[Cisco] Configureren van NAT hairpinning/NAT reflection

maandag 9 augustus 2021 10:40

Acties:

0 Henk 'm!

Topicstarter

Beste mede tweakers,

Ik zit met volgend probleem waarvoor ik al enige tijd een oplossing aan het zoeken ben.
Ik heb een cpanel server draaien met daarop een aantal websites. Die draait al ettelijke jaren.

Sinds kort stuit ik tegen problemen met het curl commando. Dat moet een antwoord geven voor een aantal websites.
Ik krijg enkel het antwoord "permission denied".

Ik had hiervoor een ticket geopend bij cpanel:

Hello,

Thank you for contacting cPanel Technical Support. My name is Alex.

I see you're experiencing issues curl'ing a website hosted on your own server. In this case, this is evidence of a NAT misconfiguration:

Loopback NAT on this IP address appears to be defective

The website appears to be loading fine from my workstation, though:

I am confident the knowledge shared in the above article will guide you towards solving the issue you have outlined in this request. Would you please review the article and let me know if you have any outstanding questions or concerns?

It’s been a pleasure working with you on this issue, and I hope you are satisfied with the experience!

Thank you,
Alex Jankowiak

Goed OK. Dus ben ik naar een oplossing opzoek gegaan om dit netwerktechnisch op te lossen.
Er draait een Cisco 3845 ISR router (omwille van de vele interfaces die gebruikt worden en de kostprijs van een nieuw toestel moet deze nog even voldoen. Er komt eind dit jaar een fortigate firewall).

Onderstaande is de huidige configuratie:

code:

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco3845
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_auth local
aaa authentication ppp default local
aaa authentication ppp VPDN_AUTH local
aaa authorization exec default local 
!
aaa session-id common
no network-clock-participate slot 1 
no network-clock-participate slot 2 
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip dhcp excluded-address 10.10.10.1
!
!
no ip bootp server
ip domain name 
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 700
ip inspect one-minute low 500
ip inspect one-minute high 1100
ip inspect udp idle-time 200
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 200 block-time 30
ip inspect name firewall icmp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 10 attempts 3 within 10
vpdn enable
vpdn source-ip 195.130.x.x
!
vpdn-group 1
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
appfw policy-name http-inspect
  application http
    content-type-verification match-req-rsp action allow alarm
    max-header-length request 1 response 1 action allow alarm
    max-uri-length 60 action reset alarm
    port-misuse default action reset alarm
    request-method rfc get action allow alarm
    audit-trail on
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4270858707
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4270858707
 revocation-check none
 rsakeypair TP-self-signed-4270858707
!
!

