02-18-2025 08:59 AM
I am running a Cisco Catalyst C8200 Router and I have a static IP address provided by my ISP. I have recently added a web server to my network and configured port forwards for external requests via the static IP.
But when any DHCP client from inside my network tries to visit the static IP, the request gets timed out.
I understand I have to set up an ip route to redirect any internal requests. How would I do that and what does that command look like?
02-18-2025 09:01 AM
Share config
MHM
02-18-2025 09:11 AM
Router#
*Feb 18 16:58:28.087: %SYS-5-CONFIG_I: Configured from console by consolesh run
Building configuration...
Current configuration : 10797 bytes
!
! Last configuration change at 22:28:28 IST Tue Feb 18 2025
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $SECRET
enable password <password>
!
no aaa new-model
clock timezone IST 5 30
!
!
!
!
!
!
!
ip dhcp pool LAN1
network 10.1.0.0 255.255.240.0
default-router 10.1.0.1
dns-server 10.1.0.2 8.8.8.8
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-123123123
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-123123123
revocation-check none
rsakeypair TP-self-signed-123123123
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-123123123
certificate self-signed 01
<Long Certificate Info>
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
<Long License Code>
quit
!
!
!
!
!
!
!
!
!
license udi pid C8200L-1N-4T sn FGL2719LFFL
license boot level network-advantage addon dna-advantage
license smart url default
license smart url cslu http://<license_ip_server>/cslu/v1/pi
license smart transport smart
memory free low-watermark processor 67522
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username <password> privilege 15 password 0 <password>
!
redundancy
mode none
!
!
crypto ikev2 proposal std-vpn-proposal
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy wan1-vpn-policy
match address local xxx.xxx.xxx.xxx
proposal std-vpn-proposal
crypto ikev2 policy wan2-vpn-policy
match address local xxx.xxx.xxx.xxx
proposal std-vpn-proposal
!
crypto ikev2 keyring wan1-vpn-keyring
peer xxx.xxx.xxx.xxx
address xxx.xxx.xxx.xxx
pre-shared-key XYZXYZXYZXYZ
!
!
crypto ikev2 keyring wan2-vpn-keyring
peer xxx.xxx.xxx.xxx
address xxx.xxx.xxx.xxx
pre-shared-key XYZXYZXYZXYZ
!
!
!
crypto ikev2 profile wan1-vpn-profile
match address local xxx.xxx.xxx.xxx
match identity remote address xxx.xxx.xxx.xxx 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local wan1-vpn-keyring
lifetime 3600
dpd 10 5 on-demand
!
crypto ikev2 profile wan2-hansiwan1-vpn-profile
match address local xxx.xxx.xxx.xxx
match identity remote address xxx.xxx.xxx.xxx 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local wan2-hansiwan1-vpn-keyring
lifetime 3600
dpd 10 5 on-demand
!
!
!
!
!
!
!
!
!
!
!
!
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256
mode tunnel
!
!
crypto ipsec profile wan1-vpn-IPsecProfile
set transform-set std-vpn-TransformSet
set ikev2-profile wan1-vpn-profile
!
crypto ipsec profile wan2-vpn-IPsecProfile
set transform-set std-vpn-TransformSet
set ikev2-profile wan2-vpn-profile
!
!
!
!
!
!
!
!
!
interface Tunnel15
ip address 169.254.0.6 255.255.255.255
ip tcp adjust-mss 1350
tunnel source Dialer2
tunnel mode ipsec ipv4
tunnel destination xxx.xxx.xxx.xxx
tunnel protection ipsec profile wan2-hansiwan1-vpn-IPsecProfile
!
interface GigabitEthernet0/0/0
ip address 10.1.0.1 255.255.240.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface Dialer2
mtu 1492
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1442
dialer pool 2
dialer-group 2
ppp authentication pap callin
ppp pap sent-username <username> password 0 <password>
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip nat inside source static tcp 10.1.0.3 80 xxx.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 10.1.0.3 443 xxx.xxx.xxx.xxx 443 extendable
ip nat inside source route-map wan2-nat interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 10.2.0.0 255.255.240.0 Tunnel15
!
!
!
ip access-list extended 100
10 permit ip 10.1.0.0 0.0.15.255 any
ip access-list extended 101
10 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
20 permit ip 10.1.0.0 0.0.15.255 10.2.0.0 0.0.15.255
!
route-map wan2-nat permit 10
match ip address 100
match interface Dialer2
!
snmp-server community cisco RO
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
password xxxxxxxxx
login
transport input ssh
line vty 5 14
password xxxxxxxxx
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
!
end
02-18-2025 09:26 AM
@varunoberoi This issue occurs because your internal clients are trying to reach your public static IP, but the router does not NAT hairpin (also known as NAT loopback) by default. Instead of using a static route, you need to configure NAT hairpin so that internal requests to the public IP get redirected to the internal server correctly.
To fix this, update your NAT configuration to allow internal traffic to be translated properly. Assuming your web server has an internal IP of 192.168.1.100 and your external interface is GigabitEthernet0/0, you can modify your NAT rules like this:
Then, ensure your LAN interface is marked as ip nat inside and the WAN interface as ip nat outside. If needed, you can also set up a local DNS override so internal clients resolve the server’s internal IP instead of the public one.
02-18-2025 09:46 AM
@varunoberoi
There @vishalbhandari is correct. You need to use NAT hairpinning to redirect internal requests back to the server.
Let me share my config also
#ip access-list extended NAT_HAIRPIN
permit tcp 10.1.0.0 0.0.15.255 host xxx.xxx.xxx.xxx eq 80
permit tcp 10.1.0.0 0.0.15.255 host xxx.xxx.xxx.xxx eq 443
#ip nat inside source list NAT_HAIRPIN interface Dialer2 overload
#ip nat inside source static tcp 10.1.0.3 80 xxx.xxx.xxx.xxx 80 extendable
#ip nat inside source static tcp 10.1.0.3 443 xxx.xxx.xxx.xxx 443 extendable
Thanks!
02-18-2025 11:44 AM
So I tried as recommended but the thing that finally worked was setting up a local DNS server. Thankfully we are on a domain controller so setting that up for all clients was simple enough. Thanks.
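The two approaches discussed in this thread (NAT hairpinning in the answers above, and the split-DNS override that finally worked) can be reasoned about from the posted running-config. The script below is an added example written for this page, not code from any participant or from Cisco: it parses a constructed excerpt of the config posted above, decides whether a LAN client's request to the public address would be translated under classic domain-based IOS NAT, and then shows the split-DNS answer an internal resolver returns. It goes slightly beyond the thread by encoding the general rule that classic NAT applies the static global-to-inside translation only to packets arriving on an `ip nat outside` interface, which is why a request from the `ip nat inside` LAN is never rewritten. The public address 203.0.113.10, the client addresses and the hostname are placeholders for the redacted values.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the running-config posted in this thread. The public
# address was redacted there (xxx.xxx.xxx.xxx); 203.0.113.10 is a placeholder.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 10.1.0.1 255.255.240.0
 ip nat inside
!
interface Dialer2
 ip address negotiated
 ip nat outside
!
ip nat inside source static tcp 10.1.0.3 80 203.0.113.10 80 extendable
ip nat inside source static tcp 10.1.0.3 443 203.0.113.10 443 extendable
ip nat inside source route-map wan2-nat interface Dialer2 overload
"""


def parse_nat_config(text):
    """Extract NAT roles per interface and the static port-forward entries.

    Returns (interfaces, static_maps) where
      interfaces  : {name: {"nat": "inside"|"outside"|None, "network": IPv4Network|None}}
      static_maps : [(proto, inside_ip, inside_port, global_ip, global_port), ...]
    """
    interfaces, static_maps, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"nat": None, "network": None}
        elif line == "!":
            current = None  # end of an interface stanza
        elif current and line.startswith("ip nat "):
            interfaces[current]["nat"] = line.split()[2]  # "inside" or "outside"
        elif current and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            # "ip address negotiated" (Dialer2) has one token and is skipped here
            interfaces[current]["network"] = ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", line):
            static_maps.append((m[1], m[2], int(m[3]), m[4], int(m[5])))
    return interfaces, static_maps


def ingress_interface(interfaces, src_ip):
    """Interface a packet from src_ip arrives on: a connected LAN subnet if one
    matches, otherwise the WAN (ip nat outside) interface."""
    src = ip_address(src_ip)
    for name, info in interfaces.items():
        if info["network"] and src in info["network"]:
            return name
    return next((n for n, i in interfaces.items() if i["nat"] == "outside"), None)


def hairpin_diagnosis(interfaces, static_maps, client_ip, dst_ip, dst_port):
    """Verdict on a TCP request from client_ip to the public dst_ip:dst_port."""
    mapping = next((m for m in static_maps if m[3] == dst_ip and m[4] == dst_port), None)
    if mapping is None:
        return {"translated": False, "reason": f"no static NAT entry for {dst_ip}:{dst_port}"}
    ingress = ingress_interface(interfaces, client_ip)
    role = interfaces.get(ingress, {}).get("nat")
    if role != "outside":
        # Classic domain NAT rewrites the global address only for packets that
        # arrive on an outside interface; a LAN-originated request is untouched,
        # so it is handled as traffic to the router's own WAN address and times out.
        return {"translated": False, "ingress": ingress,
                "reason": "request arrived on an ip-nat-inside interface; "
                          "static translation is not applied to inside-to-inside traffic"}
    return {"translated": True, "ingress": ingress,
            "inside_target": f"{mapping[1]}:{mapping[2]}"}


def split_dns_answer(hostname, client_ip, lan_networks, records):
    """Answer the way the internal DNS override does: LAN clients get the
    server's private address, everyone else gets the public one.
    records: {hostname: (internal_ip, public_ip)}"""
    internal, public = records[hostname]
    client = ip_address(client_ip)
    return internal if any(client in net for net in lan_networks) else public


if __name__ == "__main__":
    ifaces, maps = parse_nat_config(SAMPLE_CONFIG)
    print(hairpin_diagnosis(ifaces, maps, "10.1.0.50", "203.0.113.10", 443))   # LAN client: fails
    print(hairpin_diagnosis(ifaces, maps, "198.51.100.7", "203.0.113.10", 443))  # WAN client: OK
    lans = [i["network"] for i in ifaces.values() if i["nat"] == "inside" and i["network"]]
    records = {"www.example.com": ("10.1.0.3", "203.0.113.10")}  # constructed zone data
    print(split_dns_answer("www.example.com", "10.1.0.50", lans, records))
    print(split_dns_answer("www.example.com", "198.51.100.7", lans, records))
```

Running it reports the LAN client's request as untranslated with the reason above, the WAN client's request as forwarded to 10.1.0.3:443, and the split-DNS resolver handing 10.1.0.3 to the LAN client and 203.0.113.10 to the outside client. The same logic can be pointed at a full `show running-config` to confirm which interfaces carry `ip nat inside`/`ip nat outside` before attempting any hairpin change.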