 85.13.140.202 extendable
int gig0/1
no ip nat outside
ip nat enable
no ip redirects
int gig0/2
no ip nat inside
ip nat enable
res
Paul
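Added example (not part of the thread and not Cisco code): a simplified Python model of the lookup order behind the failing inside trace and of what `ip nat enable` changes. It uses the addresses and routes from the posted config, models only the destination rewrite for the static entry, and leaves out source PAT because the `internet` route-map is not shown in the thread.

```python
import ipaddress

# Static entry from the posted config: inside global -> inside local.
STATIC = {"85.13.140.202": "192.168.55.202"}

# Routing table from the posted config: (prefix, egress interface, next hop).
# The 192.168.55.0/24 route resolves out Gi0/2 via the connected 192.168.244.0/24.
ROUTES = [
    ("192.168.244.0/24", "Gi0/2", "connected"),
    ("81.0.194.0/29", "Gi0/1", "connected"),
    ("192.168.55.0/24", "Gi0/2", "192.168.244.2"),
    ("0.0.0.0/0", "Gi0/1", "81.0.194.2"),
]

OUTSIDE_IF = "Gi0/1"  # carries 'ip nat outside' in the original config


def route(dst):
    """Longest-prefix match; returns (egress interface, next hop)."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), out_if, hop)
               for p, out_if, hop in ROUTES
               if addr in ipaddress.ip_network(p)]
    _, out_if, hop = max(matches, key=lambda m: m[0].prefixlen)
    return out_if, hop


def legacy_nat(in_if, dst):
    """Domain-based NAT ('ip nat inside' / 'ip nat outside').

    The static entry rewrites the destination only for packets that arrive
    on the outside interface. Packets arriving on an inside interface are
    routed first, on the original (public) destination.
    """
    if in_if == OUTSIDE_IF:
        dst = STATIC.get(dst, dst)
    out_if, hop = route(dst)
    return dst, out_if, hop


def nvi_nat(in_if, dst):
    """NVI ('ip nat enable'): no inside/outside domains.

    The packet is translated regardless of ingress interface and the
    routing lookup is done on the translated destination.
    """
    dst = STATIC.get(dst, dst)
    out_if, hop = route(dst)
    return dst, out_if, hop
```

In this model `legacy_nat("Gi0/2", "85.13.140.202")` leaves via Gi0/1 toward 81.0.194.2 with the public destination untouched, which matches hop 4 of the failing trace, while `nvi_nat` sends the same packet back out Gi0/2 toward 192.168.244.2.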
01-11-2018 11:39 PM - edited 01-11-2018 11:41 PM
Hi,
@paul driver I agree with you and this is a perfect answer to his query. But he will face a slow Internet speed issue after enabling "IP NAT Enable" on the interfaces.
I hope a good solution for him is to redirect the DNS entry (on the internal DNS server) to the private IP instead of the public IP.
Thanks,
Deepak Kumar
01-12-2018 02:47 AM
Hello Deepak
@Deepak Kumar wrote:
Hi,
@paul driver I agree with you and this is a perfect answer to his query. But he will face a slow Internet speed issue after enabling "IP NAT Enable" on the interfaces.
Can you elaborate on this please?
res
Paul
01-12-2018 03:30 AM
@paul driver wrote:
Hello Deepak
@Deepak Kumar wrote:
Hi,
@paul driver I agree with you and this is a perfect answer to his query. But he will face a slow Internet speed issue after enabling "IP NAT Enable" on the interfaces.
Can you elaborate on this please?
res
Paul
Hi,
@paul driver I tested the same in my lab and office. I didn't go into major troubleshooting due to some other pending tasks, but I found some articles on the same and they also reported the same issue. I am sharing a few links with you:
https://networkengineering.stackexchange.com/questions/25383/cisco-nat-hairpinning
https://layer77.net/2016/02/10/nat-hairpinning-on-cisco-isr/
If you have any update, please share it with us.
Thanks,
Deepak Kumar
01-13-2018 03:44 AM
'Hairpinning' was the keyword I was missing. I haven't implemented it yet but it's exactly what I was looking for.
Thanks!