Can't telnet to external interface after NAT overload

Jun 29th, 2007

Hi Sir,

After I configured NAT overload as follows:

int f 0/0
desc *** Inside Interface - Private Address ***
ip address
ip nat inside

int s 0/0
desc *** Outside Interface - Public Address ***
ip address
ip nat outside

ip route

access-list 100 permit ip any

ip nat inside source list 100 interface s0/0 overload


No external host can telnet to its IP address. It seems like the router changes the destination TCP port to some other port number. Is this normal behavior of NAT overload?

To work around the issue, I added the following static nat command:

ip nat inside source static tcp 23 interface s0/0 23

It seems to work, i.e. the router PATs internal source addresses to like usual, and also external host can now telnet to IP address

Can anyone verify this is the correct workaround?

Thank you.


Lim TS

Jon Marshall Mon, 07/02/2007 - 01:39

Hi Lim

Yes, you have configured it correctly. When you do NAT overload outgoing for inside addresses, if you want to access internal services (or, in your case, the router interface) from outside hosts, you need a port translation set up.


winstoncheng Thu, 08/02/2007 - 07:07

I'm having the same problem (cannot connect through telnet nor SSH) and found this thread, but the line confuses me a little:

ip nat inside source static tcp 23 interface s0/0 23 is the internal or external IP of the router?

My current line is:

ip nat inside source static tcp 23 interface Dialer0 23

Should I change it to:

ip nat inside source static tcp Dialer0 23 Dialer0 23

Sorry, I'm at the office and the router is at home, I can't grab a full configuration atm. I don't currently have other access lists outside of the:

access-list 1 permit

PatsFan12 Thu, 08/02/2007 - 16:10

Use a loopback address. Then do the static NAT overload command for it, such as:

ip nat inside source static tcp 23 23 overload

Then from the outside you will be able to telnet and it is somewhat more secure too.

limtohsoon Thu, 08/02/2007 - 18:51


In my example scenario, the router is connected to a fixed-IP ADSL line. I should have used interface Fas0/1 for the outside interface in my illustration, instead of int S0/0.

Anyway, the ISP assigns only one public IP address to my router, i.e.

Your method uses the loopback IP as the inside local IP address in the static nat statement. I suppose your loopback IP should be private address.

My method uses the public IP itself as the inside local IP address in the static NAT statement. Can you kindly explain why your way is somewhat more secure? I am somehow not able to figure it out.

Secondly, the "overload" keyword is not available at the end of the command.

I do have a private loopback IP address on the router because I'm configuring DMVPN.

Thank you.


Lim TS
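To make the behaviour discussed in this thread concrete, here is an added Python model (not code from the thread and not Cisco code) of what Lim's original post describes: dynamic NAT overload entries are created by outbound traffic and matched on the full 5-tuple, so an unsolicited telnet connection to the public address finds no entry, while the static `tcp ... 23 interface ... 23` mapping accepts any outside source. It also covers PatsFan12's variant, where the static mapping points at a private loopback instead of the public address. All addresses (203.0.113.10, 192.168.1.0/24, 10.255.255.1, the outside hosts) are constructed placeholders, and the class, method and variable names are this example's own.

```python
"""Toy model of Cisco-style NAT overload (PAT) with a static port mapping.

Constructed illustration, not Cisco code. All addresses are placeholders
from the RFC 5737 documentation ranges and RFC 1918, not values from the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"      # assumed: the single public address on the outside interface
INSIDE_PREFIX = "192.168.1."    # assumed: the inside network the NAT access-list permits
LOOPBACK_IP = "10.255.255.1"    # assumed: a private loopback, as in the loopback suggestion

Endpoint = Tuple[str, int]                    # (ip, port)
FiveTuple = Tuple[str, str, int, str, int]    # (proto, remote_ip, remote_port, public_ip, public_port)


@dataclass
class PatRouter:
    """Models `ip nat inside source list ... interface <outside> overload` plus
    `ip nat inside source static tcp <inside-local> <port> interface <outside> <port>`."""
    public_ip: str
    static: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)   # (proto, public_port) -> inside local
    dynamic: Dict[FiveTuple, Endpoint] = field(default_factory=dict)       # outside-side 5-tuple -> inside local
    next_port: int = 1024

    def add_static(self, proto: str, inside_local: Endpoint, public_port: int) -> None:
        """Static port mapping: any outside host reaching public_ip:public_port is sent to inside_local."""
        self.static[(proto, public_port)] = inside_local

    def _port_in_use(self, proto: str, port: int) -> bool:
        if (proto, port) in self.static:
            return True          # a static mapping reserves its public port
        return any(k[0] == proto and k[4] == port for k in self.dynamic)

    def _alloc_port(self, proto: str, wanted: int) -> int:
        """Keep the original source port when free; otherwise hand out the next free high port."""
        if not self._port_in_use(proto, wanted):
            return wanted
        port = self.next_port
        while self._port_in_use(proto, port):
            port += 1
        self.next_port = port + 1
        return port

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> FiveTuple:
        """Inside -> outside: rewrite the source to public_ip:<port> and record the entry
        under the 5-tuple the reply packet will carry."""
        if not src[0].startswith(INSIDE_PREFIX):
            raise ValueError("source not permitted by the NAT access-list")
        port = self._alloc_port(proto, src[1])
        key = (proto, dst[0], dst[1], self.public_ip, port)
        self.dynamic[key] = src
        return key

    def inbound(self, proto: str, src: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Outside -> inside: a reply must match its dynamic entry on the full 5-tuple;
        anything else needs a static mapping, otherwise it is dropped (None)."""
        key = (proto, src[0], src[1], self.public_ip, public_port)
        if key in self.dynamic:
            return self.dynamic[key]
        return self.static.get((proto, public_port))


def walkthrough() -> dict:
    """Replays the thread's scenario and returns what the model observed."""
    r = PatRouter(PUBLIC_IP)
    inside_host = ("192.168.1.20", 40000)            # constructed inside PC
    web = ("198.51.100.5", 80)                       # constructed outside web server
    sent = r.outbound("tcp", inside_host, web)       # browsing out works, entry created
    reply = r.inbound("tcp", web, sent[4])           # the server's reply is mapped back

    remote_admin = ("198.51.100.7", 51000)           # constructed outside host trying telnet
    before = r.inbound("tcp", remote_admin, 23)      # no entry matches: dropped, the reported symptom

    # Lim's workaround: inside local = the public address itself, public port 23
    r.add_static("tcp", (PUBLIC_IP, 23), 23)
    after = r.inbound("tcp", remote_admin, 23)

    # A later outbound flow from source port 23 must not be given the reserved public port
    sent2 = r.outbound("tcp", ("192.168.1.21", 23), ("198.51.100.5", 8080))

    # PatsFan12's variant: the static mapping points at a private loopback instead
    r2 = PatRouter(PUBLIC_IP)
    r2.add_static("tcp", (LOOPBACK_IP, 23), 23)
    via_loopback = r2.inbound("tcp", remote_admin, 23)

    return {"reply": reply, "before": before, "after": after,
            "port_for_src23": sent2[4], "via_loopback": via_loopback}


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name:15} {value}")
```

The model keeps only the parts the thread turns on: a dynamic entry is keyed on the remote address and port as well as the translated port, so only the reply to an existing session matches it, and the static mapping is the sole entry that answers any outside source on port 23. It also shows why the static entry must reserve its public port, so that a later dynamic translation cannot be handed port 23. Both mapping targets (the public address and the loopback) are treated identically, since the thread does not establish a difference between them.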

