NAT Problem from internal network

adrian.mulgrew
Level 1

Hello,

We have a router NATing a number of public IPs to internal private IPs. It works fine when connecting from outside the network, but fails when trying to connect from a different VLAN behind the same router on our internal network.

E.G.

This is from Internet which works fine:

tracert -d 85.13.140.202

Tracing route to 85.13.140.202 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms x.x.x.x
2 1 ms 2 ms <1 ms x.x.x.x
3 1 ms <1 ms <1 ms x.x.x.x
4 2 ms 1 ms 1 ms 62.255.158.211
5 6 ms 7 ms 4 ms 213.104.146.109
6 * * * Request timed out.
7 5 ms 5 ms 5 ms 80.0.0.86
8 47 ms 8 ms 230 ms 80.0.0.10
9 12 ms 12 ms 12 ms 62.252.29.56
10 12 ms 12 ms 12 ms 81.0.194.2
11 14 ms 12 ms 12 ms 85.13.140.202
12 12 ms 12 ms 12 ms 85.13.140.202
13 11 ms 11 ms 11 ms 85.13.140.202

Trace complete.

 

But when trying the same from the internal network:

>tracert 85.13.140.202

Tracing route to 85.13.140.202 over a maximum of 30 hops

1 3 ms <1 ms <1 ms 192.168.0.2
2 <1 ms <1 ms <1 ms 192.168.255.1
3 1 ms 1 ms 1 ms 192.168.244.1
4 1 ms <1 ms <1 ms 81.0.194.2
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.

 

Router Config Looks like this:
!
interface GigabitEthernet0/1
 description [ To Internet Gateway Router ]
 ip address 81.0.194.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed auto
!
interface GigabitEthernet0/2
 description [ Internal Interface ]
 ip address 192.168.244.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed auto
!

ip nat inside source route-map internet interface GigabitEthernet0/1 overload

ip nat inside source static 192.168.55.202 85.13.140.202 extendable

ip route 0.0.0.0 0.0.0.0 81.0.194.2
ip route 192.168.55.0 255.255.255.0 192.168.244.2

 

It looks like when traffic is going from inside network it gets routed out the internet interface instead of back inside the network?

 

Thanks

Accepted Solution

Hello

You probably need to use NVI (domainless NAT) and something called hairpinning.

Try this:

no ip nat inside source route-map internet interface GigabitEthernet0/1 overload
no ip nat inside source static 192.168.55.202 85.13.140.202 extendable
ip nat source route-map internet interface GigabitEthernet0/1 overload
ip nat source static 192.168.55.202 85.13.140.202 extendable

int gig0/1
 no ip nat outside
 ip nat enable
 no ip redirects

int gig0/2
 no ip nat inside
 ip nat enable

res

Paul

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
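
Added example (not part of the original thread and not Cisco code): a simplified Python model of the router's forwarding decision, using the routes and static mapping from the question's config, to show why the internal client's packets leave via 81.0.194.2 under inside/outside NAT and turn back toward 192.168.244.2 once both interfaces use `ip nat enable`. It assumes the static entry rewrites the destination only for packets arriving on the `ip nat outside` interface in the classic case and on any NAT-enabled interface with NVI; source translation and the `internet` route-map (not shown in the thread) are left out.

```python
import ipaddress

# Values taken from the router config in the question.
ROUTES = [  # (prefix, next hop, egress interface)
    ("0.0.0.0/0", "81.0.194.2", "Gi0/1"),
    ("192.168.55.0/24", "192.168.244.2", "Gi0/2"),
    ("81.0.194.0/29", "connected", "Gi0/1"),
    ("192.168.244.0/24", "connected", "Gi0/2"),
]
STATIC_NAT = {"85.13.140.202": "192.168.55.202"}   # global -> local
CLASSIC_ROLE = {"Gi0/1": "outside", "Gi0/2": "inside"}
NVI_ENABLED = {"Gi0/1", "Gi0/2"}                   # "ip nat enable" on both


def route(dst):
    """Longest-prefix match over ROUTES; returns (next hop, egress interface)."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh, ifc) for p, nh, ifc in ROUTES
               if addr in ipaddress.ip_network(p)]
    _, nh, ifc = max(matches, key=lambda m: m[0].prefixlen)
    return nh, ifc


def forward(dst, in_if, mode):
    """Return (destination after NAT, next hop, egress interface)."""
    if mode == "classic":
        # Assumption: destination rewrite only for packets from the outside side.
        translate = CLASSIC_ROLE.get(in_if) == "outside"
    elif mode == "nvi":
        # Assumption: rewrite happens before the final route lookup on any
        # NAT-enabled interface, so inside-to-inside traffic is covered.
        translate = in_if in NVI_ENABLED
    else:
        raise ValueError(f"unknown mode: {mode}")
    final = STATIC_NAT.get(dst, dst) if translate else dst
    nh, out_if = route(final)
    return final, nh, out_if


def is_hairpin(dst, in_if, mode):
    """True when the packet is sent back out the interface it arrived on."""
    return forward(dst, in_if, mode)[2] == in_if


if __name__ == "__main__":
    for mode in ("classic", "nvi"):
        print(mode, forward("85.13.140.202", "Gi0/2", mode))
```

In the classic case the model picks next hop 81.0.194.2, which is hop 4 of the failing internal tracert in the question.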

5 Replies

Hi,

@paul driver I agree with you and this is a perfect answer to his query. But he will face a slow Internet speed issue after enabling "IP NAT Enable" on interfaces.

I hope a good solution for him is to redirect the DNS entry (on the internal DNS server) to the private IP instead of the public IP.

 

Thanks,

Deepak Kumar

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello Deepak


@Deepak Kumar wrote:

Hi,

@paul driver I agree with you and this is a perfect answer to his query. But he will face a slow Internet speed issue after enabling "IP NAT Enable" on interfaces.

Can you elaborate on this please?

res

Paul


Hi,

 

@paul driver I tested the same in my lab and office. I didn't go into major troubleshooting due to some other pending tasks. But I found some articles on the same, and they also reported the same issue. I am sharing a few links with you:

https://networkengineering.stackexchange.com/questions/25383/cisco-nat-hairpinning

https://layer77.net/2016/02/10/nat-hairpinning-on-cisco-isr/

If you have any update, please share it with us.

 

Thanks,

Deepak Kumar 
 


'Hairpinning' was the keyword I was missing. I haven't implemented it yet but it's exactly what I was looking for.

Thanks!
