Cisco 1941 Router - Hairpinning and Routing VPN internet traffic through router

Michael Cheng
Level 1

Hi,

I'm new to Cisco and have read up a lot on forums and tutorials with regards to setting up a new Cisco 1941 router.

However, I have two issues that are still unresolved:

1) Hairpinning (allowing our mail server 192.168.1.200 to be accessed while clients are on the internal network 192.168.1.0 using its domain name pop.company.com). Access to pop.company.com works when clients are NOT on the company's network and the MX record with public DNS resolves pop.company.com to IP1.IP1.IP1.IP1.

2) Routing VPN internet traffic through gateway GW1.GW1.GW1.GW1 when clients are connected via VPN to the router. Clients connected via VPN can access LAN services, e.g. printer, file servers, etc., however they cannot access the internet via GW1.GW1.GW1.GW1.

Any help would be much appreciated!!

These are the network parameters:

Name server 1: NS1.NS1.NS1.NS1

Name server 2: NS2.NS2.NS2.NS2

Public IP address: IP1.IP1.IP1.IP1

Public IP address subnet: SN1.SN1.SN1.SN1

Public IP address gateway: GW1.GW1.GW1.GW1

Router LAN Address: 192.168.1.1

Mail server LAN Address: 192.168.1.200

Internal LAN: 192.168.1.0/24

VPN LAN: 192.168.2.100 to 192.168.2.200

Below is my config:

aaa authentication login default local
aaa authentication login VPNCompany local
aaa authorization exec default local
aaa authorization network CompanyVPN local
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool CompanyLAN-Pool
 network 192.168.1.0 255.255.255.0
 dns-server NS1.NS1.NS1.NS1 NS2.NS2.NS2.NS2
 default-router 192.168.1.1
!
ip domain name Company.local
ip name-server NS1.NS1.NS1.NS1
ip name-server NS2.NS2.NS2.NS2
ip cef
no ipv6 cef
!
ip ssh version 2
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CompanyVPN
 key Compnay
 dns NS1.NS1.NS1.NS1
 domain Company.local
 pool VPNPool
 max-users 10
 netmask 255.255.255.0
crypto isakmp profile ISAKMPPROFILE
   match identity group CompanyVPN
   client authentication list VPNCompany
   isakmp authorization list CompanyVPN
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CompanyVPN
 set transform-set TRANSFORMSET
 set isakmp-profile ISAKMPPROFILE
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Main Router
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description PrimaryWANDesc_PrimaryWAN
 ip address IP1.IP1.IP1.IP1 SN1.SN1.SN1.SN1
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CompanyVPN
!
ip local pool VPNPool 192.168.2.100 192.168.2.200
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.200 465 interface GigabitEthernet0/1 465
ip nat inside source static tcp 192.168.1.200 995 interface GigabitEthernet0/1 995
ip nat inside source static tcp 192.168.1.200 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 192.168.1.200 993 interface GigabitEthernet0/1 993
ip route 0.0.0.0 0.0.0.0 GW1.GW1.GW1.GW1
!
access-list 1 permit any
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input ssh
!
end

5 Replies

Terence Payet
Level 1

Hi Michael,

You can use NVI to solve all your issues. See below config:

!
interface GigabitEthernet0/0
 description Main Router
 ip address 192.168.1.1 255.255.255.0
 no ip nat inside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description PrimaryWANDesc_PrimaryWAN
 ip address IP1.IP1.IP1.IP1 SN1.SN1.SN1.SN1
 no ip nat inside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
no ip nat inside source static tcp 192.168.1.200 465 interface GigabitEthernet0/1 465
no ip nat inside source static tcp 192.168.1.200 995 interface GigabitEthernet0/1 995
no ip nat inside source static tcp 192.168.1.200 25 interface GigabitEthernet0/1 25
no ip nat inside source static tcp 192.168.1.200 993 interface GigabitEthernet0/1 993
ip nat source list 1 interface GigabitEthernet0/1 overload
ip nat source static tcp 192.168.1.200 465 interface GigabitEthernet0/1 465
ip nat source static tcp 192.168.1.200 995 interface GigabitEthernet0/1 995
ip nat source static tcp 192.168.1.200 25 interface GigabitEthernet0/1 25
ip nat source static tcp 192.168.1.200 993 interface GigabitEthernet0/1 993

HTH.

Regards,

Terence
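Added here as an illustration, not code from the thread: a small Python audit that reads an IOS-style running-config and reports interfaces that carry IP traffic (ip address or ip unnumbered) but hold no NAT role, plus any mix of legacy inside/outside and NVI ip nat enable interfaces. SAMPLE_CONFIG is a constructed excerpt in the thread's anonymized style; on it the script flags Virtual-Template1, the interface the VPN clients' traffic enters on, which is worth checking first when VPN users reach the LAN but not the internet, because untranslated 192.168.2.x sources leave the WAN interface as-is.

```python
# Constructed excerpt in the style of the thread's anonymized config; not the poster's full config.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address IP1.IP1.IP1.IP1 SN1.SN1.SN1.SN1
 ip nat outside
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
"""

def parse_interfaces(config):
    """Return {interface_name: [sub-command lines]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]          # 'interface Virtual-Template1 type tunnel' -> 'Virtual-Template1'
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None                     # '!' or a global command ends the interface stanza
    return interfaces

def audit_nat(config):
    """Flag live IP interfaces with no NAT role, and a mix of legacy and NVI styles."""
    findings, modes = [], set()
    for name, cmds in parse_interfaces(config).items():
        has_ip = any(c.startswith(("ip address ", "ip unnumbered ")) for c in cmds)
        if not has_ip or "shutdown" in cmds:
            continue                           # no IP or administratively down: nothing to translate
        role = next((c for c in cmds if c in ("ip nat inside", "ip nat outside", "ip nat enable")), None)
        if role is None:
            findings.append(f"{name}: carries IP traffic but has no NAT role, so sources behind it are not translated")
        else:
            modes.add("nvi" if role == "ip nat enable" else "legacy")
    if len(modes) > 1:
        findings.append("mixed legacy (inside/outside) and NVI (ip nat enable) interfaces")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_nat(SAMPLE_CONFIG)) or "no NAT findings")
```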

Hi Terence,

Thank you for the advice.

When I made the above changes, the computers/devices on the LAN could not resolve domain names with the DNS to a website.

On the router, I could ping IP addresses and domain names.

However, on the computers/devices, I could only ping IP addresses. Domain names will not resolve.

Am I missing some other configuration for your changes to work?

FYI, I don't run an internal DNS server, but use a public DNS (NS1.NS1.NS1.NS1) provided by my service provider.

Best regards,
Michael

On the Router:
Company#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/20 ms
Company#ping bing.com
Translating "bing.com"...domain server (NS1.NS1.NS1.NS1) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.79.197.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/32 ms

On a computer:
C:\Users\User>ping bing.com
Ping request could not find host bing.com. Please check the name and try again.
C:\Users\User>ping 204.79.197.200
Pinging 204.79.197.200 with 32 bytes of data:
Reply from 204.79.197.200: bytes=32 time=21ms TTL=116
Reply from 204.79.197.200: bytes=32 time=26ms TTL=116
Reply from 204.79.197.200: bytes=32 time=28ms TTL=116
Reply from 204.79.197.200: bytes=32 time=37ms TTL=116
Ping statistics for 204.79.197.200:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 37ms, Average = 28ms

Hi Michael,

Can you ping NS1.NS1.NS1.NS1 & NS2.NS2.NS2.NS2 from LAN?

Regards,

Terence

Hi Terence,

I can ping NS1.NS1.NS1.NS1 and NS2.NS2.NS2.NS2 from LAN.

On LAN, any site in IP address format will work, just not when it's in domain name format.

IP address and domain name formats work on the Router ok. I did a Trace IP on the Router using domain name, the name resolved to an IP and it's showing the traffic being directed via service provider provided gateway GW1.GW1.GW1.GW1.

Best regards,
Michael

On the Router:
Company#ping yahoo.com
Translating "yahoo.com"...domain server (NS1.NS1.NS1.NS1) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 206.190.36.45, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/132/184 ms
Company#trace ip yahoo.com
Type escape sequence to abort.
Tracing the route to yahoo.com (206.190.36.45)
VRF info: (vrf in name/id, vrf out name/id)
1 rrcs-GW1-GW1-GW1-GW1.nyc.biz.rr.com (GW1.GW1.GW1.GW1) 8 msec 12 msec 4 msec
2 * * *
3 tge-0-7-0-5.nycmnya-rtr2.nyc.rr.com (68.173.207.77) 64 msec 32 msec 28 msec
4 agg112.nyquny9101r.nyc.rr.com (68.173.198.18) 28 msec 20 msec 24 msec
5 bu-ether15.nycmny837aw-bcr00.tbone.rr.com (66.109.6.76) 32 msec 36 msec 28 msec
6 205.197.232.13 28 msec 16 msec 24 msec
7 207.88.14.150.ptr.us.xo.net (207.88.14.150) 112 msec 100 msec 100 msec
8 207.88.12.168.ptr.us.xo.net (207.88.12.168) 96 msec 104 msec 96 msec
9 207.88.12.165.ptr.us.xo.net (207.88.12.165) 112 msec 92 msec 100 msec
10 207.88.12.188.ptr.us.xo.net (207.88.12.188) 112 msec 96 msec 112 msec
11 207.88.12.191.ptr.us.xo.net (207.88.12.191) 132 msec 108 msec 100 msec
12 ae1.rcb1.saltlake2-ut.us.xo.net (207.88.12.145) 108 msec 100 msec 100 msec
13 207.88.12.76.ptr.us.xo.net (207.88.12.76) 108 msec 100 msec 100 msec
14 207.88.13.88.ptr.us.xo.net (207.88.13.88) 100 msec 100 msec 100 msec
15 64.3.225.22.ptr.us.xo.net (64.3.225.22) 112 msec 100 msec 100 msec
16 ae-7.pat1.gqb.yahoo.com (216.115.96.45) 108 msec 104 msec
ae-5.pat1.gqb.yahoo.com (216.115.101.111) 112 msec
17 et-18-1-0.msr1.gq1.yahoo.com (66.196.67.103) 112 msec
et-0-0-0.msr1.gq1.yahoo.com (66.196.67.97) 112 msec 116 msec
18 et-19-1-0.clr2-a-gdc.gq1.yahoo.com (67.195.37.99) 96 msec
et-0-0-0.clr2-a-gdc.gq1.yahoo.com (67.195.37.73) 96 msec
et-19-1-0.clr1-a-gdc.gq1.yahoo.com (67.195.37.95) 120 msec
19 et-18-1.fab3-1-gdc.gq1.yahoo.com (67.195.1.81) 100 msec
et-18-1.fab2-1-gdc.gq1.yahoo.com (67.195.1.77) 112 msec
et-18-1.fab4-1-gdc.gq1.yahoo.com (67.195.1.85) 112 msec
20 po-12.bas1-7-prd.gq1.yahoo.com (206.190.32.19) 104 msec
po-14.bas1-7-prd.gq1.yahoo.com (206.190.32.23) 116 msec
po-9.bas1-7-prd.gq1.yahoo.com (206.190.32.13) 104 msec
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
Company#

On the Computer:
C:\Users\User>ping NS1.NS1.NS1.NS1
Pinging NS1.NS1.NS1.NS1 with 32 bytes of data:
Reply from NS1.NS1.NS1.NS1: bytes=32 time=13ms TTL=57
Reply from NS1.NS1.NS1.NS1: bytes=32 time=31ms TTL=57
Reply from NS1.NS1.NS1.NS1: bytes=32 time=23ms TTL=57
Reply from NS1.NS1.NS1.NS1: bytes=32 time=25ms TTL=57
Ping statistics for NS1.NS1.NS1.NS1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 13ms, Maximum = 31ms, Average = 23ms
C:\Users\User>ping yahoo.com
Ping request could not find host yahoo.com. Please check the name and try again.
C:\Users\User>tracert yahoo.com
Unable to resolve target system name yahoo.com.
C:\Users\User>ping 206.190.36.45
Pinging 206.190.36.45 with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=106ms TTL=43
Reply from 206.190.36.45: bytes=32 time=114ms TTL=43
Reply from 206.190.36.45: bytes=32 time=106ms TTL=43
Reply from 206.190.36.45: bytes=32 time=106ms TTL=43
Ping statistics for 206.190.36.45:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 106ms, Maximum = 114ms, Average = 108ms

I did an nslookup on the LAN with both configurations:

IP Nat Inside/Outside (my original)
C:\Users\User>nslookup yahoo.com
Server: nycmny-dns-comm-cac-01.rdc-nyc.rr.com
Address: NS1.NS1.NS1.NS1
Non-authoritative answer:
Name: yahoo.com
Addresses: 2001:4998:44:204::a7
2001:4998:58:c02::a9
2001:4998:c:a06::2:4008
98.138.253.109
98.139.183.24
206.190.36.45

IP Nat Enable (your suggestion)
C:\Users\User>nslookup yahoo.com
Server: nycmny-dns-comm-cac-01.rdc-nyc.rr.com
Address: NS1.NS1.NS1.NS1
DNS request timed out.
timeout was 2 seconds.
Name: yahoo.com
Addresses: 2001:4998:58:c02::a9
2001:4998:c:a06::2:4008
2001:4998:44:204::a7

Without the Nat Inside/Outside, the DNS does not seem to resolve LAN domain name lookup.

Thanks again for your time looking into this.

Best regards,
Michael
