How To Setup NAT Loopback

Before You Start



In this article, you’ll learn how to setup NAT loopback, also knowns as hairpin NAT.


In order to setup NAT loopback, you will need:

  1. Active Acreto Ecosystem

The Purpose of NAT Loopback, known as Hairpin NAT

NAT loopback, also known as Hairpin NAT, is a technique that allows users on the internal network to access a server on the same network using its public IP address.

This can be useful in situations where the server is configured to use a public IP address, and users need to access it from both the internal and external networks.

Here is a step-by-step guide on how to configure NAT loopback:

How To Steps

Step 1: Create a new ecosystem

To configure NAT loopback, you will need to have a network infrastructure that supports it. Start by creating a new Ecosystem, if you don’t already have one set up.

Step 2: Create a WireGuard gateway object

To enable VPN connectivity, you need to create a WireGuard gateway object. This object will be used to configure VPN connectivity to the ecosystem.

Step 3: Connect a VM running a WebServer using WireGuard VPN to the Ecosystem

Connect a virtual machine running a web server to the ecosystem using WireGuard VPN. This VM will serve as the target server for NAT loopback.

Step 4: Create an Allocated-IP object for the WebServer

Create an Allocated-IP object for the web server. This IP address will be used to access the server from the internet.

Step 5: Create a security policy: “any to any”

Create a security policy that allows traffic from any source to any destination.

Step 6: Create a NAT policy: DNAT (inbound)

Create a NAT policy that maps the public IP address of the server to its private IP address. This policy should be configured to allow inbound traffic from any source.

Step 7: Create a NAT policy: NAT-loopback/NAT-U-turn

Create a NAT policy that allows users connected to the VPN to access the web server using its public IP address. This policy should be configured to allow traffic from the VPN subnet to the Allocated-IP object.

Step 8: Create a Thing Device object

Create a Thing Device object for the VPN users (things) that will be connecting to the ecosystem. This object will be used to configure VPN connectivity for the users.

Step 9: Connect to the Ecosystem with Acreto Connect Client (VPN)

As a user, connect to the ecosystem using Acreto Connect Client (VPN) to establish a VPN connection.

Step 10: Connect to the WebServer using the Allocated-IP

As a VPN user, connect to the web server using the Allocated-IP object. This will allow you to access the server using its public IP address, even if you are on the internal network.

Frequently Asked Questions

Q1: Why do I need to setup NAT Loopback, known as Hairpin NAT?

Usually the Orgazniations use Acreto to secure the WebServer or MailServer. If the server is connected to Acreto Ecosystem, and is properly isolated and secured, then to access that Server users may choose to connect:

  1. Using server’s Local IP
  2. Using public IP when connecting from Internet
  3. Using DNS name (which points to public IP) when connecting from Internet, so in fact it’s the same as option 2.
  4. Using DNS name or public IP when connecting using VPN (via Acreto)

Option 4. requires NAT loopback, to allow redirection of the traffic that is originated in local network (source IPs are local), but the destination is Public IP. The loopback policy allows to divert back the traffic to Local IP of the Server.


The benefit from this NAT Loopback (Hairpin NAT) configuration is for the End-Users.

End-Users can connect the Server using it’s DNS name from any location (inside Ecosystem while connected using VPN such as Acreto Connect Client), or from the Internet.

Next page: Identity Providers Overview