
Loopback, inside-inside NAT, NAT on Stick configurations for server access with Public IP

Hi All.

I've run into this problem and I'm not sure how to configure it properly, so I'd very much appreciate help from the experts. I was reading Cisco's manual about NAT on a Stick configuration, inside-inside NAT and many discussions, but I'm still not sure how to implement it in my case.

Below you can find an attached file with the network diagram.

The problem is that users in the office have iPhones, so they connect to the office LAN by Wi-Fi to connect to the Exchange Server ( to get their e-mails, but they can't because the iPhone Exchange connection is configured with the Public IP ( They can connect to Exchange if they use an outside internet connection or the 3G data connection on the iPhones, but not the local connection. The PCs and laptops (using the Wi-Fi connection) can connect to Exchange internally without problems. Before that they had a Netgear router which was configured with a Loopback for that.

The existing network is fully operational, so I can't really play around as people work there; I need to be sure that when I add my Loopback configuration there will be no disruption.

The existing router configuration:

887#sh ip int brie
Interface                  IP-Address      OK? Method Status                 Protocol
ATM0                       unassigned      YES NVRAM  up                     up
Cellular0                  unassigned      YES NVRAM  standby mode           down
Dialer0                    unassigned      YES NVRAM  up                     up
Dialer1                                    YES IPCP   up                     up
Dialer2                    unassigned      YES IPCP   up                     up
FastEthernet0              unassigned      YES unset  up                     down
FastEthernet1              unassigned      YES unset  up                     down
FastEthernet2              unassigned      YES unset  up                     down
FastEthernet3              unassigned      YES unset  up                     down
NVI0                       unassigned      YES unset  administratively down  down
Virtual-Access1            unassigned      YES unset  up                     up
Vlan1                                      YES NVRAM                         up

887#sh run

interface FastEthernet0

interface FastEthernet1

interface FastEthernet2

interface FastEthernet3
 description Trunk to Switch
 switchport mode trunk

interface Vlan1
 description **LAN**$FW_INSIDE$
 ip address
 ip nat inside
 ip virtual-reassembly in

ip local policy route-map track-primary-if
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server

ip nat inside source route-map nat2cell interface Dialer2 overload
ip nat inside source route-map nat2dsl interface Dialer1 overload
ip nat inside source static tcp 25 25 extendable
ip nat inside source static tcp 443 443 extendable

ip route Dialer1 track 1
ip route Dialer2 100

ip access-list extended no-nat
 remark *** Internet NAT Service ***
 permit ip any

route-map track-primary-if permit 10
 match ip address 103
 set interface Dialer0 Dialer1

route-map nat2dsl permit 10
 match ip address no-nat
 match interface Dialer1

route-map nat2cell permit 10
 match ip address no-nat
 match interface Dialer2

route-map static-no-nat permit 20
 match ip address static-no-nat

If I add this Loopback configuration, will it work? Or do I need to re-configure the VLAN, Fa0/3 or NVI interfaces?

int Loopback0
 ip address
 ip nat outside
 ip virtual-reassembly

int VLAN1
 ip address secondary
 ip address
 ip nat inside
 ip policy route-map NAT-loop

ip nat pool external netmask
ip nat inside source list 10 pool external overload
ip nat inside source static

access-list 10 permit
access-list 102 permit ip any
access-list 102 permit ip any

route-map NAT-loop permit 10
 match ip address 102
 set interface Loopback0

I saw that many NAT on a stick configurations use an Ethernet interface, but I have a VLAN interface. I'm not sure whether I need to re-configure that to a Fa or NVI interface, and how?

Any help will be highly appreciated.


P.S. Firstly, I tried the NVI0 interface config, replacing ip nat (inside/outside) with ip nat enable, but it didn't work, as NVI0 is shut down and I can't bring it up.

My second attempt was to configure subinterfaces on the Fa3 port, but it didn't allow me to do that.

Thirdly, if I configure a Loopback0 interface, I can't use some commands like #ip policy route-map NAT; #int vlan1 - for the second IP address.

Glenn Matthys

Although you could "fix" it using NAT, the correct way to configure Exchange is to allow it to be accessible via the internal network. Exchange has provisions to do that. Configuring Exchange in that manner is beyond this forum though.

Neeraj Arora

In my view, the scenario of accessing the Exchange server using the public IP when sitting on the inside LAN is not possible with Cisco routers.

This can work if you can configure a one-to-one static NAT mapping for the Exchange server's private IP, because then DNS doctoring will happen for the DNS response and the iPhones will actually receive the private IP address of the Exchange server. And for this you need to have another IP address than your outside interface's physical IP. It would look something like this:

ip nat inside source static

But other than that, NAT on a stick does not always work well and is not officially supported by Cisco either. I have seen many Cisco TAC cases for this, and every time it's the same answer.

Another point I would like to make here is: using a loopback interface and manipulating the traffic, you might be able to reach the Exchange server, BUT the problem will ALWAYS come with the return traffic. I have tried to find a workaround for this many times and could not control the return traffic in any way. And yes, some third-party devices like Netgear routers will be able to accomplish this with much ease.

P.S.: FYI, a Cisco ASA firewall can make it happen using the hairpinning technique, but routers cannot.

Check the following documents for more information:

Hope it helps
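To make the return-traffic point above concrete, here is an added simulation (not code from the thread, and not IOS configuration): it models the three ways the router can treat a LAN client's packet to the server's public address, and checks which one the client's own socket would accept. All addresses are constructed from documentation ranges, the router behaviour in mode `none` (inside-to-inside traffic to the router's own public address is not translated) is a modelling assumption about classic IOS NAT, and the hairpin port is an arbitrary constructed value.

```python
"""Toy model of hairpin (NAT-on-a-stick) traffic on a one-router LAN.

Constructed example, not IOS code: it models only the address/port rewrites
and the "is the next hop on my own subnet" routing decision, to show why a
LAN client's session to the server's public IP only completes when the router
rewrites BOTH the destination (static NAT) and the source (hairpin/overload).
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addresses (documentation ranges), not the poster's real ones.
LAN = ip_network("192.168.1.0/24")
ROUTER_LAN_IP = "192.168.1.1"
SERVER_IP = "192.168.1.20"      # Exchange server, private side of the static NAT
CLIENT_IP = "192.168.1.50"      # iPhone on office Wi-Fi
PUBLIC_IP = "203.0.113.10"      # the single public address on the Dialer interface
HAIRPIN_PORT = 30000            # constructed PAT port picked by the router


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> Packet:
        """The packet a host sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def on_lan(ip: str) -> bool:
    return ip_address(ip) in LAN


class Router:
    """mode: 'none'    - static NAT only; inside->inside traffic is never translated
             'dnat'    - rewrite only the destination on the way to the server
             'hairpin' - rewrite destination AND source, keep state for the reply
    """

    def __init__(self, mode: str):
        self.mode = mode
        self.sessions: dict[tuple[str, int], Packet] = {}  # (server, pat port) -> original

    def inside_to_server(self, pkt: Packet) -> Packet | None:
        """A LAN host's packet addressed to the public IP. Returns what the
        server receives, or None if the router does not forward it."""
        if pkt.dst != PUBLIC_IP:
            return None
        if self.mode == "none":
            # Destined to the router's own address and no NAT boundary is
            # crossed (assumption: classic IOS NAT), so the packet is handed to
            # the router's own stack, which runs no service on port 443.
            return None
        out = replace(pkt, dst=SERVER_IP)            # static NAT: public -> private
        if self.mode == "hairpin":
            # Overload the source onto the router's LAN address so the server's
            # reply is routed back to the router instead of straight to the client.
            self.sessions[(SERVER_IP, HAIRPIN_PORT)] = pkt
            out = replace(out, src=ROUTER_LAN_IP, sport=HAIRPIN_PORT)
        return out

    def server_reply_to_inside(self, reply: Packet) -> Packet | None:
        """Untranslate a server reply that actually reached the router."""
        original = self.sessions.get((reply.src, reply.dport))
        if original is None:
            return None
        return Packet(PUBLIC_IP, original.dport, original.src, original.sport)


def run_session(mode: str) -> tuple[bool, Packet | None]:
    """Simulate one request/reply and report whether the client accepts the reply."""
    router = Router(mode)
    sent = Packet(CLIENT_IP, 40000, PUBLIC_IP, 443)
    at_server = router.inside_to_server(sent)
    if at_server is None:
        return False, None
    reply = at_server.reply()
    # Routing decision on the server: a destination on its own subnet (other
    # than the router itself) is delivered directly via ARP, bypassing the router.
    if on_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        received: Packet | None = reply
    else:
        received = router.server_reply_to_inside(reply)
    if received is None:
        return False, None
    # The client's socket only matches a reply that comes from the 4-tuple it opened.
    return received == sent.reply(), received


if __name__ == "__main__":
    for mode in ("none", "dnat", "hairpin"):
        accepted, got = run_session(mode)
        print(f"{mode:8s} client accepts reply: {accepted}  reply seen: {got}")
```

In `dnat` mode the server answers the client's private address directly, so the client sees a reply from 192.168.1.20 while its socket is waiting on 203.0.113.10 and discards it; this is the uncontrollable return path described above. Only `hairpin` mode, where the forwarded packet's source is also rewritten to an address the router owns, pulls the reply back through the router so it can be untranslated.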


Hi Guys.

Thank you for your replies.

I'll try all your suggestions when I go on site next time.

Glenn: I can't use DNS doctoring or internal/external DNS on the server, as they have an SBS Server which does not allow putting its own IP address in for DNS forwarding. This is what I get from their IT guy:

"Was only able to add the router ( as a DNS to the forwarders on the SBS DNS, would not allow me to add its own IP address.

I know that on the Sonicwall it does not matter about DNS, I have to put in a loop-back rule to make this work.
OR in Zyxel I have to change the rule from WAN to LAN."

Neeraj: So why can a Netgear or Sonicwall do this job with one click, and a Cisco router cannot?

They have only one Public IP, so I can't use your rule.

Kristian: I'll try your suggestion to use IP NAT ENABLE again. But should NVI0 be up? I can't bring it up.

Thanks a lot.