New Member

NAT HAIRPINNING

Hi! Who can paste a sample of a NAT hairpinning running config for Cisco IOS?

Thanks.

Gigi

Cisco Employee

Re: NAT HAIRPINNING

Luigi,

Here you go:

ip access-list standard PBR
 permit 10.0.1.0 0.0.0.255
!
route-map PBRNAT permit 10
 match ip address PBR
 set interface Loopback0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0 secondary
 ip address 10.0.1.1 255.255.255.0
 ip nat outside
 ip policy route-map PBRNAT
!
ip nat pool NATPOOL 192.0.2.11 192.0.2.20 prefix-length 24
ip nat inside source list PBR pool NATPOOL overload

Alternatively, the new way of configuring NAT-on-a-stick using a so-called NVI is as follows:

interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0 secondary
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 ip nat enable
!
ip nat pool NATPOOL 192.0.2.11 192.0.2.20 prefix-length 24
ip nat source list NAT pool NATPOOL overload
!
ip access-list standard NAT
 permit 10.0.1.0 0.0.0.255

While these simple examples should be self-explanatory, please feel welcome to ask further.

Best regards,

Peter

New Member

Re: NAT HAIRPINNING

Dear Peter,

Finally I've found a person who doesn't look at me as crazy when I talk about hairpinning!! :-D

That's great!!

First, I want to thank you for your fast answer and the probable solution. But before I apply changes to my router configuration, because it is a production router, I would like to ask you a couple of other things that are unclear to me.

For example, I made a draft of my topology and drew what I need to do in that topology:

[attachment: NAT Hairpin.jpg]

With this scenario, I would like to reach my web server from my internal LAN on the public IP of the web server (in this case 10.10.10.154). As we know, with a "normal" configuration my HTTP request fails, because my request to 10.10.10.154 from 192.168.100.10 goes to the router, which knows that 10.10.10.154 is statically NATted to 192.168.100.254, so it routes our packet directly to 192.168.100.254 without going out of our LAN. The web server sees the HTTP request from 192.168.100.10 and replies directly to that IP. The 3-way handshake fails because our PC expects a reply from 10.10.10.154 and not from 192.168.100.254.

Now... this is my configuration:

-- omitted --
interface FastEthernet0/0
 ip address 10.10.10.146 255.255.255.240
 ip nat outside
 ip virtual-reassembly max-reassemblies 1024
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly max-reassemblies 1024
!
ip route 0.0.0.0 0.0.0.0 10.10.10.145
!
ip nat pool 100net 10.10.10.146 10.10.10.146 netmask 255.255.255.240
ip nat inside source list NAT100net pool 100net overload
ip nat inside source static 192.168.100.246 10.10.10.154 extendable
!
ip access-list extended NAT100net
 permit ip 192.168.100.0 0.0.0.255 any
-- omitted --

Now, based on your answers and on my topology, there is something I can't understand, so I have some questions for you :-)

1) Why do you configure 2 IP addresses on the same interface in both your examples?

2) What is the difference between NAT hairpin and NAT-on-a-stick? How does NAT-on-a-stick work in detail? How can it recognize "inside and outside" without specifying them?

3) Can NAT-on-a-stick be expensive for the router's CPU?

4) What could be a working configuration for my topology?

Thanks for your great commitment; I thank you in advance for your answers!!

Best regards,

Gigi
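The handshake failure Gigi describes above, as an added example that is not part of the thread: a small Python model of the packet exchange using the addresses from Gigi's post (client 192.168.100.10, router 192.168.100.254 / 10.10.10.146, server 192.168.100.246 with public address 10.10.10.154). It runs the client's SYN through a router that only does the static destination translation (Gigi's current config) and then through one that, as a hairpin NAT must, also translates the client's source so the server's reply is forced back through the router. The Packet and Router classes, the port numbers and the PAT table are constructed for the model; it shows what a hairpin NAT has to do, not how to configure it on IOS.

```python
# Added example, not code from the thread: a model of the TCP handshake
# failure described above and of what a hairpin NAT does differently.
# Addresses come from Gigi's post; ports, Packet and Router are constructed.

from dataclasses import dataclass, field

CLIENT = "192.168.100.10"           # LAN host behind the router
ROUTER_INSIDE = "192.168.100.254"   # Fa0/1
ROUTER_OUTSIDE = "10.10.10.146"     # Fa0/0, also the overload (PAT) address
PUBLIC_SERVER = "10.10.10.154"      # static NAT address of the web server
PRIVATE_SERVER = "192.168.100.246"  # web server's real address


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Router:
    """Static 1:1 NAT for the server, plus optional hairpin source translation."""
    static_map: dict                                # public IP -> private IP
    hairpin: bool                                   # also hide inside clients behind ROUTER_OUTSIDE
    pat_table: dict = field(default_factory=dict)   # router port -> (client IP, client port)
    next_port: int = 1024

    def inside_to_public_server(self, pkt: Packet) -> Packet:
        """Client packet addressed to the public server IP, as delivered to the server."""
        private_dst = self.static_map[pkt.dst]      # destination NAT (the static entry)
        if not self.hairpin:
            # Plain static NAT: the client's real address is left untouched.
            return Packet(pkt.src, private_dst, pkt.sport, pkt.dport)
        # Hairpin: translate the source as well, so the server's reply is
        # addressed to the router and can be un-translated on the way back.
        port = self.next_port
        self.next_port += 1
        self.pat_table[port] = (pkt.src, pkt.sport)
        return Packet(ROUTER_OUTSIDE, private_dst, port, pkt.dport)

    def server_reply_to_client(self, pkt: Packet):
        """Reverse both translations on a reply the server sent to the router."""
        if pkt.dst != ROUTER_OUTSIDE or pkt.dport not in self.pat_table:
            return None                             # no translation state for it
        client_ip, client_port = self.pat_table[pkt.dport]
        return Packet(PUBLIC_SERVER, client_ip, pkt.sport, client_port)


def simulate_handshake(hairpin: bool):
    """Return (handshake_ok, source address the client saw on the SYN-ACK)."""
    router = Router({PUBLIC_SERVER: PRIVATE_SERVER}, hairpin)
    syn = Packet(CLIENT, PUBLIC_SERVER, 40000, 80)
    at_server = router.inside_to_public_server(syn)
    # The server answers whatever source address it saw.
    syn_ack = Packet(PRIVATE_SERVER, at_server.src, 80, at_server.sport)
    if syn_ack.dst == ROUTER_OUTSIDE:
        delivered = router.server_reply_to_client(syn_ack)
    else:
        # Client and server share 192.168.100.0/24: the reply is switched
        # straight to the client and the router never sees it.
        delivered = syn_ack
    # The client's TCP stack only matches a SYN-ACK that comes from the
    # address and port it sent the SYN to, on the port it sent from.
    ok = (delivered.src == syn.dst and delivered.sport == syn.dport
          and delivered.dport == syn.sport)
    return ok, delivered.src


if __name__ == "__main__":
    for mode in (False, True):
        ok, seen = simulate_handshake(mode)
        state = "succeeds" if ok else "fails"
        print(f"hairpin={mode}: SYN-ACK from {seen}, handshake {state}")
```

Without the source translation the SYN-ACK arrives from 192.168.100.246, which the client never sent to, so the connection is dropped; with it, the server's reply lands on the router, both translations are reversed, and the client sees the reply from 10.10.10.154 as it expects.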

Re: NAT HAIRPINNING

Hello

NAT on a stick is basically used when you have only one physical interface on the router and you have a requirement to perform NAT translation, say, on your internal network.

As NAT basically requires two physical interfaces to work, you can utilise a virtual interface of the router (in this case the loopback).

In the example Peter has posted, the secondary IP address on the physical interface would be for a next-hop segment, let's say of an external network, and utilising NAT-pinning (NAT on a stick) you would be able to NAT traffic internal/external from the same physical interface.

As you can see, any LAN traffic that matches the ACL and comes from the LAN on the physical interface (fa0/0) is PBR'd to the loopback 0 interface (NAT inside), where NAT translation is then performed towards the same physical interface fa0/0 (NAT outside) from the IP address range defined in the NAT pool (which, as you can see, matches the secondary IP address range of the physical interface).


Res
Paul


Sent from Cisco Technical Support iPad App

Please don't forget to rate any posts that have been helpful. Thanks.
New Member

Re: NAT HAIRPINNING

OK Paul, but how can I use that technology with reference to my topology? Please give me the solution, not only the explanation, even if the explanation is always welcome.

For example, as you can see I have 2 interfaces available (inside Fa0/1 and outside Fa0/0). According to your explanation, maybe I should create a PBR that says "everything that arrives from the LAN to IP 10.10.10.154, send it towards loopback 0". Then loopback 0 "simulates" NAT outside, my internal host exits with a NAT overload, then I should create another PBR on loopback 0 that says "everything that arrives from IP 10.10.10.146 to 10.10.10.154, send it back to LAN FastEthernet 0/1". The routing table sees that FastEthernet's IP is directly connected, so it sends the packet back to Fa0/1. The packet is NATted outside->inside, then delivered to the server. The server, however, sees that the packet came from an internal IP and delivers the packet directly to 192.168.100.10 (the internal host's IP). The TCP connection fails, because our PC expects a reply from 10.10.10.154 and not from 192.168.100.254.

How can I fix this behavior?

Gigi

Re: NAT HAIRPINNING

Hello

I am not sure there is a way... maybe someone else on this forum could elaborate on how to do this.

The problem I see with your request is that the hosts 192.168.100.254 and 192.168.100.10 are on the same subnet, so they don't need to go via the router for the connection, as the traffic will be switched, so NAT will not be used.

However, if the hosts were on different subnets and required a connection via your router, then it would be possible to perform such a NAT action as you have queried.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.
New Member

Re: NAT HAIRPINNING

Paul,

What should I rate if no one is able to give me a solution?

New Member

Hi, folks.

Maybe I'm a bit late with my answer, but better late than never...

First of all, such a situation is encountered often enough.

Second, while NAT theoretically may be a solution, in practice particular vendor implementations of NAT can be restrictive and fail to support this.

One typical solution is to address the server located in the internal network by FQDN, not by the IP address. Two DNS zones are needed - one external, mapping server.example.org to the publicly known IP, and an internal, mapping the same FQDN to the private IP address of the server.

If this solution seems unacceptable, there is another one; it avoids NAT too, and all that you need is to configure the TCP/IP stack on the server and the LAN hosts. Do this:

(1) on the server: add the public IP address (10.10.10.154 in your case) as a secondary IP address on the server's network interface with the 255.255.255.255 mask (the web service or whatever you want on the server should listen on this IP address too)

(2) on LAN computers: add a host route for that public IP address; for example, for Windows hosts use the following command: route add 10.10.10.154 mask 255.255.255.255 192.168.100.254 (you can also use the DHCP "static route" option to distribute the route). Or, if there is an L3 switch/router in between the clients and the Internet-facing router, configure that host route on this intermediate switch/router, not on the clients.

New Member

Hi Sergey!

Don't worry about your delay, we're always on track anyway! :-)

Thanks for the reply. In the end I solved it using DNS zones, even if it is not the best networking solution in my opinion, but the important thing is that it works. The solution you give with the secondary IP address is really interesting; I'll definitely try to apply it as an optional solution as soon as I meet this problem again.

The second solution you proposed may also work; I should try it (I see now that I put the wrong IP in the drawing, but it's clear in the configuration that I pasted). With a static route on the computer I can route the traffic directed to 10.10.10.154 towards the private IP address of the server. In this way the traffic goes directly to the private IP address, but I don't know if it works, because the primary request of the 3-way handshake is related to the public IP address, and a reply from the private IP address of the server may cause the handshake to fail.

Probably a PBR on the router may also solve the problem, but I don't know now how to configure it properly.

Thanks a lot for the intervention!

New Member

Hey Luigi, 

In case anyone stumbles on this later, and is trying to get their "guest" subnet to be able to use public IPs for internal or DMZ hosts, I have a solution - run both NAT stacks (zoned/old and NVI/new) in tandem. Details here: http://systems-co.blogspot.com/2016/06/cisco-routers-easy-hair-pin-nat-for.html

Thanks!

kyler