archive
 log config
  logging enable
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any SDM-Transactional-1
 match  dscp af21 
 match  dscp af22 
 match  dscp af23 
class-map match-any SDM-Signaling-1
 match  dscp cs3 
 match  dscp af31 
class-map match-any Voice-Traffic
 match ip dscp ef 
class-map match-any SDM-Routing-1
 match  dscp cs6 
class-map match-any SDM-Voice-1
 match  dscp ef 
class-map match-any Voice-Signal
 match ip dscp cs3 
 match ip dscp af31 
class-map match-any Video
 match ip dscp af41 
class-map match-any SDM-Management-1
 match  dscp cs2 
!
!
policy-map Voip
 class Voice-Traffic
  priority 20
 class Voice-Signal
  bandwidth percent 40
 class Video
 class class-default
  shape average 100000000
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key  address  no-xauth
crypto isakmp key  address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 3600
!
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set l2tppjk esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile VPN_S
 set transform-set ESP-AES128-SHA 
!
!
crypto dynamic-map l2tppjk-map 10
 set nat demux
 set transform-set l2tppjk 
!
!
crypto map cisco 10 ipsec-isakmp dynamic l2tppjk-map 
!
!
!
!
interface Tunnel0
 description "VPN S"
 ip unnumbered GigabitEthernet0/0
 tunnel source 195.130.x.x
 tunnel destination x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_S
!
interface GigabitEthernet0/0
 description De buitenwereld WAN
 ip address 195.130.x.x 255.255.255.248
 ip access-group 120 in
 ip verify unicast source reachable-via rx allow-default 102
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect autosec_inspect out
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 no mop enabled
 crypto map cisco
!
interface GigabitEthernet0/1
 description "Lokaal LAN"
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface GigabitEthernet0/1/0
 description "reserve"
 no ip address
 ip access-group 120 in
 ip verify unicast source reachable-via rx allow-default 102
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect autosec_inspect out
 ip virtual-reassembly
 no ip mroute-cache
 shutdown
 negotiation auto
 no cdp enable
 no mop enabled
 crypto map cisco
!
interface FastEthernet1/0
 description "Guest network LAN interface"
 ip address 10.10.20.1 255.255.255.0
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet1/1
 description "Voice VLAN interface"
 ip address 10.10.30.1 255.255.255.0
 ip access-group 115 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
 service-policy output Voip
!
interface FastEthernet2/0
 description "Customer LAN "
 ip address 10.10.40.1 255.255.255.0
 ip access-group 117 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet2/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Virtual-Template1
 description "VPN Verbinding met Iphones"
 ip unnumbered GigabitEthernet0/0
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 peer default ip address pool PPTP-Pool
 no keepalive
 ppp encrypt mppe 128
 ppp authentication chap ms-chap ms-chap-v2 VPDN_AUTH
 ppp ipcp dns 10.10.10.80 10.10.10.81
!
interface Vlan1
 no ip address
!
ip local pool PPTP-Pool 10.10.50.30 10.10.50.40
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 195.130.x.x
ip route 10.10.100.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.3.0 255.255.255.0 Tunnel0
ip route 192.168.4.0 255.255.255.0 Tunnel0
ip route 192.168.6.0 255.255.255.0 Tunnel0
ip route 192.168.7.0 255.255.255.0 Tunnel0
ip route 192.168.8.0 255.255.255.0 Tunnel0
ip route 192.168.9.0 255.255.255.0 Tunnel0
ip route 192.168.11.0 255.255.255.0 Tunnel0
ip route 192.168.12.0 255.255.255.0 Tunnel0
ip route 192.168.13.0 255.255.255.0 Tunnel0
ip route 192.168.14.0 255.255.255.0 Tunnel0
ip route 192.168.15.0 255.255.255.0 Tunnel0
ip route 192.168.254.0 255.255.255.0 Tunnel0
ip route 193.100.100.0 255.255.255.0 Tunnel0
!
!
no ip http server
no ip http secure-server
ip nat pool NAT-POOL 10.10.10.0 10.10.10.255 netmask 255.255.255.0
ip nat pool NAT-POOL-GUEST 10.10.20.0 10.10.20.255 netmask 255.255.255.0
ip nat pool NAT-POOL-VOICE 10.10.30.0 10.10.30.255 netmask 255.255.255.0
ip nat pool NAT-POOL-CUST 10.10.40.0 10.10.40.255 netmask 255.255.255.0
ip nat pool VPNPHONE-POOL 10.10.50.0 10.10.50.255 netmask 255.255.255.0
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source list 110 interface GigabitEthernet0/0 overload
ip nat inside source list 115 interface GigabitEthernet0/0 overload
ip nat inside source list 117 interface GigabitEthernet0/0 overload
ip nat inside source list 130 interface GigabitEthernet0/0 overload
ip nat inside source static udp 10.10.30.51 5060 interface GigabitEthernet0/0 5060
ip nat inside source static tcp 10.10.10.55 1 195.130.x.x 1 extendable
ip nat inside source static tcp 10.10.10.55 20 195.130.x.x 20 extendable
ip nat inside source static tcp 10.10.10.55 21 195.130.x.x 21 extendable
