I’ve never had a need to do NAT hairpinning on a Cisco ISR, as I’d typically have a fancy firewall like an ASA doing the work. However, with this blog now hosted on a NAS inside my home network, I’ve found it necessary to support it. Hairpinning essentially means the internal server is available via the public (global) IP address, even when coming from the private (local) network. I didn’t want to forge DNS entries because it’s a pain to manage, and, well, it’s just wrong.
First, here’s my traditional NAT configuration. Fa0/0 is the public interface connected to the ISP. BVI is the Layer 3 private interface.
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface BVI1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list NATLIST interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.100 80 interface FastEthernet0/0 80
!
ip access-list extended NATLIST
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
bridge 1 protocol ieee
bridge 1 route ip
Now the new config. Pretty simple, but there's a gotcha: "no ip redirects" is required on both the outside and the inside interface.
interface FastEthernet0/0
 ip address dhcp
 no ip redirects
 ip nat enable
!
interface BVI1
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 ip nat enable
!
ip nat source list NATLIST interface FastEthernet0/0 overload
ip nat source static tcp 192.168.0.100 80 interface FastEthernet0/0 80
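As an added example (my own script, not something from the post), here is a small Python linter for the prerequisite described above: every interface carrying "ip nat enable" must also carry "no ip redirects", and a stanza that mixes "ip nat enable" with the legacy "ip nat inside"/"ip nat outside" commands gets flagged too. The sample config it runs on is a constructed copy of the one above with the "no ip redirects" line deliberately dropped from BVI1 so the check has something to report.

```python
import re
from typing import Dict, List

# Constructed sample: the hairpin config from the post, with BVI1 missing
# "no ip redirects" on purpose so the checker has a finding to report.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address dhcp
 no ip redirects
 ip nat enable
!
interface BVI1
 ip address 192.168.0.1 255.255.255.0
 ip nat enable
!
ip nat source list NATLIST interface FastEthernet0/0 overload
ip nat source static tcp 192.168.0.100 80 interface FastEthernet0/0 80
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the lines of an IOS config under their 'interface X' stanza.
    A bare '!' or a blank line closes the current stanza; global commands
    such as 'ip nat source ...' are not attached to any interface."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def check_hairpin_prereqs(config: str) -> List[str]:
    """Return one finding per interface that has 'ip nat enable' but lacks
    'no ip redirects', or that mixes 'ip nat enable' with legacy NAT."""
    findings: List[str] = []
    for name, lines in parse_interfaces(config).items():
        nvi = "ip nat enable" in lines
        legacy = any(l in ("ip nat inside", "ip nat outside") for l in lines)
        if nvi and "no ip redirects" not in lines:
            findings.append(f"{name}: 'ip nat enable' without 'no ip redirects'")
        if nvi and legacy:
            findings.append(f"{name}: mixes 'ip nat enable' with legacy inside/outside NAT")
    return findings


if __name__ == "__main__":
    for finding in check_hairpin_prereqs(SAMPLE_CONFIG):
        print(finding)
```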
And here comes the real gotcha: performance. After switching to this configuration, my throughput over NAT went from about 90 Mbps to 15 Mbps. Ouch. I saw these numbers on both a 2811 and an 1841.