Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2350
Views
0
Helpful
3
Replies

NAT inside-to-inside (hairpinning) with NVI on 887VA problem

Go to solution
slawomir.kunach
Level 1
Level 1

‎11-26-2011 12:43 PM - edited ‎03-04-2019 02:25 PM

Hi guys,

I'm trying to configure hairpinning on my Cisco 887VA VDSL router, so all LAN users can connect to the server using SMTP port 25 which is also in the same LAN subnet, using external router address, which is assigned to dialer1 interface.

Traffic comming in from outside works fine.

External IP: 1.1.1.1/29

PC address connecting to the server: 192.168.101.28

Server address: 192.168.101.200

IOS: 15.1.4M1

my config:

!

! Last configuration change at 20:25:23 UTC Sat Nov 26 2011

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname router

!

boot-start-marker

boot system flash c880data-universalk9-mz.151-4.M1.bin

boot-end-marker

!

!

enable secret xxxxxxxxx

!

aaa new-model

!

!

!

!

!

aaa session-id common

memory-size iomem 10

crypto pki token default removal timeout 0

!

no ip source-route

!

!

!

!

ip dhcp pool LAN

network 192.168.101.0 255.255.255.0

dns-server 90.90.90.90 91.91.91.91

domain-name domain.com

default-router 192.168.101.1

!

!

ip cef

ip domain name domain.com

no ipv6 cef

!

!

!

username admin privilege 15 secret 5 xxxxxxx

!

!

!

!

controller VDSL 0

!

!

!

!

!

!

!

!

interface Ethernet0

no ip address

!

interface Ethernet0.101

description PPPoE bridging from controller VDSL to dialer 1

encapsulation dot1Q 101

ip nat enable

pppoe-client dial-pool-number 1

!

interface ATM0

no ip address

shutdown

no atm ilmi-keepalive

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface Vlan1

ip address 192.168.101.1 255.255.255.0

ip nat enable

ip tcp adjust-mss 1452

!

interface Dialer1

mtu 1492

ip address 1.1.1.1 255.255.255.248

no ip redirects

no ip unreachables

ip nat enable

encapsulation ppp

load-interval 30

dialer pool 1

dialer-group 1

ppp authentication chap callin

ppp chap hostname xxxxxx

ppp chap password 0 xxxxxx

ppp direction callout

ppp ipcp header-compression ack

ppp ipcp dns request accept

ppp ipcp address accept

no cdp enable

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

ip nat pool WAN 1.1.1.1 1.1.1.1 prefix-length 29 add-route

ip nat source list 1 pool WAN overload

ip nat source static tcp 192.168.101.200 25 1.1.1.1 25 extendable

ip route 0.0.0.0 0.0.0.0 Dialer1

!

access-list 1 permit 192.168.101.0 0.0.0.255

dialer-list 1 protocol ip permit

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

end

So as I already said, traffic coming from outside to 1.1.1.1:25 goes through fine, but LAN users are unable to connect to 1.1.1.1:25

debug ip nat

*Nov 26 19:31:11.278: NAT: s=192.168.101.28->1.1.1.1, d=1.1.1.1 [22404]

*Nov 26 19:31:11.278: NAT: s=1.1.1.1, d=1.1.1.1->192.168.101.200 [22404]

debug ip packet

*Nov 26 19:31:40.622: IP: s=192.168.101.28 (Vlan1), d=1.1.1.1, len 52, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 26 19:31:40.622: IP: s=192.168.101.28 (Vlan1), d=1.1.1.1, len 52, input feature, MCI Check(67), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 26 19:31:40.622: IP: s=192.168.101.28 (Vlan1), d=1.1.1.1, len 52, input feature, TCP Adjust MSS(69), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 26 19:31:40.622: IP: tableid=0, s=192.168.101.28 (Vlan1), d=1.1.1.1 (Dialer1), routed via RIB

*Nov 26 19:31:40.622: NAT: s=192.168.101.28->1.1.1.1, d=1.1.1.1[22453]

*Nov 26 19:31:40.622: NAT: s=1.1.1.1, d=1.1.1.1->192.168.101.200 [22453]

*Nov 26 19:31:40.622: IP: s=1.1.1.1 (Vlan1), d=192.168.101.200 (Vlan1), len 52, output feature, Post-routing NAT NVI Output(20), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 26 19:31:40.622: IP: Output changed by feature=20: Dialer1 -> Vlan1

*Nov 26 19:31:40.622: IP: s=1.1.1.1 (Vlan1), d=192.168.101.200 (Vlan1), len 52, rcvd local pkt

sh ip route

S*    0.0.0.0/0 is directly connected, Dialer1

      82.0.0.0/32 is subnetted, 1 subnets

C        82.153.1.65 is directly connected, Dialer1

      192.168.101.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.101.0/24 is directly connected, Vlan1

L        192.168.101.1/32 is directly connected, Vlan1

      1.1.1.1.0/24 is variably subnetted, 2 subnets, 2 masks

C        1.1.1.0/29 is directly connected, Dialer1

L        1.1.1.1/32 is directly connected, Dialer1

I'm running tcpdump on the server on port 25 and... nothing happens. The traffic is not going through.

One thing that I've notices in debug ip packet is this line:

s=1.1.1.1 (Vlan1), d=192.168.101.200 (Vlan1), len 52, rcvd local pkt

shouldn't source be internal vlan1 IP - 192.168.101.1?

I'll appriciate any help or suggestions.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎11-26-2011 02:50 PM

Hello Slawomir,

I have encountered connectivity issues with the NVI NAT configuration if the addresses I translated into were actually located in the directly connected networks of the router. What helped, after a tedious search, was to configure no ip redirects on the egress ('outside'-alike) interfaces. There are some strange interactions with the ICMP redirect mechanism and I stumbled across this workaround.

Perhaps this will help you as well - would you mind adding the no ip redirects command to all your IP-enabled interfaces, i.e. E0.101, Vlan1 and Dialer1? Even if it turns out to not solve your issue, it should not do any harm (basically, this command stops sending the ICMP Redirect messages and should allow the router to hairpin any streams).

Best regards,

Peter

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎11-26-2011 02:50 PM

Hello Slawomir,

I have encountered connectivity issues with the NVI NAT configuration if the addresses I translated into were actually located in the directly connected networks of the router. What helped, after a tedious search, was to configure no ip redirects on the egress ('outside'-alike) interfaces. There are some strange interactions with the ICMP redirect mechanism and I stumbled across this workaround.

Perhaps this will help you as well - would you mind adding the no ip redirects command to all your IP-enabled interfaces, i.e. E0.101, Vlan1 and Dialer1? Even if it turns out to not solve your issue, it should not do any harm (basically, this command stops sending the ICMP Redirect messages and should allow the router to hairpin any streams).

Best regards,

Peter

0 Helpful

Go to solution
slawomir.kunach
Level 1
Level 1
In response to Peter Paluch

‎11-27-2011 01:33 PM

I've tried that and... yes, you were right about no ip redirects.

I would never suspect that this could cause the problem.

Thank you very much for your time and help Peter.

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to slawomir.kunach

‎11-27-2011 02:01 PM

Hello Slawomir,

Thank you very much for letting me know. It seems that with NVI style of NAT configuration, it is advisable to deactivate IP ICMP redirects. Thank you for confirming that for me.

Best regards,

Peter

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card