ip nat inside source static tcp 10.10.10.55 22 195.130.x.x 22 extendable
ip nat inside source static tcp 10.10.10.55 25 195.130.x.x 25 extendable
ip nat inside source static tcp 10.10.10.55 26 195.130.x.x 26 extendable
ip nat inside source static tcp 10.10.10.55 37 195.130.x.x 37 extendable
ip nat inside source static tcp 10.10.10.55 53 195.130.x.x 53 extendable
ip nat inside source static udp 10.10.10.55 53 195.130.x.x 53 extendable
ip nat inside source static tcp 10.10.10.55 80 195.130.x.x 80 extendable
ip nat inside source static tcp 10.10.10.55 110 195.130.x.x 110 extendable
ip nat inside source static tcp 10.10.10.55 143 195.130.x.x 143 extendable
ip nat inside source static tcp 10.10.10.55 443 195.130.x.x 443 extendable
ip nat inside source static tcp 10.10.10.55 465 195.130.x.x 465 extendable
ip nat inside source static tcp 10.10.10.55 587 195.130.x.x 587 extendable
ip nat inside source static tcp 10.10.10.55 993 195.130.x.x 993 extendable
ip nat inside source static tcp 10.10.10.55 995 195.130.x.x 995 extendable
ip nat inside source static tcp 10.10.10.55 2077 195.130.x.x 2077 extendable
ip nat inside source static tcp 10.10.10.55 2078 195.130.x.x 2078 extendable
ip nat inside source static tcp 10.10.10.55 2079 195.130.x.x 2079 extendable
ip nat inside source static tcp 10.10.10.55 2080 195.130.x.x 2080 extendable
ip nat inside source static tcp 10.10.10.55 2082 195.130.x.x 2082 extendable
ip nat inside source static tcp 10.10.10.55 2083 195.130.x.x 2083 extendable
ip nat inside source static tcp 10.10.10.55 2086 195.130.x.x 2086 extendable
ip nat inside source static tcp 10.10.10.55 2087 195.130.x.x 2087 extendable
ip nat inside source static tcp 10.10.10.55 2095 195.130.x.x 2095 extendable
ip nat inside source static tcp 10.10.10.55 2096 195.130.x.x 2096 extendable
ip nat inside source static tcp 10.10.10.55 3306 195.130.x.x 3306 extendable
ip nat inside source static tcp 10.10.10.50 80 195.130.x.x 80 extendable
ip nat inside source static tcp 10.10.10.50 443 195.130.x.x 443 extendable
ip nat inside source static tcp 10.10.10.80 25 195.130.x.x 25 extendable
ip nat inside source static tcp 10.10.10.80 80 195.130.x.x 80 extendable
ip nat inside source static tcp 10.10.10.80 110 195.130.x.x 110 extendable
ip nat inside source static tcp 10.10.10.80 443 195.130.x.x 443 extendable
ip nat inside source static tcp 10.10.10.30 3128 195.130.x.x 3128 extendable
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny   ip any any
!
logging trap debugging
logging facility local2
access-list 1 permit any
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any
access-list 100 permit udp any any range bootps bootpc
access-list 100 permit udp 10.10.10.0 0.0.0.255 any
access-list 100 permit icmp 10.10.10.0 0.0.0.255 any
access-list 100 permit esp 10.10.10.0 0.0.0.255 any
access-list 100 permit pim 10.10.10.0 0.0.0.255 any
access-list 100 deny   ip 192.168.168.0 0.0.0.255 any
access-list 100 deny   ip any any
access-list 101 permit ip 192.168.168.0 0.0.0.255 any
access-list 102 permit udp any any eq bootpc
access-list 110 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 110 permit udp any any range bootps bootpc
access-list 110 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit icmp 10.10.20.0 0.0.0.255 any
access-list 110 permit tcp 10.10.20.0 0.0.0.255 any
access-list 110 permit udp 10.10.20.0 0.0.0.255 any
access-list 110 permit esp 10.10.20.0 0.0.0.255 any
access-list 110 deny   ip any any
access-list 115 permit tcp 10.10.30.0 0.0.0.255 any
access-list 115 permit udp any any range bootps bootpc
access-list 115 permit udp 10.10.30.0 0.0.0.255 any
access-list 115 permit esp 10.10.30.0 0.0.0.255 any
access-list 115 permit icmp 10.10.30.0 0.0.0.255 any
access-list 115 deny   ip any any
access-list 117 deny   ip 10.10.10.0 0.0.0.255 10.10.40.0 0.0.0.255
access-list 117 deny   ip 10.10.40.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 117 permit udp any any range bootps bootpc
access-list 117 permit tcp 10.10.40.0 0.0.0.255 any
access-list 117 permit udp 10.10.40.0 0.0.0.255 any
access-list 117 permit esp 10.10.40.0 0.0.0.255 any
access-list 117 permit icmp 10.10.40.0 0.0.0.255 any
access-list 117 deny   ip any any
access-list 120 permit tcp 84.197.75.0 0.0.0.255 host 195.130.157.148 eq pop3
access-list 120 permit tcp any host 195.130.x.x eq www
access-list 120 permit tcp any host 195.130.x.x eq 1
access-list 120 permit tcp any host 195.130.x.x eq ftp-data
...
access-list 130 permit tcp 10.10.50.0 0.0.0.255 any
access-list 130 permit udp 10.10.50.0 0.0.0.255 any
access-list 130 permit icmp 10.10.50.0 0.0.0.255 any
access-list 130 permit esp 10.10.50.0 0.0.0.255 any
access-list 130 permit gre 10.10.50.0 0.0.0.255 any
access-list 130 deny   ip any any
no cdp run
!
!
!
control-plane
!
bridge 1 protocol ieee
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!

