NAT reflection (NAT hairpin) on a Cisco Router

chartierpw
Level 1

Hi guys,

 

I'm relatively new to routers and how they work, and I've been struggling with this issue for months and cannot seem to solve it.  I want to access my web server via the public IP address on my internal network.  I know it can be done (apparently) by reading the discussion at this link:

 

https://supportforums.cisco.com/t5/wan-routing-and-switching/how-to-do-nat-reflection-nat-hairpin-on-a-cisco-1800-router/td-p/2754725

 

But I cannot get it working on my router.  Just so you know, I have no idea what I'm doing and I have figured things out by searching the internet for examples (I cannot even tell you what router I have and the version of the software on it, I just don't have any idea how to figure THAT out), but for this issue I'm going to need help.  I've read and reread on how things work and they may as well be written in Greek for all that I can understand, so trying to get me to understand how it all works is (apparently) useless.  In any event, if someone is willing to work with me in configuring my router I would be forever grateful.

 

My basic configuration is the Cisco router providing access to the internet, and all NAT translations are done on it.  I have a wireless Linksys router connected to the Cisco router, over which I connect my laptop and other devices that need to access my servers internally over the public IP address.  I cannot use the host table to solve this problem because the other devices do not have that capability and they would need to access the server via the public IP address; I currently use the host table on the laptop to access the servers from it but need to change that.  Can anyone walk me through this?

 

R/

Prescott ....

63 Replies

I'm quite sure it isn't the rtr but maybe the client; however, msg me and we'll sort something out. Wouldn't like to leave you without any resolution.



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,

 

I was able to figure it out.  I needed to add the command "no ip redirects" to each IP-enabled interface.  I can now access my servers from inside my local intranet using the public IP address!!  Whoo Hoo!!

 

R/

Prescott ...

I have no idea what a "GNS3" is or how to get one.  I have never used a router simulator.

 

R/

Prescott ...

Hi All

 

I've got a similar issue, trying to hit the public IP (which is given to me via DHCP from my ISP) of my translated server.

 

It has a private IP of 192.168.0.141, but all hosts, LAN and WAN, need to hit its NATted IP.

 

I've enabled NVI but still am unable to access it :(

 

IP redirects is off.

 

Cheers

Hello

Can you post the configuration of your router, please?



Kind Regards
Paul

Thanks for the fast reply Paul.

 

See attached

 

ip dhcp excluded-address 192.168.0.1 192.168.0.20
ip dhcp excluded-address 192.168.0.142 192.168.0.254
ip dhcp excluded-address 192.168.0.50 192.168.0.109
ip dhcp excluded-address 192.168.0.111 192.168.0.140
!
ip dhcp pool LAN
 network 192.168.0.0 255.255.255.0
 dns-server 202.142.142.142 192.168.0.254
 default-router 192.168.0.254
 lease infinite
!
ip dhcp pool STATIC
 host 192.168.0.141 255.255.255.0
 client-identifier 011c.cae3.7106.fd
 client-name Doorbird
 default-router 192.168.0.254
!
!
!
ip domain name dastrix80
ip host dastrix80.ddns.net 192.168.0.254
ip host grafana80.ddns.net 192.168.0.3
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
!
!
voice service voip
 ip address trusted list
  ipv4 0.0.0.0 0.0.0.0
 allow-connections sip to sip
 h323
  call service stop
 sip
 registrar server expires max 1200 min 300
!
!
!
!
voice register global
 mode cme
 source-address 192.168.0.254 port 5060
 max-dn 10
 max-pool 10
 auto-register
 !
!
voice register dn  1
 number 1001
 name Doorbird
!
voice register dn  2
 number 1002
 name Note8
!
voice register dn  3
 number 1003
 name Laptop
!
voice register pool  1
 id mac 1CCA.E371.06FD
 number 1 dn 1
 username 1001 password 456456
 codec g711ulaw
!
voice register pool  2
 id mac 04D6.AA29.649C
 number 1 dn 2
 username 1002 password 789789
 codec g711ulaw
!
voice register pool  3
 id mac 0011.1111.1111
 number 1 dn 3
 username 1003 password 123123
 codec g711ulaw
!
bridge-domain 1
 member GigabitEthernet0/1 service-instance 1
!
!
!
!
class-map type inspect match-any WAN-to-LAN
 match access-group name VOIP
 match access-group name RDP
 match access-group name SSH
 match protocol sip
 match access-group name HTTP-HTTPS
 match protocol rtsp
class-map type inspect match-all LAN-to-WAN
 match access-group name LAN-to-WAN
!
policy-map type inspect WAN-to-LAN
 description "Permits inbound to LAN from WAN"
 class type inspect WAN-to-LAN
  inspect
 class class-default
  drop
policy-map type inspect LAN-to-WAN
 description "Permits all traffic from the LAN to the WAN"
 class type inspect LAN-to-WAN
  inspect
 class class-default
  drop
!
zone security LAN
 description "Towards 192.168.0.x"
zone security WAN
 description "Towards NBN"
zone-pair security LAN-to-WAN source LAN destination WAN
 description "Ties the LAN to the WAN"
 service-policy type inspect LAN-to-WAN
zone-pair security WAN-to-LAN source WAN destination LAN
 description "Protect WAN interface"
 service-policy type inspect WAN-to-LAN
!
!
bridge irb
!
!
!
!
interface Loopback0
 no ip address
!
interface Embedded-Service-Engine0/0
 no ip address
 service-module enable
!
interface GigabitEthernet0/0
 description "NBN HFC Aussie BroadBand 100/40"
 ip address dhcp
 no ip redirects
 ip nat enable
 zone-member security WAN
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description "Local LAN 192.168.0.0/24"
 no ip address
 no ip redirects
 ip nat enable
 zone-member security LAN
 duplex auto
 speed 1000
 bridge-group 1
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 description "Link to Gig-SW-Module"
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/1
 description Internal switch interface connected to EtherSwitch Service Module
 no ip address
!
interface ucse4/0
 description "Link to UCS-E-140D"
 no ip address
 service-module heartbeat-reset disable
 imc ip address 192.168.0.6 255.255.255.0 default-gateway 192.168.0.254
 imc access-port dedicated
!
interface ucse4/1
 no ip address
!
interface Vlan1
 description "Link to the 192.168.0.x LAN"
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 ip nat enable
 zone-member security LAN
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
no ip ftp passive
ip ftp source-interface GigabitEthernet0/1
ip ftp username kris
ip ftp password 7 030F490215
ip dns server
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat source static tcp 192.168.0.3 3001 interface GigabitEthernet0/0 3001
ip nat source static tcp 192.168.0.2 443 interface GigabitEthernet0/0 6164
ip nat source static tcp 192.168.0.4 3389 interface GigabitEthernet0/0 6169
ip nat source static tcp 192.168.0.3 3000 interface GigabitEthernet0/0 3000
ip nat source static tcp 192.168.0.3 22 interface GigabitEthernet0/0 6165
ip nat source static tcp 192.168.0.4 82 interface GigabitEthernet0/0 6166
ip nat source static tcp 192.168.0.254 5060 interface GigabitEthernet0/0 5060
ip nat source list LAN-NAT interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.0.141 80 interface GigabitEthernet0/0 6168
ip nat source static tcp 192.168.0.10 3389 interface GigabitEthernet0/0 6150
ip nat source static tcp 192.168.0.3 8080 interface GigabitEthernet0/0 6170
ip ssh source-interface Vlan1
ip ssh rsa keypair-name ssh
ip ssh version 2
!
ip access-list extended HTTP-HTTPS
 permit tcp any host 192.168.0.141 eq www
 permit tcp any host 192.168.0.3 eq 8080
 permit tcp any host 192.168.0.3 eq 3001
 permit tcp any host 192.168.0.4 eq 82
 permit tcp any host 192.168.0.3 eq www
 permit tcp any host 192.168.0.2 eq 443
 permit tcp any host 192.168.0.3 eq 6170
ip access-list extended LAN-NAT
 remark NATs all the LAN hosts to the WAN
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended RDP
 remark Permits RDP to BlueIris & Laptop
 permit tcp any host 192.168.0.4 eq 3389
 permit tcp any host 192.168.0.10 eq 3389
ip access-list extended SSH
 permit tcp any host 192.168.0.3 eq 22
ip access-list extended VOIP
 permit tcp any host 203.129.27.127
 permit udp any host 203.129.27.127
 permit tcp any host 192.168.0.254 eq 5060
 permit udp any host 192.168.0.254 eq 5060
 permit udp any host 192.168.0.254 range 16384 16390
!
!
nls resp-timeout 1



Hello

Your NAT statements look okay; I am more inclined to think it's the ZBFW prohibiting the connection.

 

Can you amend the class-map type inspect match-all LAN-to-WAN so it will match on any traffic specified within it?

class-map type inspect match-any LAN-to-WAN, and then include the following:

class-map type inspect match-any LAN-to-WAN
 match access-group name LAN-to-WAN
 match protocol https
 match protocol http

Naturally you will have to remove the class-map from the policy-map beforehand.



Kind Regards
Paul

Thanks Paul

The issue remains.

New config:


!
class-map type inspect match-any WAN-to-LAN
 match access-group name VOIP
 match access-group name RDP
 match access-group name SSH
 match protocol sip
 match access-group name HTTP-HTTPS
 match protocol rtsp
class-map type inspect match-any LAN-to-WAN
 match access-group name LAN-to-WAN
 match protocol https
 match protocol http
!
policy-map type inspect WAN-to-LAN
 description "Permits inbound to LAN from WAN"
 class type inspect WAN-to-LAN
  inspect
 class class-default
  drop
policy-map type inspect LAN-to-WAN
 description "Permits all traffic from the LAN to the WAN"
 class class-default
  drop
!
zone security LAN
 description "Towards 192.168.0.x"
zone security WAN
 description "Towards NBN"
zone-pair security LAN-to-WAN source LAN destination WAN
 description "Ties the LAN to the WAN"
 service-policy type inspect LAN-to-WAN
zone-pair security WAN-to-LAN source WAN destination LAN
 description "Protect WAN interface"
 service-policy type inspect WAN-to-LAN
!
!

Hello

I forgot to ask: does NAT work for all other translations?

 

show ip nat nvi translations

 

Could you also try and add the protocol http in the WAN-to-LAN class-map and test?

 

Also, just to confirm whether or not it's an IOS FW issue, is it possible for you to remove the ZBFW and test if it works then without the IOS FW?



Kind Regards
Paul

Hi Paul

 

It works for the translations outbound from the PCs and so on. Nothing works inbound (i.e. an RDP session from a 4G mobile host to an internal server, or a connection to the public IP of an internal server).

 

I've removed the zone FW, but I cannot access the internal host using its public IP.

 

Not sure if doing the NAT on the VLAN is OK; I do this as the 3945 has a 24-port switch module internally.


3945-KK#show ip nat nvi translations
Pro Source global      Source local       Destin  local      Destin  global
tcp 203.129.27.127:6170 192.168.0.3:8080  ---                ---
tcp 203.129.27.127:52792 192.168.0.4:52792 64.233.188.125:5222 64.233.188.125:5222
tcp 203.129.27.127:52894 192.168.0.4:52894 40.69.218.62:443  40.69.218.62:443
tcp 203.129.27.127:41793 192.168.0.5:41793 104.199.240.232:4070 104.199.240.232:4070
tcp 203.129.27.127:41794 192.168.0.5:41794 104.199.240.232:4070 104.199.240.232:4070
tcp 203.129.27.127:41800 192.168.0.5:41800 104.199.240.232:4070 104.199.240.232:4070
tcp 203.129.27.127:6150 192.168.0.10:3389 ---                ---
udp 203.129.27.127:49340 192.168.0.10:49340 202.142.142.142:53 202.142.142.142:53
udp 203.129.27.127:49355 192.168.0.10:49355 202.142.142.142:53 202.142.142.142:53
udp 203.129.27.127:49412 192.168.0.10:49412 202.142.142.142:53 202.142.142.142:53
udp 203.129.27.127:49417 192.168.0.10:49417 202.142.142.142:53 202.142.142.142:53
udp 203.129.27.127:49473 192.168.0.10:49473 202.142.142.142:53 202.142.142.142:53
udp 203.129.27.127:49499 192.168.0.10:49499 202.142.142.142:53 202.142.142.142:53
udp 203.129.27.127:49582 192.168.0.10:49582 202.142.142.142:53 202.142.142.142:53
udp 203.129.27.127:49696 192.168.0.10:49696 202.142.142.142:53 202.142.142.142:53
tcp 203.129.27.127:49767 192.168.0.10:49767 64.233.188.189:443 64.233.188.189:443
tcp 203.129.27.127:49780 192.168.0.10:49780 157.240.8.38:443 157.240.8.38:443
tcp 203.129.27.127:49804 192.168.0.10:49804 157.240.8.18:443 157.240.8.18:443
udp 203.129.27.127:49804 192.168.0.10:49804 202.142.142.142:53 202.142.142.142:53
tcp 203.129.27.127:49806 192.168.0.10:49806 34.213.135.138:443 34.213.135.138:443
tcp 203.129.27.127:49850 192.168.0.10:49850 157.240.8.23:443 157.240.8.23:443
udp 203.129.27.127:49851 192.168.0.10:49851 202.142.142.142:53 202.142.142.142:53
udp 203.129.27.127:49856 192.168.0.10:49856 202.142.142.142:53 202.142.142.142:53
udp 203.129.27.127:49868 192.168.0.10:49868 202.142.142.142:53 202.142.142.142:53
udp 203.129.27.127:49885 192.168.0.10:49885 202.142.142.142:53 202.142.142.142:53

Some very odd behaviour going on.

 

Some entries appear to work.

 

I can get to one host using its Public IP and PAT port, 6170 without issue. When I turn the ZBF back on, it fails.

 

A lot of the others are not working.

 


3945-KK#show ip nat nvi trans tcp | inc 6170
tcp 66.102.6.46:39123  66.102.6.46:39123  203.129.27.127:6170 192.168.0.3:8080
tcp 66.102.6.46:64046  66.102.6.46:64046  203.129.27.127:6170 192.168.0.3:8080
tcp 66.102.6.48:61240  66.102.6.48:61240  203.129.27.127:6170 192.168.0.3:8080
tcp 66.102.6.48:63716  66.102.6.48:63716  203.129.27.127:6170 192.168.0.3:8080
tcp 66.102.6.50:53021  66.102.6.50:53021  203.129.27.127:6170 192.168.0.3:8080
tcp 66.102.6.50:55573  66.102.6.50:55573  203.129.27.127:6170 192.168.0.3:8080
tcp 66.102.6.50:56512  66.102.6.50:56512  203.129.27.127:6170 192.168.0.3:8080
tcp 66.102.6.50:64770  66.102.6.50:64770  203.129.27.127:6170 192.168.0.3:8080
tcp 66.102.6.167:62080 66.102.6.167:62080 203.129.27.127:6170 192.168.0.3:8080
tcp 66.102.6.169:40530 66.102.6.169:40530 203.129.27.127:6170 192.168.0.3:8080
tcp 203.129.27.127:6170 192.168.0.3:8080  ---                ---
tcp 203.129.27.127:51444 192.168.0.10:51444 203.129.27.127:6170 192.168.0.3:8080
tcp 203.129.27.127:51445 192.168.0.10:51445 203.129.27.127:6170 192.168.0.3:8080
tcp 203.129.27.127:51446 192.168.0.10:51446 203.129.27.127:6170 192.168.0.3:8080
tcp 203.129.27.127:51447 192.168.0.10:51447 203.129.27.127:6170 192.168.0.3:8080
tcp 203.129.27.127:51448 192.168.0.10:51448 203.129.27.127:6170 192.168.0.3:8080
tcp 203.129.27.127:51449 192.168.0.10:51449 203.129.27.127:6170 192.168.0.3:8080
tcp 203.129.27.127:51472 192.168.0.10:51472 203.129.27.127:6170 192.168.0.3:8080
tcp 203.129.27.127:51488 192.168.0.10:51488 203.129.27.127:6170 192.168.0.3:8080
tcp 203.129.27.127:58158 192.168.0.23:58158 203.129.27.127:6170 192.168.0.3:8080
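
Added helper, not part of the thread, for reading NVI translation output like that posted above: it parses "show ip nat nvi translations" rows and tells hairpin flows (source and destination both rewritten, i.e. a LAN host that reached the public IP) apart from plain outbound PAT, Internet-side inbound flows and the static mapping entries themselves. The sample output and its addresses are constructed; the column meaning is taken from the posted output, where the third column is the address the client sent to and the fourth the address after translation.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of "show ip nat nvi translations" (documentation-range addresses).
SAMPLE_OUTPUT = """\
Pro Source global      Source local       Destin  local      Destin  global
tcp 203.0.113.10:6168  192.168.0.141:80   ---                ---
tcp 203.0.113.10:51849 192.168.0.10:51849 203.0.113.10:6168  192.168.0.141:80
tcp 203.0.113.10:51850 192.168.0.10:51850 203.0.113.10:6168  192.168.0.141:80
tcp 203.0.113.10:52792 192.168.0.4:52792  198.51.100.5:5222  198.51.100.5:5222
udp 203.0.113.10:49340 192.168.0.10:49340 198.51.100.9:53    198.51.100.9:53
tcp 198.51.100.7:39123 198.51.100.7:39123 203.0.113.10:6170  192.168.0.3:8080
"""

# proto, source global, source local, destination as sent, destination after translation
ROW = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_nvi_translations(text):
    """Return one dict per translation row; header and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            proto, src_global, src_local, dst_sent, dst_xlated = m.groups()
            rows.append({"proto": proto, "src_global": src_global, "src_local": src_local,
                         "dst_sent": dst_sent, "dst_xlated": dst_xlated})
    return rows

def classify(row):
    """Label a row by which halves of the flow NVI rewrote."""
    if row["dst_sent"] == "---":
        return "static-mapping"      # the 'ip nat source static' entry itself, no live flow
    src_rewritten = row["src_global"] != row["src_local"]
    dst_rewritten = row["dst_sent"] != row["dst_xlated"]
    if src_rewritten and dst_rewritten:
        return "hairpin"             # LAN host spoke to the public IP; both ends translated
    if src_rewritten:
        return "outbound-pat"        # ordinary overload flow towards the Internet
    if dst_rewritten:
        return "inbound-from-wan"    # Internet client reaching a port forward
    return "untranslated"

def summarize(text):
    """Count each class and list, per public socket, the internal sockets hairpin flows reached."""
    rows = parse_nvi_translations(text)
    counts = Counter(classify(r) for r in rows)
    hairpins = defaultdict(set)
    for r in rows:
        if classify(r) == "hairpin":
            hairpins[r["dst_sent"]].add(r["dst_xlated"])
    return counts, {public: sorted(internal) for public, internal in hairpins.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
```

A hairpin row being present only shows that the router built the translation; whether the flow then passes the ZBFW is a separate question, which is why the thread tests with the firewall off.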

Hello

Okay, whilst we troubleshoot this, can you keep the ZBFW off?

 

Can you add the following:

 

ip route 0.0.0.0 0.0.0.0 gig0/0 dhcp

bridge 1 protocol ieee

bridge 1 route ip

 



Kind Regards
Paul

Hi Paul

 

Sure, I'll keep it off.

 

Added the route, no change. The host on 6170 continues to work, the others fail.

 


3945-KK#show ip nat nvi translations tcp | inc 6168
tcp 203.129.27.127:51849 192.168.0.10:51849 203.129.27.127:6168 192.168.0.141:80
tcp 203.129.27.127:51850 192.168.0.10:51850 203.129.27.127:6168 192.168.0.141:80
tcp 203.129.27.127:51851 192.168.0.10:51851 203.129.27.127:6168 192.168.0.141:80
tcp 203.129.27.127:51852 192.168.0.10:51852 203.129.27.127:6168 192.168.0.141:80
tcp 203.129.27.127:6168 192.168.0.141:80  ---                ---
3945-KK#show ip nat nvi trans tcp | inc 6170
tcp 1.129.111.232:7991 1.129.111.232:7991 203.129.27.127:6170 192.168.0.3:8080
tcp 203.129.27.127:6170 192.168.0.3:8080  ---                ---
tcp 203.129.27.127:51703 192.168.0.10:51703 203.129.27.127:6170 192.168.0.3:8080
tcp 203.129.27.127:51745 192.168.0.10:51745 203.129.27.127:6170 192.168.0.3:8080
tcp 203.129.27.127:51848 192.168.0.10:51848 203.129.27.127:6170 192.168.0.3:8080
tcp 203.129.27.127:58158 192.168.0.23:58158 203.129.27.127:6170 192.168.0.3:8080
3945-KK#

Hi Paul

 

So I took off the static entries and re-added them one by one, testing them. So far so good: from my mobile on the wireless network, I can hit the hosts with the ZBF off.

 

Now for the ZBF issue.

Hello

Okay, add the match protocols to the WAN-to-LAN class-map; make sure they are at the top of the class-map.

 

Then:

clear ip nat nvi translation *

clear ip arp

 



Kind Regards
Paul