
NAT Hairpin Issue — Internal Clients Cannot Reach Public IP

Presenting Symptom

Internal clients cannot reach a public web server when using its public IP address, but they can reach it using the private IP address.

Network Context

A small branch office with a Cisco 4321 ISR router running IOS XE 16.9. The router performs NAT overload (PAT) for internal hosts (192.168.1.0/24) to access the internet. A web server (192.168.1.10) is hosted internally and also has a public IP (203.0.113.10) mapped via static NAT. Internal clients can access the server via private IP but fail when using the public IP.

Diagnostic Steps

1. Verify NAT configuration

show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.10       192.168.1.10       ---                ---

Check that the static NAT entry exists. If it is missing, static NAT is not configured; if it is present, the translation itself is set up correctly and the problem lies elsewhere.

2. Check if hairpinning is enabled

show running-config | include ip nat inside source
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80 extendable

Look for the 'extendable' keyword. Without it, NAT hairpinning may not work. Also check whether 'ip nat enable' is configured on the interfaces.

3. Verify interface NAT participation

show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic, 0 extended)
Outside interfaces: GigabitEthernet0/0/0
Inside interfaces: GigabitEthernet0/0/1
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 100 pool mypool refcount 0
 pool mypool: netmask 255.255.255.0
   start 203.0.113.20 end 203.0.113.30
   type generic, total addresses 11, allocated 0 (0%), misses 0

Confirm that both the inside and outside interfaces are listed. If the hit counter stays at zero while clients try to reach the public IP, the traffic is not reaching the NAT process.

4. Enable debug to see the NAT process

debug ip nat detailed
NAT: s=192.168.1.100->203.0.113.20, d=203.0.113.10 [0]
NAT: s=203.0.113.20, d=203.0.113.10->192.168.1.10 [0]

Look for translation of both the source and the destination address. If no debug output appears when a client tries to reach the public IP, the traffic is not being processed by NAT. If the translation occurs but no reply comes back, the issue is more likely routing or an ACL.

Root Cause

NAT hairpinning is not enabled. By default, Cisco IOS does not allow traffic entering and leaving the same interface (inside) to be translated. The router sees the packet sourced from an inside interface destined to a public IP that maps to an inside host, but without the 'ip nat enable' command on the inside interface or the 'extendable' keyword on the static NAT, the router drops the packet or does not perform NAT.

Resolution

Enable NAT hairpinning by configuring 'ip nat enable' on the inside interface and ensuring the static NAT has the 'extendable' keyword.

1. Enter global configuration mode:
   configure terminal

2. Enable NAT on the inside interface:
   interface GigabitEthernet0/0/1
   ip nat enable
   exit

3. Modify the static NAT to include 'extendable':
   no ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
   ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80 extendable

4. Save the configuration:
   write memory

Verification

1. From an internal client, access http://203.0.113.10. The web server should now load.

2. Run 'show ip nat translations' to see the dynamic translation created for the client:

Pro Inside global        Inside local          Outside local         Outside global
tcp 203.0.113.10:80      192.168.1.10:80       192.168.1.100:12345   192.168.1.100:12345
tcp 203.0.113.20:12345   192.168.1.100:12345   203.0.113.10:80       192.168.1.10:80

3. Verify that the hit counter increments in 'show ip nat statistics'.

Prevention

1. Always include the 'extendable' keyword when configuring static NAT for internal servers that must be reachable via their public IP from inside the network.

2. Use 'ip nat enable' on interfaces where hairpinning is required, rather than relying solely on 'ip nat inside/outside'.

3. Test internal access to public IPs during initial deployment to catch hairpinning issues early.
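The first two prevention points can be checked before a change is pushed. The following script is an added example, not part of this page or any Cisco tool: it audits a constructed running-config fragment (interface names and addresses are invented to mirror the scenario above) and flags static NAT entries without 'extendable' and inside interfaces without 'ip nat enable'.

```python
import re

# Constructed sample running-config fragment for illustration; not captured from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
ip nat inside source static tcp 192.168.1.11 443 203.0.113.11 443 extendable
ip nat inside source list 100 pool mypool overload
"""

# Matches 'ip nat inside source static [tcp|udp] <local> [port] <global> [port] <rest>'.
STATIC_RE = re.compile(
    r"^ip nat inside source static (?:(tcp|udp) )?(\S+)(?: (\d+))? (\S+)(?: (\d+))?(.*)$"
)


def parse_interfaces(config):
    """Return {interface name: set of 'ip nat ...' keywords found under it}."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = set()
        elif current and line.startswith(" ip nat "):
            result[current].add(line.strip()[len("ip nat "):])
        elif not line.startswith(" "):
            current = None  # left the interface block
    return result


def audit_hairpin(config):
    """List the hairpin-related misconfigurations described on this page."""
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and "extendable" not in m.group(6).split():
            findings.append(f"static NAT {m.group(2)} -> {m.group(4)} lacks 'extendable'")
    for name, nat in parse_interfaces(config).items():
        if "inside" in nat and "enable" not in nat:
            findings.append(f"{name} has 'ip nat inside' but not 'ip nat enable'")
    return findings


if __name__ == "__main__":
    for finding in audit_hairpin(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of 'show running-config' saved to a file; an empty result means both checklist items are satisfied.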

CCNA Exam Relevance

On the CCNA 200-301 exam, NAT hairpinning may appear in troubleshooting scenarios where internal users cannot access a server using its public IP. The exam tests understanding of NAT operation and the need for hairpinning. Questions may be multiple-choice or drag-and-drop, asking which command enables hairpinning or why internal access fails.

Exam Tips

1. Remember that 'ip nat enable' on the inside interface is required for hairpinning, not just 'ip nat inside'.

2. The 'extendable' keyword allows multiple translations for the same inside local address, which is necessary for hairpinning.

3. If a debug shows no NAT activity, check interface NAT participation first.
