Ran into a term today that I don't see used too often, but I think it's something one should be familiar with since it's used out there in the field. Surprisingly, a Google search didn't yield me any good explanations. So let's clear up this confusion with this post!

We all know regular NAT, right? You translate a single IP or range of IPs into another single IP or range of IPs. Nothing crazy there. But what if we want to access an internal resource using a public IP? Could NAT do this for us?

The short answer is YES! There are a few names for this, but the common ones are NAT Reflection, NAT Loopback, NAT Hairpinning or NAT-on-a-Stick.

As you can see from the links below, different vendors call this technique by different names, but the concept is the same.

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6505-nat-on-stick.html

http://kb.juniper.net/InfoCenter/index?page=content&id=KB24639

http://wiki.mikrotik.com/wiki/Hairpin_NAT

One way to make this work is with some DNS tricks, namely Split-DNS or a DNS Forwarder. In our case, though, we'll be using the NAT Reflection technique. Let's take a look at the example below…

(Topology diagram from the original post goes here.) So we have a firewall with our 3 security levels. Let's call 192.168.1.1 Server A and 172.16.1.1 Server B. Also, our company has a public IP block of 8.8.8.0/24.

Great, so let's say we want to access the server on the DMZ interface (Server B) via the public IP of 8.8.8.10/24. Server B goes out to the internet with a public IP of 8.8.8.10, but for whatever reason the software we're running also wants Server A (192.168.1.1) to access Server B via the PUBLIC IP, not its actual IP of 172.16.1.1.

Normally, we can use basic NAT and ACL rules on the firewall to allow Server A to talk to Server B. The only issue with that is that we'd be using the actual IPs of the devices, not the public IP. So regular NAT won't do the trick here, but NAT Reflection will make this happen!

We'll have the firewall say "if I get traffic for 8.8.8.10 on my inside interface, instead of sending it out to the internet, send it towards Server B."

You'll have to make the following changes to the firewall (inside_access is applied inbound on our inside interface)…

static (dmz,inside) 8.8.8.10 172.16.1.1

access-list inside_access line 1 permit ip host 192.168.1.1 host 8.8.8.10

Once we have that in, when Server A goes to 8.8.8.10, NAT will kick in and forward the traffic towards 172.16.1.1. Note that, depending on your design, you might need to allow traffic back (bi-directional).
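To make the packet walk concrete, here is an added Python model of what the firewall does with the two lines above (my own illustration, not code from this post or from Cisco): the ACL is matched on the mapped address, the static entry turns inside traffic for the public IP toward the DMZ, and the reply is untranslated from the xlate entry the request created. The interface names, dict layouts and the "outside" default are my simplifications.

```python
from dataclasses import dataclass

# Addresses from the post's example topology (8.8.8.0/24 stands in for the company block)
PUBLIC_IP, SERVER_A, SERVER_B = "8.8.8.10", "192.168.1.1", "172.16.1.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# static (dmz,inside) 8.8.8.10 172.16.1.1
# keyed by (interface the mapped address is seen on, mapped IP) -> (real interface, real IP)
STATIC_NAT = {("inside", PUBLIC_IP): ("dmz", SERVER_B)}

# access-list inside_access ... permit ip host 192.168.1.1 host 8.8.8.10
# bound inbound on "inside"; the ACL is evaluated against the mapped (public) address
ACLS = {"inside": [(SERVER_A, PUBLIC_IP)]}


def acl_permits(pkt: Packet, ingress: str) -> bool:
    rules = ACLS.get(ingress)
    if rules is None:          # no ACL bound to this interface
        return True
    return (pkt.src, pkt.dst) in rules


def forward(pkt: Packet, ingress: str, xlate: dict):
    """Return (egress interface, packet as it leaves) or None if dropped."""
    if not acl_permits(pkt, ingress):
        return None
    # hairpin: inside traffic for the public IP is turned around toward the dmz
    if (ingress, pkt.dst) in STATIC_NAT:
        egress, real_ip = STATIC_NAT[(ingress, pkt.dst)]
        xlate[(real_ip, pkt.src)] = (pkt.dst, ingress)   # remember it for the reply
        return egress, Packet(pkt.src, real_ip)
    # reply matching an existing xlate: rewrite the source back to the public IP
    if (pkt.src, pkt.dst) in xlate:
        mapped_ip, egress = xlate[(pkt.src, pkt.dst)]
        return egress, Packet(mapped_ip, pkt.dst)
    return "outside", pkt      # anything else follows the default route


def hairpin_session():
    """Server A -> 8.8.8.10, then Server B's reply, through one shared xlate table."""
    xlate = {}
    request = forward(Packet(SERVER_A, PUBLIC_IP), "inside", xlate)
    reply = forward(Packet(SERVER_B, SERVER_A), "dmz", xlate)
    return request, reply


if __name__ == "__main__":
    print(hairpin_session())
```

Server A only ever sees 8.8.8.10 on both legs, which is exactly what the picky software wanted; a second inside host without an ACL entry is dropped before NAT is consulted.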

Hope that helps clarify what NAT Reflection does!

William Zambrano

NYC networkers is run by William Zambrano, a passionate network engineer who has been in the IT industry for eight years who posts up blog articles, YouTube videos, and holds meetup.com events in the NYC area. He lives in Queens, New York and has consulted in various different companies in the NY area. Previously William worked as a Cisco Certified Systems Instructor (CCSI) but now currently works for Arista Networks serving as a Systems Engineer. William can be reached by email at willzambrano@gmail.com
