Can't telnet to external interface after NAT overload

Jun 29th, 2007

Hi Sir,


After I configured NAT overload as follows:

!
int f 0/0
 desc *** Inside Interface - Private Address ***
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
int s 0/0
 desc *** Outside Interface - Public Address ***
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
ip nat inside source list 100 interface s0/0 overload
!

No external host can telnet to its IP address 1.1.1.1. It seems like the router changes the destination TCP port to some other port numbers. Is this normal behavior of NAT overload?


To work around the issue, I added the following static NAT command:

!
ip nat inside source static tcp 1.1.1.1 23 interface s0/0 23
!

It seems to work, i.e. the router PATs internal source addresses to 1.1.1.1 as usual, and an external host can now telnet to IP address 1.1.1.1.


Can anyone verify this is the correct workaround?



Thank you.


B.Rgds,

Lim TS


Jon Marshall Mon, 07/02/2007 - 01:39
Hi Lim


Yes, you have configured it correctly. When you do NAT overload outgoing for inside addresses, if you want to access internal services (or, in your case, the router interface) from outside hosts, you need a port translation set up.


Jon
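
As an added example (this is not configuration from anyone in the thread), the workaround Jon confirms, written the way a security engineer would deploy it on a router with a single public address. It assumes the outside interface is FastEthernet0/1 with 1.1.1.1/30 (Lim later notes this is the real interface), the inside network is 10.10.10.0/24, and that the only host allowed to manage the router is 203.0.113.10, an assumed documentation address. It maps SSH rather than telnet, because a static port mapping on the public address exposes that port to the whole Internet and telnet carries credentials in clear text; if telnet must be kept, the same static line with port 23 (as in Lim's post) is the equivalent.

```ios
! Added example, not configuration from the thread. Assumed values: outside
! interface FastEthernet0/1 with the single public address 1.1.1.1/30, inside
! network 10.10.10.0/24, management host 203.0.113.10 (documentation address).
!
! 1. PAT for the inside network, exactly as in the original post but on Fas0/1.
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/1 overload
!
! 2. Static port mapping so an inbound connection to the router's own public
!    address reaches the router instead of the overload translation. The
!    "inside local" address is the interface address itself, as in Lim's line.
!    Port 22 (SSH) instead of 23 (telnet).
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip nat inside source static tcp 1.1.1.1 22 interface FastEthernet0/1 22
!
! 3. The mapping is reachable from any source, so restrict management access
!    twice: at the outside interface and on the VTY lines.
access-list 10 permit host 203.0.113.10
!
ip access-list extended OUTSIDE-IN
 permit tcp host 203.0.113.10 host 1.1.1.1 eq 22
 deny   tcp any host 1.1.1.1 eq 22
 deny   tcp any host 1.1.1.1 eq 23
 permit ip any any
!
interface FastEthernet0/1
 description *** Outside Interface - Public Address ***
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
username admin privilege 15 secret <strong-password>
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
```

Two things to check after applying this. First, `show ip nat translations` should list the static entry for 1.1.1.1:22 permanently, alongside the dynamic entries that appear only while inside hosts have flows open. Second, an inbound ACL on a `ip nat outside` interface is evaluated before the packet is un-translated, so the destination seen by OUTSIDE-IN is the public address 1.1.1.1, which is why the ACL matches on it. The trailing `permit ip any any` keeps the example focused on the management ports; a production outside ACL would be tighter.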

winstoncheng Thu, 08/02/2007 - 07:07

I'm having the same problem (cannot connect through telnet or SSH) and found this thread, but the line confuses me a little:

ip nat inside source static tcp 1.1.1.1 23 interface s0/0 23

1.1.1.1 is the internal or external IP of the router?


My current line is:

ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23


Should I change it to:

ip nat inside source static tcp Dialer0 23 Dialer0 23


Sorry, I'm at the office and the router is at home, so I can't grab a full configuration at the moment. I don't currently have other access lists outside of the:

access-list 1 permit 192.168.1.0 0.0.0.255

PatsFan12 Thu, 08/02/2007 - 16:10

Use a loopback address. Then do the static NAT overload command for it, such as:


ip nat inside source static tcp 23 1.2.3.4 23 overload


Then from the outside you will be able to telnet and it is somewhat more secure too.

limtohsoon Thu, 08/02/2007 - 18:51

Hi,


In my example scenario, the router is connected to a fixed-IP ADSL line. I should have used interface Fas0/1 for the outside interface in my illustration, instead of int S0/0.


Anyway, the ISP assigns only one public IP address to my router, i.e. 1.1.1.1/30.


Your method uses the loopback IP as the inside local IP address in the static NAT statement. I suppose your loopback IP should be a private address.


My method uses the public IP itself as the inside local IP address in the static NAT statement. Can you kindly explain why your way is somewhat more secure? I am somehow not able to figure it out.


Secondly, the "overload" keyword is not available at the end of the command.


I do have a private loopback IP address on the router because I'm configuring DMVPN.



Thank you.


B.Rgds,

Lim TS