Authorized access only!

banner motd 
======================================================
Alleen voor bevoegd personeel! Niet bevoegd? Oprotten!
======================================================

!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 02050D4808090E25414707
 login authentication local_auth
 transport input telnet ssh
line vty 5 15
 login authentication local_auth
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Een oplossing bestaat uit Nat Virtual Interface. Dan kan ik aan NAT loopback doen en werkt alles wel. Alleen is dit zoals overal te lezen is zwaar belastend voor de CPU van de router en nefast voor de snelheid. (dan behoud ik van de huidige snelheid 1/3de.

code:

ip nat source list 100 interface GigabitEthernet0/0 overload
ip nat source list 110 interface GigabitEthernet0/0 overload
ip nat source list 115 interface GigabitEthernet0/0 overload
ip nat source list 117 interface GigabitEthernet0/0 overload
ip nat source list 130 interface GigabitEthernet0/0 overload

ip nat source static udp 10.10.30.51 5060 interface GigabitEthernet0/0 5060
ip nat source static tcp 10.10.10.55 1 195.130.x.x 1 extendable
ip nat source static tcp 10.10.10.55 20 195.130.x.x 20 extendable
ip nat source static tcp 10.10.10.55 21 195.130.x.x 21 extendable
ip nat source static tcp 10.10.10.55 22 195.130.x.x 22 extendable
ip nat source static tcp 10.10.10.55 25 195.130.x.x 25 extendable
ip nat source static tcp 10.10.10.55 26 195.130.x.x 26 extendable
ip nat source static tcp 10.10.10.55 37 195.130.x.x 37 extendable
ip nat source static tcp 10.10.10.55 53 195.130.x.x 53 extendable
ip nat source static udp 10.10.10.55 53 195.130.x.x 53 extendable
ip nat source static tcp 10.10.10.55 80 195.130.x.x 80 extendable
...
interface GigabitEthernet0/0
ip nat enable
no ip redirects
interface GigabitEthernet0/1
ip nat enable
no ip redirects
interface FastEthernet1/0
ip nat enable
no ip redirects
interface FastEthernet1/1
ip nat enable
no ip redirects
interface FastEthernet2/0
ip nat enable
no ip redirects
interface Virtual-Template1
ip nat enable
no ip redirects

Er zijn nog andere oplossingen mogelijk via een loopback interface (heb ik gelezen). Alleen begrijp ik niet goed de opzet daarvan. Moet er dan gewerkt worden met policy maps voor elk nat statement of hoe gaat dit juist in zijn werk?
Kan iemand van jullie mij even assisteren om voor NAT loopback:hairpinning/NAt reflection/... tot een oplossing te komen die minder belastend is voor de router?

Dat mag eventueel met extra uitleg... ik leer graag bij.

maandag 9 augustus 2021 10:48

Acties:

0 Henk 'm!

Ghostface9000

Je hebt het probleem met dat curl commando enkel op de lan ? Niet als je extern verbinding maakt ?

Ik lees dat deze cisco router inderdaad geen nat loopback functionaliteit heeft.

Heb je een eigen dns server draaien intern ? Je zou een a record kunnen maken die verwijst naar het lokale ip van de server om dit zo op te lossen.

[ Voor 4% gewijzigd door Ghostface9000 op 09-08-2021 10:48 ]

maandag 9 augustus 2021 11:32

Acties:

0 Henk 'm!

Pieter Kimpen

Topicstarter

Hoi Ghostface9000,

Dank voor de snelle reactie.

Ik krijg volgende fout:

curl www.m.....be
curl: (7) Failed connect to www.m....be:80; Connection refused
[root@ares ~]#

Ik heb eigen DNS servers draaien. Daarin zitten voor iedere website de nodige A records. Dat is dus al in orde.

GVD.... ik heb de DNS nog eens nagekeken. Dat domein stond er inderdaad nog niet tussen (er staan meer dan 7800 zones op die servers...)

[root@ares ~]# curl www.....be
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.m....be/">here</a>.</p>
</body></html>
[root@ares ~]#

Nu lukt het zonder problemen.
Dat lost natuurlijk mijn origineel vraagstuk nog niet op (maar ik ben wel al heel blij met deze snelle reactie en oplossing).
De laatste maanden waren voor mij zeer vermoeiende maanden... Dan vergeet je zaken.

Ik laat het topic nog open. Ik ga graag na of er nog andere oplossingen zijn voor de originele NAT hairpinning/reflection vraag.

Heel erg bedankt allen!

maandag 9 augustus 2021 19:33

Acties:

0 Henk 'm!

nl0pat

Edit: never mind deze suggestie was al gegeven..

[ Voor 85% gewijzigd door nl0pat op 09-08-2021 19:35 ]

Vraag

Alle reacties