In this article, you’ll learn how to set up NAT loopback, also known as hairpin NAT.
In order to set up NAT loopback, you will need:
NAT loopback, also known as Hairpin NAT, is a technique that allows users on the internal network to access a server on the same network using its public IP address.
This can be useful in situations where the server is configured to use a public IP address, and users need to access it from both the internal and external networks.
Here is a step-by-step guide on how to configure NAT loopback:
To configure NAT loopback, you will need to have a network infrastructure that supports it. Start by creating a new Ecosystem, if you don’t already have one set up.
To enable VPN connectivity, you need to create a WireGuard gateway object. This object will be used to configure VPN connectivity to the ecosystem.
Connect a virtual machine running a web server to the ecosystem using WireGuard VPN. This VM will serve as the target server for NAT loopback.
Create an Allocated-IP object for the web server. This IP address will be used to access the server from the internet.
Create a security policy that allows traffic from any source to any destination.
Create a NAT policy that maps the public IP address of the server to its private IP address. This policy should be configured to allow inbound traffic from any source.
Create a NAT policy that allows users connected to the VPN to access the web server using its public IP address. This policy should be configured to allow traffic from the VPN subnet to the Allocated-IP object.
Create a Thing Device object for the VPN users (things) that will be connecting to the ecosystem. This object will be used to configure VPN connectivity for the users.
As a user, connect to the ecosystem using Acreto Connect Client (VPN) to establish a VPN connection.
As a VPN user, connect to the web server using the Allocated-IP object. This will allow you to access the server using its public IP address, even if you are on the internal network.
Organizations usually use Acreto to secure a web server or mail server. If the server is connected to an Acreto Ecosystem, and is properly isolated and secured, then to access that server users may choose to connect:
Option 4 requires NAT loopback to redirect traffic that originates in the local network (the source IPs are local) but is destined for the public IP. The loopback policy diverts that traffic back to the local IP of the server.
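The redirection described above can be modelled in a few lines. This is an added example, not Acreto code or configuration: the addresses are constructed, and the policy fields and first-match evaluation (including the `ingress` field) are simplifying assumptions used only to show why the inbound NAT policy alone does not cover VPN users.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses, not values from the article.
PUBLIC_IP = "203.0.113.10"    # stands in for the Allocated-IP
SERVER_IP = "10.10.0.20"      # web server's private (local) address
VPN_SUBNET = "10.10.0.0/24"   # subnet of VPN-connected users

@dataclass(frozen=True)
class NatPolicy:
    name: str
    ingress: str       # side the traffic arrives from: "internet" or "vpn" (assumption)
    source: str        # source network allowed to match
    match_dst: str     # destination address that triggers translation
    translate_to: str  # address the destination is rewritten to

INBOUND = NatPolicy("inbound", "internet", "0.0.0.0/0", PUBLIC_IP, SERVER_IP)
LOOPBACK = NatPolicy("loopback", "vpn", VPN_SUBNET, PUBLIC_IP, SERVER_IP)

def translate(policies, ingress, src, dst):
    """First-match evaluation; returns (matched policy name or None, final destination)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p.ingress == ingress
                and src_ip in ipaddress.ip_network(p.source)
                and dst_ip == ipaddress.ip_address(p.match_dst)):
            return p.name, p.translate_to
    return None, dst  # nothing matched: destination is left as the public IP

if __name__ == "__main__":
    vpn_user = ("vpn", "10.10.0.50", PUBLIC_IP)
    internet_user = ("internet", "198.51.100.7", PUBLIC_IP)
    print("inbound only, VPN user:  ", translate([INBOUND], *vpn_user))
    print("with loopback, VPN user: ", translate([INBOUND, LOOPBACK], *vpn_user))
    print("with loopback, Internet: ", translate([INBOUND, LOOPBACK], *internet_user))
```

Because the loopback policy is scoped to the VPN subnet, a source outside that subnet arriving on the VPN side still gets no translation.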
The benefit of this NAT loopback (hairpin NAT) configuration goes to the end users.
End users can connect to the server using its DNS name from any location: from inside the Ecosystem (while connected over a VPN such as Acreto Connect Client) or from the Internet.